3 Replies Latest reply on Oct 29, 2015 3:35 PM by Glen Kendell

    Unclear SSL setup instructions

    . Zottower

      Following these directions:

       

      http://kb.tableau.com/articles/knowledgebase/creating-ssl-certificate-and-key-tableau-server

       

      My first area of confusion is what to enter for the Common Name when creating the certificate signing request (.csr file). My Tableau Server name (the name of the actual server) is "myserver". The URL that we hit to access Tableau Server is "tableauserver.mycompany.com". That resolves to "myserver" and if I were to go to "myserver.mycompany.com" that would also take me to the Tableau Server login page if I browse there internally. Externally it wouldn't work. I've tried making self-signed certificates for both "tableauserver.mycompany.com" and "myserver.mycompany.com". Both of them cause warnings in error.log stating "server certificate does NOT include an ID which matches the server name". I also tried a free 30-day SSL trial from GeoTrust, and they explicitly state that something called the "correct intermediate CA" has to be installed at the same time as the SSL certificate to get it to work. There are no directions available for configuring this in Tableau Server. Tableau Server Configuration has 3 boxes - SSL Certificate File, SSL Certificate Key File, and SSL Certificate Chain File (optional). Is the chain file another name for "correct intermediate CA"?

      The documentation here is really vague and lacking.

        • 1. Re: Unclear SSL setup instructions
          Glen Kendell

          I feel your pain.  Setting up SSL can be frustrating for sure!

           

          The common name is the external URL - so tableauserver.mycompany.com. Enter this name into the hosts file on the local system and have it use the local IP and into your external DNS using the external IP.

           

          I would recommend getting an SSL certificate from DigiCert.  They have fantastic support and they will help you out.  You won't need an intermediate certificate if you go with them.

           

          If you do go the "bargain SSL" route and end up with an intermediate certificate, that cert goes in the chain file. That's what the chain file is for. Depending upon the cert type and the vendor, you may need multiple intermediates in the chain file. The order goes intermediate #1, intermediate #2, then root. It's a pain to do, and can be challenging to test. The other consideration is to be sure to test mobile devices. They have a more limited set of CA roots so your SSL may work on a desktop but give an error on a mobile device. Which is why you're better off spending a few extra dollars and getting a quality cert from DigiCert. No, I don't work for them, just a fan!

           

          Good luck,

          Glen
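
Added example, not part of the original thread or of Tableau's documentation: a shell sketch of the Common Name advice in reply 1, showing which host names a certificate issued for the external URL actually identifies and how to confirm that the key file belongs to the certificate. It assumes OpenSSL 1.0.2 or later on the PATH; the file names and temporary directory are constructed for the demo, and the host names are the placeholders from the question.

```bash
#!/usr/bin/env bash
# Added illustration (not from the thread): file names are assumptions,
# host names are the placeholders used in the question.
set -eu

# Create a private key, a CSR and a self-signed test cert for one Common Name.
make_cert() {  # usage: make_cert <common-name> <output-dir>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2/server.key" -out "$2/server.csr" 2>/dev/null
  openssl x509 -req -in "$2/server.csr" -signkey "$2/server.key" \
    -days 30 -out "$2/server.crt" 2>/dev/null
}

# Succeeds only if the certificate identifies <host>.
cert_matches_host() {  # usage: cert_matches_host <cert> <host>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Succeeds only if the certificate and key file are a pair (same public key).
key_matches_cert() {  # usage: key_matches_cert <cert> <key>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  dir=$(mktemp -d)
  make_cert tableauserver.mycompany.com "$dir"
  for host in tableauserver.mycompany.com myserver.mycompany.com myserver; do
    if cert_matches_host "$dir/server.crt" "$host"; then
      echo "$host: matches certificate"
    else
      echo "$host: does NOT match certificate"
    fi
  done
  key_matches_cert "$dir/server.crt" "$dir/server.key" && echo "key and certificate pair up"
  rm -rf "$dir"
}
demo
```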

          • 2. Re: Unclear SSL setup instructions
            . Zottower

            Thanks for the reply.  When you say "Enter this name into the hosts file on the local system and have it use the local IP and into your external DNS using the external IP", what do you mean?  What is the hosts file?  It's not the openssl.cnf file buried in the apache directory of Tableau Server is it?  As far as I can tell I'm not supposed to be doing anything with openssl.cnf because I am not doing a SAN certificate.

            • 3. Re: Unclear SSL setup instructions
              Glen Kendell

              The hosts file is located at /etc/hosts if you're on a Linux server.  It's a way to hardcode DNS entries at the server level. Typically you want to do this when the IP address of the server is a non-routable IP (i.e. 192.168.x.x, 172.16.x.x, 10.x.x.x) which is being NAT'd to a real IP address used on the Internet.