phiberoptick/cc256a79fbd5cc7c84d6ec46c9f9e292
Last active July 18, 2024 18:39

Use custom SSL cert in Pritunl Server Community
Ignore all that craziness below. These can be set from the CLI with the "pritunl" command.
The commands below can be used to get/set the values of the cert, key, port and whether the :80 -> "app.server_port" redirect is active.

# Get current SSL server cert:
pritunl get app.server_cert

# Get current SSL server key:
pritunl get app.server_key

# Get current Web Console Port (this corresponds to the "Web Console Port" option in the settings on the web UI):
pritunl get app.server_port

# Get status of web redirect
# By default, an additional web server runs on :80 for LetsEncrypt verification and redirecting HTTP requests to the "app.server_port" (HTTPS):
pritunl get app.redirect_server

# Set new SSL server cert:
pritunl set app.server_cert "$(cat /path/to/cert.pem)"

# Set new SSL server key:
pritunl set app.server_key "$(cat /path/to/privkey.pem)"

# Set new Web Console Port (443 here, or whatever port you want the Web Console UI to listen on):
pritunl set app.server_port 443

# Enable redirect to the port defined in "app.server_port":
pritunl set app.redirect_server true

# Disable redirect to the port defined in "app.server_port":
pritunl set app.redirect_server false

### WARNING ###
If you do not want/need a redirect to the port the Web Console is running on *AND* you *DO NOT* use the built in LetsEncrypt functionality (if you do, why are you reading this?), you can safely set "app.redirect_server" to "false".
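The "pritunl set" commands above take whatever "cat" hands them, so a wrong file (a CSR, a key with the wrong label, a key anyone on the box can read) goes straight into the config. The following is an added example, not part of the gist, that checks the pair before pushing it through the same two CLI keys the gist uses (app.server_cert, app.server_key). The PRITUNL variable, the check_pair/apply_pair names and the return codes are this example's own conventions; the PEM files it expects are whatever you would otherwise cat into the commands above.

```shell
#!/bin/sh
# Added example (not from the gist): sanity-check a cert/key pair, then apply it
# with the pritunl CLI exactly as the gist does. PRITUNL can be overridden
# (e.g. PRITUNL=echo) for a dry run; that override is this example's idea.
PRITUNL="${PRITUNL:-pritunl}"

# pem_has_block FILE LABEL-ERE
# 0 when FILE has both a "-----BEGIN <label>-----" and a matching END line.
pem_has_block() {
    f=$1; label=$2
    grep -Eq "^-----BEGIN ($label)-----$" "$f" 2>/dev/null &&
    grep -Eq "^-----END ($label)-----$" "$f" 2>/dev/null
}

# world_readable FILE: 0 if the "other" read bit is set (column 8 of ls -l).
world_readable() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c8)" in
        r) return 0 ;;
        *) return 1 ;;
    esac
}

# check_pair CERT KEY
# 0 = OK to apply
# 2 = CERT is not a PEM certificate
# 3 = KEY is not a PEM private key (PKCS#8, RSA or EC label)
# 4 = KEY is world-readable; fix its mode before it goes anywhere
check_pair() {
    cert=$1; key=$2
    pem_has_block "$cert" "CERTIFICATE" || return 2
    pem_has_block "$key" "(RSA |EC )?PRIVATE KEY" || return 3
    world_readable "$key" && return 4
    return 0
}

# apply_pair CERT KEY: run the checks, then the gist's two "pritunl set" calls.
# Usage: apply_pair /path/to/cert.pem /path/to/privkey.pem
apply_pair() {
    check_pair "$1" "$2"; rc=$?
    case $rc in
        0) ;;
        2) echo "refusing: $1 is not a PEM certificate" >&2; return $rc ;;
        3) echo "refusing: $2 is not a PEM private key" >&2; return $rc ;;
        4) echo "refusing: $2 is world-readable; chmod 600 it first" >&2; return $rc ;;
    esac
    "$PRITUNL" set app.server_cert "$(cat "$1")" &&
    "$PRITUNL" set app.server_key "$(cat "$2")"
}
```

The checks are deliberately structural (PEM labels and file mode), so the script runs anywhere the pritunl CLI does; pairing the key with the certificate cryptographically is a job for openssl, which this example does not require.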
Leaving this down here to remind myself:
"There is ALWAYS a better way. Never settle for *it works*"
LOL

Find the "server_cert_path" and "server_key_path" variables in Pritunl server.
The lines that need changing are in app.py (and server.py) under the Pritunl install.
(Probably don't need to change in server.py as well)

Find the files that need modification:
# grep -Rns -e "server_cert_path = None" -e "server_key_path = None" /path/to/pritunl/install/

I prefer to limit it to /usr/lib/pritunl/local/ but on Debian the files are duplicated in /usr/lib/pritunl/lib/ as well. I never change them.
# grep -Rns -e "server_cert_path = None" -e "server_key_path = None" /usr/lib/pritunl/local/
/usr/lib/pritunl/local/lib/python2.7/site-packages/pritunl/app.py:162: server_cert_path = None
/usr/lib/pritunl/local/lib/python2.7/site-packages/pritunl/app.py-163: server_key_path = None
/usr/lib/pritunl/local/lib/python2.7/site-packages/pritunl/setup/server.py:202: server_cert_path = None
/usr/lib/pritunl/local/lib/python2.7/site-packages/pritunl/setup/server.py-203: server_key_path = None

Use sed to "in place" search/replace in the file(s). (I only ever change app.py)
You can also attach an extension to the -i flag and it will make backups. (-i.bak; note GNU sed needs the suffix attached, otherwise ".bak" is read as the script)
Be a rebel. If you don't have a backup of it yet or know how to reinstall, it's never too late to learn!
(Seriously. If you can't somehow restore the file if needed, at least give an extension to -i for a backup)
Using "|" as the sed delimiter keeps the paths readable and avoids escaping every slash and quote:
# sed -i -e "s|server_cert_path = None|server_cert_path = '/path/to/cert.pem'|g; s|server_key_path = None|server_key_path = '/path/to/key.pem'|g" /path/to/app.py

Weeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee!!!!!
# grep -Rls -e "server_cert_path = None" -e "server_key_path = None" /usr/lib/pritunl/local/ | while read -r list; do echo -e "\n\n$list: \n" && sed -i -e "s|server_cert_path = None|server_cert_path = '/path/to/cert.pem'|g; s|server_key_path = None|server_key_path = '/path/to/key.pem'|g" "$list"; done
or maybe
# grep -Rls -e "server_cert_path = None" -e "server_key_path = None" /usr/lib/pritunl/local/ | xargs sed -i -e "s|server_cert_path = None|server_cert_path = '/path/to/cert.pem'|g; s|server_key_path = None|server_key_path = '/path/to/key.pem'|g"
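The grep-then-sed procedure above works, but it gives no backup unless you remember -i.bak, it assumes the path contains nothing sed treats specially, and it never confirms the substitution happened. The following is an added example, not the gist's own code, that wraps the same find/replace in two small functions: find_targets does the grep, patch_paths writes FILE.bak first, patches through a temp file (so it behaves the same with GNU and BSD sed, which disagree on -i), escapes the new paths for the replacement side, and returns nonzero if the "= None" assignments were not found. The function names, the return codes and the sample app.py used below are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist): patch server_cert_path / server_key_path
# in a Pritunl app.py with a backup, portable sed usage and a result check.
# Any real paths you pass in are yours; nothing here is Pritunl's own API.

# find_targets ROOT: list files under ROOT that still carry the "= None"
# assignments, as the gist's "grep -Rls" does (-r here: no symlink following).
find_targets() {
    grep -rls -e "server_cert_path = None" -e "server_key_path = None" "$1"
}

# escape_sed_repl STRING: escape '&', '\' and the '|' delimiter so an
# arbitrary path is safe on the replacement side of s|...|...|.
escape_sed_repl() {
    printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
}

# patch_paths FILE CERT KEY
# 0 = both assignments now point at CERT and KEY (also true if already patched)
# 1 = FILE does not contain the expected assignments after patching
# 2 = could not write the backup, temp file or FILE
patch_paths() {
    f=$1
    c=$(escape_sed_repl "$2")
    k=$(escape_sed_repl "$3")
    # backup first; cp -p keeps the original mode on both copies
    cp -p "$f" "$f.bak" && cp -p "$f" "$f.tmp" || return 2
    # rewrite from the backup into the temp file (redirect keeps .tmp's mode)
    sed -e "s|server_cert_path = None|server_cert_path = '$c'|g" \
        -e "s|server_key_path = None|server_key_path = '$k'|g" "$f.bak" > "$f.tmp" || return 2
    mv "$f.tmp" "$f" || return 2
    # verify literally (-F) that both lines carry the new paths
    grep -Fq "server_cert_path = '$2'" "$f" && grep -Fq "server_key_path = '$3'" "$f"
}

# Usage (placeholder paths):
#   for f in $(find_targets /usr/lib/pritunl/local/); do
#       patch_paths "$f" /path/to/cert.pem /path/to/key.pem || echo "not patched: $f" >&2
#   done
```

Running patch_paths a second time is harmless: sed finds nothing to change and the final grep still succeeds, so the return code stays 0.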
I'm still getting NET::ERR_CERT_INVALID 😩
Edit: I used the "thisisunsafe" trick, thanks for the gist!
This has been very helpful. I don't know why, but Pritunl has kept failing certificate acquisition with "Challenge did not pass" and "Connection refused", even though nothing was running on ports 443 and 80, no firewall was preventing the connection and no other web server was active at that moment. certbot correctly got the certificate when I used it with "certbot certonly".
Nonetheless, the commands you've shown worked perfectly. Thank you.
Thanks! I'll update it. Nice catch!