Skip to main content

Configuring TLS Validation Between Legacy and NextGen

Introduction

This guide explains where to place TLS settings and certificates so NextGen can securely connect to Legacy over HTTPS.

Who this guide is for

  • Customers running Legacy + NextGen in the same environment.

  • Customers using custom instance names or custom hostnames.

  • Teams that want TLS verification enabled for internal Legacy/NextGen traffic.

What you need

  • Legacy hostname: <legacy_hostname> (example: legacy.example.local)

  • Legacy certificate file on host: <legacy_cert_path_on_host> (example: /usr/local/teramind/conf/ssl/cert.crt)

  • NextGen project path: /usr/local/teramind/msp (usually /usr/local/teramind/msp)

Step 1: Copy Legacy certificate to NextGen storage

Copy the Legacy certificate (or issuing CA certificate) to the NextGen storage path on the host:

mkdir -p /usr/local/teramind/msp/storage/certs
cp <legacy_cert_path_on_host> /usr/local/teramind/msp/storage/certs/legacy-ca.crt

Replace <legacy_cert_path_on_host> with the actual file path.

After this step, the certificate path inside NextGen containers will be:

/storage/certs/legacy-ca.crt

Step 2: Set NextGen TLS variables in teramind.config

Open:

/usr/local/teramind/conf/teramind.config

Add (or update) these lines:

msp_v2_enable_internal_tls_check=true
sp_v2_node_extra_ca_certs=/storage/certs/legacy-ca.crt

Step 3: Apply the configuration changes

Apply the updated teramind.config so values are written into /usr/local/teramind/msp/.env:

sudo /usr/local/teramind/scripts/tm.pl -func nn

Then recreate NextGen backend services:

cd /usr/local/teramind/msp
docker compose up -d --force-recreate server-1 ws-1 export-server export-manager background-sync priority-background-sync background-event-sync mail-manager deployment-manager

Step 4: Verify

Use either of these simple product checks:

1. Sign in to NextGen. If sign-in works, Legacy/NextGen TLS communication is working.

2. If you do not want to sign out/in, open any BI dashboard. Before the certificate fix, BI widgets show errors; after the fix, widgets load normally.

Notes About SAN / Hostname

NextGen connects to Legacy over loopback (127.0.0.1).

The same Legacy certificate is used for both:

  • External Legacy HTTPS traffic (hostname-based), and

  • NextGen-to-Legacy loopback traffic.

Because of this, the Legacy certificate must include both SAN entries:

  • DNS:<legacy_hostname>

  • IP:127.0.0.1

Troubleshooting

  • Certificate error persists: verify the certificate file exists at /storage/certs/legacy-ca.crt inside NextGen containers.

  • Hostname mismatch: verify SAN contains the exact hostname/IP used in your deployment.

  • Changes not applied: rerun your apply/reconfigure step and recreate NextGen backend services.

Security Recommendation

Keep TLS verification enabled and trust internal certificates via msp_v2_node_extra_ca_certs. Avoid disabling TLS checks.

Did this answer your question?