To make the server with DCImanager 6 available over HTTPS, you will need an SSL certificate. You can specify the certificate data when installing the platform or connect it later. To obtain an SSL certificate, contact any certificate issuing service or issue a free Let's Encrypt certificate. Read more about Let's Encrypt in the official documentation.
This article describes how to issue, connect and change the SSL certificate.
Issuing a certificate on the platform server
This section describes how to issue a new certificate using the certbot utility. Use the instructions in this section if you need to create a certificate with automatic renewal and a private key on the platform server.
To issue a certificate, you will need the domain name assigned to the platform server in the DNS server. The same name must be specified in the platform configuration file /opt/ispsystem/dci/config.json, in the DomainName field.
To issue and upload a certificate:
- Install certbot:
    Ubuntu:
        apt install software-properties-common
        add-apt-repository ppa:certbot/certbot
        apt update
        apt install certbot
    AlmaLinux:
        dnf update
        dnf install epel-release
        dnf install certbot
- Stop DCImanager 6 so that the certbot utility can use the local HTTP server for certificate validation:
    dci stop
- If the server runs on AlmaLinux, open port 80:
    firewall-cmd --zone=public --add-port=80/tcp
  Without --permanent this rule applies to the running firewalld configuration only and is lost when firewalld is reloaded or the server is rebooted.
- Issue a certificate:
    - Run the certbot utility and pass it the domain name from the configuration file:
        certbot certonly -d $(jq -r ".DomainName" /opt/ispsystem/dci/config.json)
    - Confirm that you own the specified domain name. The utility offers several confirmation options. Enter 1 to use a local server:
        How would you like to authenticate with the ACME CA?
        ...
        Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    - If a certificate with an RSA key already exists, certbot will prompt you to change its key type to ECDSA. We recommend changing the type, as it speeds up the loading of the platform's web interface. Enter U to confirm the change:
        An RSA certificate named dci6.example.com already exists. Do you want to update its key type to ECDSA?
        (U)pdate key type/(K)eep existing key type: U
    You will receive a message indicating where the certificate and private key are stored. Example output for the domain name "dci6.example.com":
        Successfully received certificate.
        Certificate is saved at: /etc/letsencrypt/live/dci6.example.com/fullchain.pem
        Key is saved at:         /etc/letsencrypt/live/dci6.example.com/privkey.pem
- Start DCImanager 6:
    dci start
- Create a patch_add_ssl.yaml file. Sample file contents for the domain name "dci6.example.com":
    version: "3.7"
    services:
      input:
        volumes:
          - /etc/letsencrypt/live/dci6.example.com/fullchain.pem:/etc/ssl/certs/default.domain.crt
          - /etc/letsencrypt/live/dci6.example.com/privkey.pem:/etc/ssl/private/default.domain.key
- Apply the patch:
    dci add-patch -f patch_add_ssl.yaml -p add_ssl
- Certbot automatically reissues the certificate when it is due to expire. Renewal uses the same local-server validation as the initial issue, so port 80 must be free on the host at renewal time. You can test the auto-renewal with the command:
    certbot renew --dry-run
Connecting an existing certificate
Follow the instructions in this section if you already have a certificate. You can connect an existing certificate during or after the platform installation.
Connecting a certificate when installing the platform
- Copy the certificate files to the server with DCImanager 6, for example to the /root/ directory.
- When installing the platform, specify the paths to the certificate (public key) file and the private key file in the ssl-crt-file and ssl-key-file parameters:
    Example command:
        ./dci install --ssl-crt-file="/root/example.crt" --ssl-key-file="/root/example.key"
The certificate data will be added to the web server settings.
Connecting a certificate after installing the platform
- Copy the certificate files to the server with DCImanager 6, for example to the /root/ directory. After connecting, the certificate files must remain in this directory with the same names.
- Connect to the DCImanager 6 server via SSH.
- Create a patch_add_ssl.yaml file with the following contents:
    version: "3.7"
    services:
      input:
        volumes:
          - /root/dci.crt:/etc/ssl/certs/default.domain.crt
          - /root/dci.key:/etc/ssl/private/default.domain.key
  Note: you don't need to change /etc/ssl/certs/default.domain.crt and /etc/ssl/private/default.domain.key; these are the paths to the certificate and key inside the docker container.
- Run the command:
    dci add-patch -f patch_add_ssl.yaml -p add_ssl
- Specify the server domain name in the DomainName parameter of the /opt/ispsystem/dci/config.json configuration file. Example of a config.json file:
    {"MysqlRootPassword":"password","LicenseToken":"token","DomainName":"example.com","CurrentVersion":"6.14.0","UpdateDate":1616262495}
- Stop DCImanager 6:
    dci down
- Start DCImanager 6:
    dci start
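Both patch files above (the Let's Encrypt one and the /root/ one) differ only in the host-side paths, and a typo in those paths, or a private key left readable by other users, is only discovered after the container restarts. The following script is an added example, not ISPsystem's code: it reads DomainName from config.json (the layout shown above), defaults to the certbot paths /etc/letsencrypt/live/<DomainName>/fullchain.pem and privkey.pem when no paths are given, refuses a missing file or a group/world-readable key, and writes the same patch_add_ssl.yaml. The container-side paths /etc/ssl/certs/default.domain.crt and /etc/ssl/private/default.domain.key are taken from the article; the config path, output path and the demo() helper are assumptions of this example.

```python
"""Generate patch_add_ssl.yaml for DCImanager 6 from config.json.

Added example, not ISPsystem code. Assumes the config.json layout from the
article (a top-level "DomainName" key) and the container-side mount targets
the article's patch file uses.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# Mount targets inside the "input" container, as given in the article's patch file.
CONTAINER_CRT = "/etc/ssl/certs/default.domain.crt"
CONTAINER_KEY = "/etc/ssl/private/default.domain.key"


def read_domain_name(config_path):
    """Return DomainName from config.json; an empty or missing value is an error."""
    with open(config_path, encoding="utf-8") as fh:
        config = json.load(fh)
    domain = config.get("DomainName", "")
    if not isinstance(domain, str) or not domain.strip():
        raise ValueError(f"DomainName is not set in {config_path}")
    return domain.strip()


def letsencrypt_paths(domain):
    """Default certbot 'live' locations for a domain (fullchain and private key)."""
    live = Path("/etc/letsencrypt/live") / domain
    return str(live / "fullchain.pem"), str(live / "privkey.pem")


def check_key_permissions(key_path):
    """Refuse a private key whose mode grants any access to group or others."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)  # follows certbot's symlinks
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{key_path} has mode {mode:04o}; restrict it to the owner (chmod 600)")


def build_ssl_patch(config_path, cert_path=None, key_path=None):
    """Return the patch_add_ssl.yaml text after validating the host-side files."""
    domain = read_domain_name(config_path)
    if cert_path is None or key_path is None:
        cert_path, key_path = letsencrypt_paths(domain)
    for path in (cert_path, key_path):
        if not Path(path).is_file():
            raise FileNotFoundError(f"{path} does not exist on the host")
    check_key_permissions(key_path)
    return (
        'version: "3.7"\n'
        "services:\n"
        "  input:\n"
        "    volumes:\n"
        f"      - {cert_path}:{CONTAINER_CRT}\n"
        f"      - {key_path}:{CONTAINER_KEY}\n"
    )


def write_ssl_patch(config_path="/opt/ispsystem/dci/config.json",
                    out_path="patch_add_ssl.yaml", cert_path=None, key_path=None):
    """Write the patch file and return its path, ready for `dci add-patch -f`."""
    Path(out_path).write_text(build_ssl_patch(config_path, cert_path, key_path),
                              encoding="utf-8")
    return out_path


def demo():
    """Constructed sample run in a throwaway directory: placeholder config, cert and key.

    Shows the happy path and that a loosely permissioned key is refused.
    """
    work = Path(tempfile.mkdtemp(prefix="dci_ssl_demo_"))
    config = work / "config.json"
    config.write_text(json.dumps({"LicenseToken": "token",
                                  "DomainName": "dci6.example.com"}), encoding="utf-8")
    crt, key = work / "dci.crt", work / "dci.key"
    crt.write_text("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
    key.write_text("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    os.chmod(key, 0o600)
    patch = build_ssl_patch(str(config), str(crt), str(key))
    os.chmod(key, 0o644)  # now group/world-readable: must be rejected
    try:
        build_ssl_patch(str(config), str(crt), str(key))
        refused = False
    except PermissionError:
        refused = True
    return {"domain": read_domain_name(str(config)), "patch": patch,
            "crt": str(crt), "key": str(key), "loose_key_refused": refused}


if __name__ == "__main__":
    print(demo()["patch"])
```

On the platform server, `write_ssl_patch()` with no arguments produces the Let's Encrypt variant from /opt/ispsystem/dci/config.json, and `write_ssl_patch(cert_path="/root/dci.crt", key_path="/root/dci.key")` produces the /root/ variant; the resulting file is then applied with `dci add-patch -f patch_add_ssl.yaml -p add_ssl` exactly as in the steps above.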
Certificate change
- Replace the old certificate files with the current ones. The new files must have the same names as the old files.
- Stop DCImanager 6:
    dci down
- Start DCImanager 6:
    dci start