Setting up an mSign server: Difference between revisions

From Scriptel Wiki
Jump to navigation Jump to search
(reduced the steps necessary to install certbot since it's installer does these things for you now.)
(Added config details; stumbling blocks that I ran into.)
Line 17: Line 17:
     sudo dpkg -i scriptel-msign-X.X.X-all.deb
     sudo dpkg -i scriptel-msign-X.X.X-all.deb


6. check to see if the service is started the service
6. Edit the /usr/lib/scriptel-msign/config.js file. hostName must be set to the fully qualified domain name for SSL to work. webappLocation must be set to the front-end server. Everything else should work by default.
 
7. check to see if the service is started the service
     sudo service scriptel-msign status
     sudo service scriptel-msign status


Line 25: Line 27:


This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.
This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.
Note that eth0 may or may not be the name of your ethernet adaptor. For example, on AWS T4g instances it is ens5.


   sudo apt install iptables-persistent
   sudo apt install iptables-persistent

Revision as of 14:19, 28 June 2023

This guide is for administrators in organizations who have purchased an mSign server license. Scriptel provides a public server for public use free of charge at msign.scriptel.com. However, this requires internet connectivity and is shared. Organizations may wish to use their own server behind their firewall. A 90-day trial license is available upon request.

mSign Sever is designed to run on an Ubuntu 20.04 server and up. It is written node.js, so technically it is possible to make it run on any platform that supports node. However, all of the scripts for installing are written for Ubuntu and that is all we are currently supporting.

Set up the service:

1. Obtain the scriptel-msign-x.x.xx-all.deb package.

2. Obtain a server with Ubuntu 20.04 (or higher) on it.

3. Change the host name

   sudo hostnamectl set-hostname new-hostname

4. Point your DNS to the new server.

5. Start the install of mSign server

   sudo dpkg -i scriptel-msign-X.X.X-all.deb

6. Edit the /usr/lib/scriptel-msign/config.js file. hostName must be set to the fully qualified domain name for SSL to work. webappLocation must be set to the front-end server. Everything else should work by default.

7. check to see if the service is started the service

   sudo service scriptel-msign status

At this point, your mSign Desktop and mSign Mobile applications should be able to connect to the server on port 8443. For example, if your IP address were 54.291.191.59 you would put this into the applications as https://54.291.191.59:8443. You can try this using a browser for mSign Mobile as long as it will allow you to get to it as an unsafe site. Chrome will allow this, for example, but you will not be able to use the mSign mobile app for Android until there is a certificate.

Reassign the ports

This section is optional. mSign Server runs natively on ports 8080 and 8443. You might want to use the standard http and https ports 80 and 443. You have to do this if you use Letsencrypt for a certificate in the next section.

Note that eth0 may or may not be the name of your ethernet adaptor. For example, on AWS T4g instances it is ens5.

 sudo apt install iptables-persistent
 sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
 sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
 sudo /etc/init.d/netfilter-persistent save

Install a certificate

To avoid security warnings you need to install a certificate. You can buy one and install it. Or you can self-certify, but if you do, you will have to set yourself up as a root authority on each mobile device you use. Or you can use Let's Encrypt, which is free, but requires that the server be public on the internet so that it can validate ownership of the domain.

These instructions are for Let's Encrypt:

1. Let's Encrypt requires that standard ports be used. So if you haven't already done so, reassign the ports as described in the previous section.

2. Give your server a DNS name with your DNS provider and wait for it to propogate. This can be a subdomain of one you already own.

3. Create the directory /usr/lib/scriptel-msign/www and change the owner to scriptel-msign

  sudo mkdir /usr/lib/scriptel-msign/www
  sudo chown scriptel-msign /usr/lib/scriptel-msign/www

4. Type the following, substituting your domain for domain.example.com:

   sudo apt install certbot
   sudo certbot certonly --webroot -w /usr/lib/scriptel-msign/www -d domain.example.com