Just a quick note on a mistake to avoid when leveraging SSL with Server.Next. I didn’t. And I wasted 2 hours. And I’m bitter.
In the settings.yml file, you’ll find the ayxserver_cert_location and ayxserver_key_location properties which you’ll use to point to your SSL cert and key. When you open the file you’ll find that the properties point to the current self-signed cert and key that our installer generates automatically. Both settings need to be updated so that they point at YOUR certificate and key.
When you get your certificate and key from a Certificate Authority, it’s not uncommon to receive an intermediate certificate, or sometimes a chain file (which is a combination of your primary and intermediate certificates). Let’s Encrypt included the latter:
When you see something like this, you have some work to do.
If you receive a chain file (open it and see if you see multiple certs one after the other), then you’ll want to plug it into ayxserver_cert_location instead of the primary certificate name.
If you got an intermediate certificate, then you’ll need to create your own chain file. Don’t worry, it’s not hard. Read the section Creating a .pem with the Server and Intermediate Certificates. Use this chain file with the ayxserver_cert_location setting.
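An added example (not from the original post or from Alteryx): a standard-library Python check for whether a file holds one certificate or a chain, plus a builder that joins the server and intermediate certificates without gluing the END/BEGIN markers together when the first file lacks a trailing newline. The function names and the placeholder PEM blocks are constructed for illustration, and the check is structural only; it does not verify signatures.

```python
import re

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----"
)

def pem_blocks(text):
    """Return [(label, base64_body)] for every PEM block in text, in file order."""
    return [(m.group(1), "".join(m.group(2).split())) for m in PEM_BLOCK.finditer(text)]

def classify(text):
    """Describe what a file intended for ayxserver_cert_location contains."""
    labels = [label for label, _ in pem_blocks(text)]
    if any("PRIVATE KEY" in label for label in labels):
        return "contains-private-key"  # the key belongs in ayxserver_key_location
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        return "no-certificate"
    return "chain" if certs > 1 else "single-certificate"

def build_chain(leaf_pem, intermediate_pem):
    """Join the server certificate (first) and the intermediate(s) into one PEM."""
    leaf = [b for b in pem_blocks(leaf_pem) if b[0] == "CERTIFICATE"]
    inter = [b for b in pem_blocks(intermediate_pem) if b[0] == "CERTIFICATE"]
    if len(leaf) != 1 or not inter:
        raise ValueError("need exactly one server certificate and at least one intermediate")
    out = []
    for label, body in leaf + inter:
        # Re-wrap the base64 at 64 columns so every marker sits on its own line.
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        out.append("\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed placeholder blocks, not real certificates.
    # The leaf file deliberately has no trailing newline.
    leaf = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
    inter = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
    print(classify(leaf))
    print(build_chain(leaf, inter))
```

Run `classify` on whatever file you plan to reference before restarting the services; a result of `single-certificate` means the intermediate is still missing.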
Do I really need to do this?
Yes. If you refer to the primary cert in the settings.yml file, Server will likely start and you’ll be able to log in to the portal – everything will look peachy. However, when you try to interact with the server via our cool, amazing, awesome REST endpoints, you’ll get SSL errors along the lines of “UNABLE_TO_VERIFY_LEAF_SIGNATURE”.
One Other Thing
NOTE: This last step is only necessary for beta3. If you have builds newer than beta3, skip.
Once you’ve enabled SSL on the frontend and backend components of Server.Next, a third component needs to be updated. We call this technology Cutlass because, well, because it’s a cool name.
Anyway, find and open the CutlassSettings.yml file:
Change the ayxserver.hostname property to the name of your server (and of course, this name should match the hostname associated with the certificate you were issued by your Certificate Authority). In my case, I use sn.russch.com.
If you forget this step, Cutlass will try to connect to https://localhost, which won’t work after you update the certificates in use by the Server. Cutlass is the thing that monitors and executes jobs on your Job Queue. So if no Jobs ever execute, it may mean that Cutlass is down or can’t connect to the backend to check for Jobs.
That’s it. Restart the three Alteryx Services on your machine (ServerNext Backend, ServerNext Frontend, AlteryxEngineWorker) and carry on.
If you’re looking for an easy (and free!) way to generate certificates on your Windows machine, use the Win Acme client.