
Proxy server HTTPS certificate

Dmytro Titov edited this page Dec 2, 2020 · 3 revisions

The web service on the proxy server must use HTTPS to protect its web traffic. A certificate can be requested from the Let's Encrypt authority free of charge. Usually this is done with the Certbot tool: https://certbot.eff.org/ That page contains all the details needed to obtain an HTTPS certificate.

Running the certificate retrieval command (e.g. sudo /usr/local/bin/certbot-auto certonly) creates a folder for the corresponding domain name, for example /etc/letsencrypt/live/ega.elixir.no/:

[root@ega ~]# ls -la /etc/letsencrypt/live/ega.elixir.no/
total 24
drwx------. 2 root    root     143 Oct 12 13:57 .
drwx------. 3 root    root      41 May  8  2020 ..
-rwx------. 1 dmytrot dmytrot 1939 May  8  2020 CA.pem
-rwx------. 1 root    root     692 May  8  2020 README
lrwxrwxrwx. 1 root    root      37 Oct 12 13:57 cert.pem -> ../../archive/ega.elixir.no/cert3.pem
lrwxrwxrwx. 1 root    root      38 Oct 12 13:57 chain.pem -> ../../archive/ega.elixir.no/chain3.pem
-rwx------. 1 root    root    4197 May 18  2020 client.p12
lrwxrwxrwx. 1 root    root      42 Oct 12 13:57 fullchain.pem -> ../../archive/ega.elixir.no/fullchain3.pem
lrwxrwxrwx. 1 root    root      40 Oct 12 13:57 privkey.pem -> ../../archive/ega.elixir.no/privkey3.pem

This folder contains all the required files, stored in PEM format. However, the proxy web service needs the certificate and its private key in PKCS#12 format. The conversion can be done with the openssl tool:

sudo openssl pkcs12 -export -out /etc/letsencrypt/live/ega.elixir.no/server.p12 -in /etc/letsencrypt/live/ega.elixir.no/fullchain.pem -inkey /etc/letsencrypt/live/ega.elixir.no/privkey.pem -passout pass:<CERT_PASSPHRASE>

The resulting server.p12 file can then be injected into the proxy web-service Docker container as a secret (see further).

P.S. Note that Let's Encrypt certificates are valid only for 3 months. One week before expiration, the administrator gets an automatic email reminder from Let's Encrypt to renew the certificate. Renewal is done with the same tool (Certbot), after which the PKCS#12 conversion above must be repeated, since server.p12 is a copy and does not follow the symlinks.
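As an added example that is not part of the original page: a small POSIX shell script that performs the PKCS#12 conversion described above, verifies that the resulting bundle opens with the passphrase that was set, and checks the certificate against an expiry window, which is the check a renewal cron job would want given the 3-month validity. It assumes openssl is on PATH; the paths and passphrase are parameters, and the certificate it generates for demonstration is constructed test material, not a real Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the original page): build a PKCS#12 bundle from the
# PEM files Certbot writes, verify it reads back with the same passphrase, and
# check how close the leaf certificate is to expiry.
# Assumes openssl is installed; every path and the passphrase are parameters.
set -eu

# pem_to_p12 FULLCHAIN PRIVKEY OUT PASSPHRASE
# Exit status 0 only if the bundle was written and can be opened again.
pem_to_p12() {
  fullchain=$1; privkey=$2; out=$3; pass=$4
  umask 077   # the bundle contains the private key: create it owner-only
  openssl pkcs12 -export -out "$out" -in "$fullchain" -inkey "$privkey" \
    -passout "pass:$pass"
  # Re-open the archive with the passphrase; a MAC failure returns non-zero.
  openssl pkcs12 -in "$out" -passin "pass:$pass" -noout
}

# cert_valid_for_days CERT_PEM DAYS
# Exit status 0 if CERT_PEM is still valid DAYS days from now, 1 otherwise,
# so a renewal job can trigger well before Let's Encrypt's reminder email.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# make_demo_pem DIR
# Constructed test material: a self-signed certificate standing in for
# Certbot's fullchain.pem/privkey.pem (the CN is only a placeholder here).
make_demo_pem() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=ega.elixir.no" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}
```

Passing the passphrase as pass:... puts it in the process list and shell history; openssl also accepts -passout file:PATH, which reads it from a root-only file instead.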