This is for external Sourcegraph instances that need a self-signed certificate because they don't yet have a certificate from a globally trusted Certificate Authority (CA). It includes how to get the self-signed certificate trusted by your browser.
Configuring NGINX with a self-signed certificate to support SSL requires:
While the OpenSSL CLI can can generate self-signed certificates, its API is challenging unless you're well versed in SSL.
A better alternative is mkcert, an abstraction over OpenSSL written by Filippo Valsorda, a cryptographer working at Google on the Go team.
To set up mkcert on the Sourcegraph instance:
sudo CAROOT=~/.sourcegraph/config mkcert -install
Now that the root CA has been created, mkcert can issue a self-signed certificate (sourcegraph.crt) and key (sourcegraph.key).
sudo CAROOT=~/.sourcegraph/config mkcert \ -cert-file ~/.sourcegraph/config/sourcegraph.crt \ -key-file ~/.sourcegraph/config/sourcegraph.key \ $HOSTNAME_OR_IP
Run sudo ls -la ~/.sourcegraph/config and you should see the CA and SSL certificates and keys.
Edit the default
~/.sourcegraph/config/nginx.conf,
so that port 7080 redirects to 7443 and 7443 is served with SSL. It should look like this:
... http { ... server { listen 7080; return 301 https://$host:7443$request_uri; } server { # Do not remove. The contents of sourcegraph_server.conf can change # between versions and may include improvements to the configuration. include nginx/sourcegraph_server.conf; listen 7443 ssl; server_name sourcegraph.example.com; # change to your URL ssl_certificate sourcegraph.crt; ssl_certificate_key sourcegraph.key; location / { ... } } }
Now that NGINX is listening on port 7443, we need to configure the Sourcegraph container to forward
443 to 7443 by adding --publish 443:7443 to the docker run command:
docker container run \ --rm \ --publish 7080:7080 \ --publish 443:7443 \ \ --volume ~/.sourcegraph/config:/etc/sourcegraph \ --volume ~/.sourcegraph/data:/var/opt/sourcegraph \ sourcegraph/server:3.17.3
Run the new Docker command, then validate by opening your browser at https://$HOSTNAME_OR_IP.
If running Sourcegraph locally, the certificate will be valid because mkcert added the root CA to the list trusted by your OS.
To have the browser trust the certificate, the root CA on the Sourcegraph instance must be installed locally by:
2. Downloading rootCA-key.pem and rootCA.pem from ~/.sourcegraph/config/mkcert on the Sourcegraph instance to the location of mkcert -CAROOT on your local machine:
# Run locally: Ensure directory the root CA files will be downloaded to exists mkdir -p "$(mkcert -CAROOT)"
# Run on Sourcegraph host: Ensure `scp` user can read (and therefore download) the root CA files sudo chown $USER ~/.sourcegraph/config/root*
# Run locally: Download the files (change username and hostname) scp [email protected]:~/.sourcegraph/config/root* "$(mkcert -CAROOT)"
3. Install the root CA by running:
mkcert -install
Open your browser again at https://$HOSTNAME_OR_IP and this time, your certificate should be valid.
This is largely the same as step 5, except easier. For other developer machines to trust the self-signed cert:
rootCA-key.pem and rootCA.pem from Slack or other internal system.rootCA-key.pem and rootCA.pem files into the mkcert -CAROOT directory on their machine.mkcert -install on their machine.