# Obtaining SSL Certificates (Local Installation)

Sherpa Orchestrator supports HTTPS connections to ensure secure communication. This guide describes ways to obtain SSL certificates for use in the system.

### Recommendations for Obtaining Certificates

**Important:** Before obtaining certificates, consult your internal network administrator or your company's certification authority. Corporate certificates are usually provided by the IT department and ensure better integration with existing security infrastructure.

If corporate certificates are not available, consider the following options for obtaining certificates for external domains in the sections below.

### Obtaining Corporate Certificates

If your organization has an internal certification authority (CA), contact your system administrator to obtain certificates. Provide them with the domain for the certificates and receive 2 files: the certificate (`.crt`) and the private key (`.key`). After receiving them, install them as follows:

```bash
# Create a directory for certificates
sudo mkdir -p /opt/SherpaOrchestrator/backend/config/certs/

# Copy the certificates (rename the files as received)
sudo cp your_certificate.crt /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt
sudo cp your_private.key /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key

# Set the correct permissions
sudo chmod 644 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt
sudo chmod 600 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key
```

<details>

<summary>💡 Comments on Obtaining Corporate Certificates</summary>

**sudo mkdir -p /opt/SherpaOrchestrator/backend/config/certs/** - creates a directory for certificates

* `-p` - creates parent directories as needed

**sudo cp your\_certificate.crt /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt** - copies the certificate **sudo cp your\_private.key /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key** - copies the private key

**chmod 644** - sets read permissions for certificates (owner can write, everyone can read) **chmod 600** - sets permissions for the owner only on private keys

</details>

### Obtaining Trusted Certificates via Let's Encrypt

To obtain free trusted certificates from Let's Encrypt, use Certbot on a machine with internet access.

#### Installing Certbot

```bash
# On Debian/Ubuntu
sudo apt update
sudo apt install certbot

# On CentOS/RHEL
sudo yum install certbot

# On macOS (with Homebrew)
brew install certbot
```

<details>

<summary>💡 Comments on Installing Certbot</summary>

**Ubuntu/Debian:**

* `sudo apt update` - updates the package list
* `sudo apt install certbot` - installs Certbot

**CentOS/RHEL:**

* `sudo yum install certbot` - installs Certbot via yum

**macOS:**

* `brew install certbot` - installs Certbot via Homebrew

</details>

#### Obtaining a Certificate for a Domain

```bash
# Obtain a certificate for your domain (replace yourdomain.com with your domain)
sudo certbot certonly --standalone -d yourdomain.com

# Or for a wildcard certificate (requires DNS challenge)
sudo certbot certonly --manual --preferred-challenges=dns -d yourdomain.com -d *.yourdomain.com
```

<details>

<summary>💡 Comments on Obtaining a Certificate</summary>

**sudo certbot certonly --standalone -d yourdomain.com** - obtains a certificate for the domain

* `certonly` - obtains only certificates, without configuring the web server
* `--standalone` - runs a temporary web server for HTTP-01 challenge
* `-d yourdomain.com` - specifies the domain for the certificate

\**sudo certbot certonly --manual --preferred-challenges=dns -d yourdomain.com -d .yourdomain.com* - obtains a wildcard certificate

* `--manual` - manual mode (requires DNS record)
* `--preferred-challenges=dns` - uses DNS-01 challenge
* `-d *.yourdomain.com` - wildcard domain

</details>

#### Location of Obtained Certificates

After successfully obtaining certificates, they will be located in the directory `/etc/letsencrypt/live/yourdomain.com/`:

```bash
# Check the contents of the certificate directory
sudo ls -la /etc/letsencrypt/live/yourdomain.com/

# The output should contain:
# cert.pem (certificate)
# chain.pem (certificate chain)
# fullchain.pem (full chain)
# privkey.pem (private key)
```

<details>

<summary>💡 Comments on the Location of Certificates</summary>

**sudo ls -la /etc/letsencrypt/live/yourdomain.com/** - shows the contents of the certificate directory

* `/etc/letsencrypt/live/` - standard Let's Encrypt directory
* `yourdomain.com/` - subdirectory for the domain

**Certificate files:**

* `cert.pem` - domain certificate
* `chain.pem` - chain of intermediate certificates
* `fullchain.pem` - full certificate with chain
* `privkey.pem` - private key

</details>

#### Transferring Certificates to the Sherpa Server

Copy the certificates to the server where Sherpa Orchestrator is installed:

```bash
# Create a directory for certificates on the Sherpa server
sudo mkdir -p /opt/SherpaOrchestrator/backend/config/certs/

# Copy the certificates (replace yourdomain.com with your domain)
sudo scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem user@target-server:/opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt
sudo scp /etc/letsencrypt/live/yourdomain.com/privkey.pem user@target-server:/opt/SherpaOrchestrator/backend/config/certs/orchestrator.key

# Set the correct permissions
sudo chmod 644 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt
sudo chmod 600 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key
```

<details>

<summary>💡 Comments on Transferring Certificates</summary>

**sudo scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem user\@target-server:/opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt** - copies the certificate

* `scp` - secure copy
* `fullchain.pem` - full certificate with chain
* Renamed to `orchestrator.crt`

**sudo scp /etc/letsencrypt/live/yourdomain.com/privkey.pem user\@target-server:/opt/SherpaOrchestrator/backend/config/certs/orchestrator.key** - copies the private key

* `privkey.pem` - private key
* Renamed to `orchestrator.key`

</details>

### Creating Self-Signed Certificates (for Testing)

**WARNING:** Self-signed certificates are not trusted and will trigger security warnings in browsers. Use this method only for testing or in isolated networks!

