Core Linux - SSL Certificate Installation


    Article summary

    This article covers adding an SSL certificate to Quality Modeller so that it is served over HTTPS.

    1 - Obtain SSL Certificate

    For testing you can create a self-signed SSL certificate (the /nginx directory must already exist, since openssl will not create it):

    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /nginx/server.key -out /nginx/server.crt

    For production it is recommended that you obtain a certificate signed by a registered certificate authority.

    You should now have a .crt and a .key file. Place these on the host machine's local storage. If you have placed them in a directory other than "/nginx", edit the volumes key in the docker-compose.yml file accordingly, replacing those entries with your location.



    2 - Setup the custom SSL configuration

    The package folder comes with a file called docker-compose-ssl.yml. Copy that file to a new file called docker-compose-custom.yml and then edit the newly created file if needed. If you already have a docker-compose-custom.yml file containing custom configuration elements, edit that file instead.

    cp docker-compose-ssl.yml docker-compose-custom.yml

    By default, the docker-compose-ssl.yml file expects the certificate files obtained in step 1 to be available on the host machine at the following location:

    /nginx/server.crt
    /nginx/server.key

    If you are able to place the files there, you can simply proceed to the next step.

    If you are unable to place the certificate files in the /nginx folder for some reason (e.g. permissions), edit the docker-compose-custom.yml file to change the location or names of the certificate files under the volumes section of nginx:

    nginx:
      image: nginx
      volumes:
        - ./nginx/nginx-https.conf:/etc/nginx/nginx.conf
        - [certificate-file-on-host]:/etc/nginx/server.crt
        - [key-file-on-host]:/etc/nginx/server.key
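
    The following script is an added example and is not part of the original article or the Quality Modeller package. It covers steps 1 and 2 together: it creates a self-signed test pair with the same openssl invocation as above (into a directory of your choice rather than /nginx, so it does not need sudo), then runs the checks you would want before handing the files to nginx: the key actually belongs to the certificate, the certificate is not expired or about to expire, the private key is not readable by other users, and the volumes entries in docker-compose-custom.yml point at files that pass those same checks. It assumes a POSIX sh with openssl on the PATH; the function names and the compose file path are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the Quality Modeller package).
# Assumes: POSIX sh, openssl on PATH. All paths are supplied by the caller.

# gen_selfsigned DIR: create DIR/server.crt and DIR/server.key.
# Same openssl command as the article, plus -subj so it runs non-interactively.
gen_selfsigned() {
    dir="${1:-./nginx}"
    mkdir -p "$dir" || return 1
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # The private key must not be readable by group or others.
    chmod 600 "$dir/server.key"
}

# check_pair CRT KEY: verify both files are readable, the key matches the
# certificate, the certificate is valid for at least 7 more days, and the
# key file is private. Returns 0 when everything passes.
check_pair() {
    crt="$1"; key="$2"
    [ -r "$crt" ] || { echo "missing or unreadable certificate: $crt"; return 1; }
    [ -r "$key" ] || { echo "missing or unreadable key: $key"; return 1; }

    # Compare the public key embedded in the certificate with the public key
    # derived from the private key; works for RSA and EC keys alike.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "cannot parse $crt"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse $key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }

    # -checkend exits non-zero if the certificate expires within N seconds (7 days here).
    openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null \
        || { echo "certificate expired or expiring within 7 days"; return 1; }

    # find prints the file if group or others have read permission.
    [ -z "$(find "$key" \( -perm -g+r -o -perm -o+r \))" ] \
        || { echo "private key is readable by group/others"; return 1; }
    return 0
}

# compose_host_path COMPOSE CONTAINER_PATH: print the host side of the
# volume entry "- host:CONTAINER_PATH" (e.g. CONTAINER_PATH=/etc/nginx/server.crt).
compose_host_path() {
    grep -E "^[[:space:]]*-[[:space:]]*[^:]+:$2[[:space:]]*$" "$1" | head -n 1 |
        sed -E "s/^[[:space:]]*-[[:space:]]*//; s#:$2[[:space:]]*\$##"
}

# check_compose COMPOSE: resolve the cert/key host paths from the compose file
# and run check_pair on them, so a wrong volumes edit is caught before run.sh.
check_compose() {
    crt=$(compose_host_path "$1" /etc/nginx/server.crt)
    key=$(compose_host_path "$1" /etc/nginx/server.key)
    [ -n "$crt" ] && [ -n "$key" ] \
        || { echo "no server.crt/server.key volume entries in $1"; return 1; }
    check_pair "$crt" "$key"
}

# Usage (constructed paths):
#   gen_selfsigned ./nginx && check_pair ./nginx/server.crt ./nginx/server.key
#   check_compose ./docker-compose-custom.yml
```

    Run check_compose against docker-compose-custom.yml after editing the volumes section and again after replacing the self-signed pair with the CA-issued one; a mismatched key or a world-readable key file is reported before the services are started.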

    3 - Start (or restart) the Quality Modeller Services

    Start the Quality Modeller services.

    ./run.sh

    4 - Enable TLS v1.2 (Optional)

    If you wish to enable TLS v1.2, you also need to edit the package/nginx/nginx-https.conf file to have the following values under the server block, then restart the Quality Modeller services as described in step 3 above. Note that this ssl_protocols line allows TLS 1.2 only: older versions, and TLS 1.3, will be refused by nginx.

    ssl_ciphers         EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;

    ssl_protocols      TLSv1.2;