How to install a Let's Encrypt SSL cert on Aspera On Demand


This article provides instructions on how to obtain and install an SSL certificate for use by the asperanoded service on your Aspera Application Platform, or Transfer cluster.


  • You have successfully provisioned APOD or a transfer cluster
  • The DNS must be working properly
    • For Clusters, the DNS is managed by ATCM
    • For APOD, you need a public DNS
  • For ATCM: You are logged into the node that the DNS points to (more information below) and your cluster is configured to Min Idle nodes 1
  • Port 80 must be open (more information below)

I. Create SSL certificate

1. Boot your cluster/node and log in

2. Download Let's Encrypt utilities

Background information is available here:

The Certbot can be found here:

Run the following commands:

# sudo yum install epel-release
# sudo yum install certbot

You should see the RPM packages downloaded and installed.

3. Run the certbot utility to create the SSL cert

Run the certbot command (this will also launch a simple app):

# certbot certonly --webroot -w /usr/share/nginx/html/ -d DNS-NAME -m EMAIL-ADDRESS --agree-tos

Review the output (example provided below for reference):

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/DNS-NAME/fullchain.pem. Your
cert will expire on 2016-09-29. To obtain a new or tweaked version
of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot renew"

4. Append a root cert to the fullchain.pem

Download the root certificate and copy it to a file at /tmp/root.cert

Add the appropriate -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines to the root cert, so it looks like this:


Next copy the fullchain.pem to /tmp (make the appropriate substitution for your cluster DNS), and then append the root cert to the full chain:

# cp /etc/letsencrypt/live/CLUSTER-DNS-NAME/fullchain.pem /tmp/
# cat /tmp/root.cert >> /tmp/fullchain.pem
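
A pre-install check for the files produced above, added here as an example (it is not part of the original article and not an Aspera tool): it confirms that the chain file holds at least two well-formed certificate blocks, contains no private key, and that privkey.pem matches the leaf certificate, which must not be expired. The function names and the two-certificate minimum are assumptions; run without arguments, the script exercises itself on constructed throwaway certificates.

```shell
#!/bin/sh
# Added example (not from the original article): pre-install checks.
# Usage: sh check_bundle.sh /tmp/fullchain.pem /path/to/privkey.pem

# Prints OK and returns 0, or prints "FAIL: reason" and returns 1.
check_bundle() {
    cb_chain=$1; cb_key=$2
    # PEM boundary lines carry exactly five dashes on each side.
    cb_begin=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$cb_chain" 2>/dev/null || true)
    cb_end=$(grep -c '^-----END CERTIFICATE-----$' "$cb_chain" 2>/dev/null || true)
    if [ "${cb_begin:-0}" -lt 2 ] || [ "$cb_begin" != "$cb_end" ]; then
        echo "FAIL: need >= 2 well-formed certificates (BEGIN=$cb_begin END=$cb_end)"
        return 1
    fi
    # The chain is pasted into the Certificate box, so it must not hold a key.
    if grep -q 'PRIVATE KEY-----' "$cb_chain"; then
        echo "FAIL: private key found in chain file"; return 1
    fi
    # The leaf (first certificate) must carry the public key of the private key.
    cb_cpub=$(openssl x509 -in "$cb_chain" -noout -pubkey 2>/dev/null || true)
    cb_kpub=$(openssl pkey -in "$cb_key" -pubout 2>/dev/null || true)
    if [ -z "$cb_cpub" ] || [ "$cb_cpub" != "$cb_kpub" ]; then
        echo "FAIL: private key does not match leaf certificate"; return 1
    fi
    # -checkend 0 exits non-zero when the leaf has already expired.
    if ! openssl x509 -in "$cb_chain" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: leaf certificate has expired"; return 1
    fi
    echo "OK"
}

# Constructed throwaway input: two self-signed certificates standing in for
# leaf + root (not a real chain), so the checks can be exercised offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=leaf.invalid" \
        -keyout "$1/privkey.pem" -out "$1/leaf.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=root.invalid" \
        -keyout "$1/other.pem" -out "$1/root.pem" 2>/dev/null &&
    cat "$1/leaf.pem" "$1/root.pem" > "$1/fullchain.pem"
}

if [ "$#" -eq 2 ]; then
    check_bundle "$1" "$2"
else
    demo=$(mktemp -d) && make_demo_pair "$demo" &&
        check_bundle "$demo/fullchain.pem" "$demo/privkey.pem"
    rm -rf "$demo"
fi
```

The script checks file structure and key pairing only; it does not validate the signature chain, so the browser check in section III still applies.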

II. Install the SSL key and certificate

For ATCM, use the Cluster Manager UI. For APOD, see nginx.conf for details.

Process for ATCM

You will be installing fullchain.pem and privkey.pem via the Cluster Manager UI.

  1. Log into Cluster Manager.
  2. Select your cluster, and see that the configuration menu options appear below.
  3. Click on SSL.
  4. Click the Edit button.
  5. Paste the contents of /etc/letsencrypt/live/CLUSTER-DNS-NAME/privkey.pem into the Private Key box.
  6. Paste the contents of /tmp/fullchain.pem into the Certificate box.
  7. Click Save Changes.
  8. Monitor deployment of SSL certs.

Navigate to the Monitor Nodes page of your cluster. Monitor the Event log, and confirm that new SSL certs are published to each node:

16:17:45 1 Lifecycle Manager INFO Updated local SSL private key file
16:17:45 1 Lifecycle Manager INFO Updated local SSL certificate file

Process for APOD

  1. On the APOD node, run the following commands:
    # cp /tmp/fullchain.pem /opt/aspera/etc/aspera_server_cert.pem
    # cp /etc/letsencrypt/live/CLUSTER-DNS-NAME/privkey.pem /opt/aspera/etc/aspera_server_key.pem
    # cat /opt/aspera/etc/aspera_server_key.pem >> /opt/aspera/etc/aspera_server_cert.pem
    # /etc/init.d/asperanoded restart
  2. Make a backup of existing keys (/opt/aspera/shares/etc/nginx/cert.*)
  3. Copy fullchain.pem to /opt/aspera/shares/etc/nginx/cert.pem
  4. Copy privkey.pem to cert.key (same location)
  5. Restart nginx via the Shares init script
    /etc/init.d/aspera-shares stop
    /etc/init.d/aspera-shares start

III. Verify your certificates

Point your browser to your cluster and view the cert details.
