Nothing changing in Gateway after Lets Encrypt cert install

Hello All,

I have recently installed a lets encrypt cert on my Ubuntu server running Ignition v8.0.7. It appears that everything worked find I got all of the cert files (private key and and fullchain) from certbot. I packaged it all up using pkcs12 and put it at /usr/local/bin/ignition/webserver/ssl.pfx . Then I used the ./ --reloadks command and got the “Successfully reloaded the SSL key store” message however, I still cannot connect on 8043 and it doesn’t look like anything has changed in the webserver settings in the gateway (I still see the red message saying SSL is not configured). Is there a step that I am missing or do you have to already have SSL configured before you set it up this way?

Are there any gateway log messages from the gateway.SslManager logger?

Hey yes there are a couple of warnings I will attach the logs. I see an “Unable to refresh state” from the SslManager and “Could not read license from HASP key. Driver not found” from licenseManager.

Ignition-ia-dist-002_Ignition_logs_20200305-1844.idb (188 KB)

I see this:

java.nio.file.AccessDeniedException: webserver/ssl.pfx

Ignition must not have permission to open the ssl.pfx keystore file.


Thank you for the help. I was able to get that fixed and I am up and running with SSL now.:ok_hand:


Would you be able to give some details on how this was resolved? I’m running into the same issue but not sure what permissions need to be changed.


@Pat_Schmidt, I too just ran into this.

  • My Ignition instance is running as my local user (this is set during install in /usr/local/bin/ignition/ however my certificate deploy script is running as root. This is where the permission issue comes from.
  • The key store file is consequently owned by root with only read access for that user.
  • In my deploy script, I added this line before the line that reloads the key store:
    • chown $IGNITION_USER:$IGNITION_USER $IGNITION/webserver/ssl.pfx
    • Note the new environment variable, IGNITION_USER that I added which is not in the tutorial referenced above. You can add this to your environment or replace it with the actual user / group name.