ac303f8bb9baf25d201ad8530d4560fa3175fcd9
galt
  Wed Jan 19 16:31:45 2022 -0800
Adding documentation about configuring SSL web server certs for use with openssl and the UCSC Genome Browser. refs #28792

diff --git src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
index c4769ab..6ac516e 100755
--- src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
+++ src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
@@ -1091,16 +1091,66 @@
 and then edit your <em>hub.txt</em>, <em>genomes.txt</em>, and <em>trackDb.txt</em> appropriately. One advantage to using
 Figshare is their emphasis on usage statistics, so institutional accounts can see how often
 their hubs and tracks are being accessed by others.</p>
 
 <p>
 Note that Figshare does not use filenames as part of the URLs, therefore bigDataUrl files 
 that require a separate index file, like VCFs and BAM files, must have their index file
 location specified with a <em>bigDataIndex</em>. This keyword is relevant for Custom Tracks
 and Track Hubs. You can read more about <em>bigDataIndex</em> in 
 <a href="trackDb/trackDbHub.html#bigDataIndex">the TrackDb Database Definition page</a>.
 </p>
 
 <p>
 For more information on using Figshare, please see their 
 <a href="https://support.figshare.com/support/home" target="_blank">Support Portal</a>.</p>
+
+
+<h3>Configuring your own HTTPS server</h3>
+<p>
+<p> The most popular web servers are Apache and NGINX. 
+<p>
+<p>
+Instructions for setting up these popular web servers are found all over the web, so we will not cover that here.<p>
+
+<p>
+<B>Certs and Security</B><br>
+
+As security on the Internet is becoming increasingly important, SSL certificates are required for proper server installation.
+The certificate validation step helps stop Man-In-The-Middle attacks by ensuring that the connection goes to the correct server
+and not some fake site. The process requires SSL certificates that have not expired and whose domain name matches the domain name 
+specified in the HTTPS URL.<p> 
+<p>
+Our networking software uses the very popular open source library openssl 1.0.<br>
+Please ensure that TLS1.2 is allowed, since it is fast and secure and compatible with openssl 1.0.
+<p>
+
+<B>FREE CERT PROVIDER</B><p>
+There are groups that provide free web certs, including the popular <a href="https://letsencrypt.org/">LETSENCRYPT</a><p>
+
+
+<B>Testing your site certs</B><p>
+<p>
+<p>
+curl uses openssl
+<pre>
+curl https://yourdomain.com/yourhub/hub.txt
+</pre>
+<p>
+If curl can fetch your hub.txt URL without errors, then the certs will work with the UCSC Genome Browser. <p>
+<p>
+<p>
+For a deeper level of debugging, use the open ssl client command<p>
+<pre>
+openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
+</pre>
+<p>
+Various online SSL Server Test sites have great detailed documentation about your web site certs and configuration<p>
+<pre>
+https://www.ssllabs.com/ssltest/
+https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com&latest
+</pre>
+<p>
+Feel free to contact UCSC Genome Browser for help if you are seeing certificate validation error messages you do not understand.<p>
+
+
 <!--#include virtual="$ROOT/inc/gbPageEnd.html" -->
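Review bot: The line "curl uses openssl" above the first added <pre> block is not true of every curl build, so the following claim that a clean curl fetch means the certs will work with the UCSC Genome Browser is too strong. curl can be linked against other TLS libraries, which may use a different trust store and support different protocol versions than openssl 1.0. Suggest asking readers to confirm the TLS backend with curl -V, or rewording to "if your curl is built against openssl". Because the text asks that TLS1.2 be allowed, the s_client example could also pass -tls1_2 so the check exercises that protocol version specifically. On markup: the added block opens many <p> tags and closes none, several lines end with a stray <p>, and the & in the ssllabs URL inside <pre> should be written as &amp;. The sub-headings use <B> with inconsistent capitalisation ("Certs and Security" vs "FREE CERT PROVIDER") under an <h3> section title; a consistent heading level would read better.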