#### Creating a Self-Signed Certificate with OpenSSL

```bash
# Create a directory for certificates
sudo mkdir -p /opt/SherpaOrchestrator/backend/config/certs/

# Generate a private key
sudo openssl genrsa -out /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key 2048

# Create a self-signed certificate
sudo openssl req -new -x509 -key /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key -out /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt -days 365 -subj "/C=RU/ST=State/L=City/O=Organization/CN=orchestrator.yourdomain.com"

# Set the correct permissions
sudo chmod 644 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt
sudo chmod 600 /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key
```

<details>

<summary>💡 Comments on Creating Self-Signed Certificates</summary>

**sudo mkdir -p /opt/SherpaOrchestrator/backend/config/certs/** - creates a directory for certificates

**sudo openssl genrsa -out /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key 2048** - generates a private key

* `genrsa` - generates an RSA key
* `-out file.key` - output file
* `2048` - key length in bits

**sudo openssl req -new -x509 -key keyfile.key -out certfile.crt -days 365 -subj "/C=RU/..."** - creates a self-signed certificate

* `req -new -x509` - creates a new self-signed certificate
* `-key keyfile.key` - uses the specified private key
* `-out certfile.crt` - output certificate file
* `-days 365` - validity period (1 year)
* `-subj "/C=RU/ST=State/L=City/O=Organization/CN=domain.com"` - subject information

**chmod 644** and **chmod 600** - set the correct permissions

</details>

#### Verifying Created Certificates

```bash
# Check certificate information
sudo openssl x509 -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt -text -noout

# Check key and certificate match
sudo openssl rsa -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key -check

# Check certificate expiration date
sudo openssl x509 -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt -enddate -noout
```

<details>

<summary>💡 Comments on Verifying Certificates</summary>

**sudo openssl x509 -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt -text -noout** - shows information about the certificate

* `x509` - command for working with X.509 certificates
* `-in file.crt` - input certificate file
* `-text` - outputs textual information
* `-noout` - does not output the encoded certificate

**sudo openssl rsa -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.key -check** - checks the private key

* `rsa` - command for working with RSA keys
* `-in file.key` - input key file
* `-check` - checks the validity of the key

**sudo openssl x509 -in /opt/SherpaOrchestrator/backend/config/certs/orchestrator.crt -enddate -noout** - shows the expiration date of the certificate

</details>

### Configuring TLS for the LDAPS Protocol (Optional)

**Important:** If LDAPS support is not required, skip this section.

Copy the rootCA certificate named `ca-certificates.crt` to the directory `/opt/SherpaOrchestrator/backend/config/certs/`

### Configuring Certificates for the IMAP Server (Optional)

**Important:** If you do not plan to use Triggers triggered by email or your mail server does not require certificates, skip this section.

Copy the certificates for IMAP to the folder `/opt/SherpaOrchestrator/backend/config/certs/imap_certs`

### Activating Certificates

After installing the certificates, you need to restart Nginx:

```bash
# Check the configuration syntax
sudo nginx -t

# Restart Nginx
sudo systemctl restart nginx

# Check the status
sudo systemctl status nginx
```

### Checking HTTPS Connection

```bash
# Check HTTPS availability
curl -I https://your-domain-or-ip

# Check the certificate
openssl s_client -connect your-domain-or-ip:443 -servername your-domain-or-ip < /dev/null 2>/dev/null | openssl x509 -noout -dates
```

### Automatic Renewal of Let's Encrypt Certificates

To automatically renew Let's Encrypt certificates, set up a cron job:

```bash
# Open crontab
sudo crontab -e

# Add the renewal task (runs twice a day at random times)
0 */12 * * * /usr/bin/certbot renew --quiet && systemctl reload nginx
```

<details>

<summary>💡 Comments on Automatic Renewal</summary>

**certbot renew --quiet** - renews all certificates that are expiring in less than 30 days

* `--quiet` - suppresses output except for errors

**systemctl reload nginx** - reloads the Nginx configuration after renewing certificates

The task runs twice a day to ensure timely renewal.

</details>

### Security Recommendations

1. **Always use trusted certificates** for production environments
2. **Regularly renew certificates** before they expire
3. **Store private keys in a secure location** with restricted access
4. **Monitor certificate expiration dates** and set up alerts
5. **Use strong cipher suites** in server configuration
6. **Configure HSTS** (HTTP Strict Transport Security) to enforce HTTPS

### Troubleshooting

#### Issue: "ssl certificate verification failed"

**Solution:**

* Check the correctness of the certificate installation
* Ensure the correct permissions on the certificate files
* Check the path to the certificates in the Nginx configuration

#### Issue: "chain incomplete" or "unable to get local issuer certificate"

**Solution:**

* Use `fullchain.pem` instead of `cert.pem` for the certificate
* Ensure that the certificate chain file is present and correct

#### Issue: "ssl handshake failure"

**Solution:**

* Check the compatibility of cipher suites
* Ensure that the private key matches the certificate
* Check the Nginx logs for errors

After obtaining and configuring certificates by any of the described methods, the Sherpa Orchestrator system will be accessible via HTTPS.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sherparpa.ru/en/sherpa-rpa/sherpa-orchestrator/ustanovka-sherpa-orchestrator/bez-ispolzvaniya-docker/poluchenie-ssl-sertifikatov-lokalnaya-ustanovka.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.