Let’s say you have obtained your domain name: mydomain.com, and you have decided that to access your controller you would use https:\/\/avx.mydomain.com<\/strong><\/p>\n\n\n\n Create an A record in DNS provider, so avx.mydomain.com<\/strong> would point to the Aviatrix Controller public IP.<\/p>\n\n\n\n There are free SSL certificate provider such as LetsEncrypt<\/em> or ZeroSSL<\/a><\/em>, in this blog, I’m using ZeroSSL to request a certificate for avx.mydomain.com<\/strong>, as it allows you request certificate directly from Web Page rather than using CertBot <\/a><\/em>command line. <\/p>\n\n\n\n NEW<\/strong>! ZeroSSL limits total of three 90 days certificate, expired certificate also counts towards the total. If you need to get certificate frequently, follow this blog to get a free SSL certificate: Get a free public SSL certificate for testing environment using Posh-ACME<\/a><\/p>\n\n\n\n After you created an account in ZeroSSL, choose New Certificate<\/strong><\/p>\n\n\n\n Enter Domains : avx.mydomain.com<\/strong><\/p>\n\n\n\n I’ve picked 90-Day Certificate (Free)<\/p>\n\n\n\n Leaving default to Auto-Generate CSR (Certificate Signing Request)<\/p>\n\n\n\n Stay with Free offer<\/p>\n\n\n\n Next step is to validate that you actually own the domain, if you just setup DNS, you may not have email or web page yet, so I’ve picked DNS (CNAME) validation. But you are welcome to use email provider such as zoho<\/em> to setup mailbox (will require MX record for email), or create a webpage for file upload (Will require A record for your website)<\/p>\n\n\n\n Goes back to your DNS provider and create the CNAME. DNS can be slow to propagate, after this I would suggest to wait for half an hour, before try Verify Domain<\/strong> button.<\/p>\n\n\n\n Once the domain is validated, and the certificate will be issued. You can choose to download the certificate zip file.<\/p>\n\n\n\n The zip file contains three files:<\/p>\n\n\n\n ca_bundle.crt<\/strong>: This file contains only one intermediate certificate<\/span> (ZeroSSL CA). <\/p>\n\n\n\n certificate.crt<\/strong>: This file contains your primary SSL certificate<\/p>\n\n\n\n private.key<\/strong>: This file contains your private key<\/p>\n\n\n\n ca_bundle.crt<\/strong> and certificate.crt<\/strong> are PEM encoded X.509 certificate<\/em><\/strong>, when opens up using text editor, it looks like:<\/p>\n\n\n\n private.key<\/strong> is PEM encoded RSA private key<\/em><\/strong>, when opens up using text editor, it looks like:<\/p>\n\n\n\n This article<\/a> is a great read of different type of certificates.<\/p>\n\n\n\n Note<\/strong>: If you are planning to use Azure Application Gateway to front end your controller, you will need to obtain full chain cert<\/a><\/em>. Otherwise Application Gateway would complain cannot validate root certificate.<\/p>\n\n\n\n To obtain full chain cert:<\/p>\n\n\n\n On MacOS or Linux:<\/p>\n\n\n\n On Windows:<\/p>\n\n\n\n Login to Aviatrix Controller, Settings -> Security<\/p>\n\n\n\n If you want to revert back to self-signed certificate, goes back in the Aviatrix controller UI, Settings -> Advanced -> Security -> Controller Imported Certificate Status -> Imported Certificate Status -> Toggle from Enabled <\/strong>to Disabled<\/strong><\/p>\n\n\n\n When first launched Aviatrix controller from marketplace, the Aviatrix controller give itself a self-signed certificate, and you have to use https:\/\/controller-ip to access it, which may not meet compliance requirement. This blog will talk about getting a public trusted SSL … Continue reading ![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-1024x576.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-1-1024x514.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-2-1024x543.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-3-874x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-4-863x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-5-1024x533.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-6.png\")
<\/figure>\n\n\n\n
\n\n\n\nNote: <\/h6>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIGhz...\n...\n...WlLw==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n...\n...\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\n\n\n
\n\n\n\nThe root certificate of the server certificate used by the backend does not match the trusted root certificate added to the application gateway. Ensure that you add the correct root certificate to whitelist the backend<\/code><\/pre>\n\n\n\ncat certificate.crt ca_bundle.crt > full_chain.crt<\/code><\/pre>\n\n\n\ncopy \/b certificate.crt + ca_bundle.crt full_chain.crt<\/code><\/pre>\n\n\n\n
\n\n\n\n
CA Certificate : ca_bundle.crt
Server Public Certificate: certificate.crt
Server Private Key: private.key
<\/li><\/ul>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-7.png\")
<\/figure>\n\n\n\n
CA Certificate : ca_bundle.crt
Server Public Certificate: full_chain.crt
Server Private Key: private.key<\/li><\/ul>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/cloudlearning365.com\/wp-content\/uploads\/2022\/06\/image-9-1024x626.png\")
<\/figure>\n","protected":false},"excerpt":{"rendered":"