Setup SSL on Web UI
To enable the ssl to web portal, you can use free certificate from letsencrypt. To use the free letsencrypt ssl certificate, you can user cerbot. Cerbot is a bot-like plugin which uses letsencrypt to get ssl certificate. "certbot-nginx" is a plugin for the certbot for automate renewal of SSL certificate using on nginx. A standard free letsencrypt expires every 90 days, so the purpose of "cerbot" is to automatically renew the letsencrypt every 90 days.
The package for cerbot is :
python2-certbot-nginx.noarch
Here is the command:
command is yum -y install python2-cerbot-nginx
The following config file is an example for the manual ssl setup for using letsencrypt. If you are using cerbot, only thing you need is to change/set server_name in /etc/nginx/conf.d/denovo.conf
server_name localhost; <---- change this to your domain name.
After you edit /etc/nginx/conf.d/denovo.conf and replace domain name with chosen domain name , you should run the command:
certbot You will be presented with wizard which will help you setup an letsencrypt account and create a fre ssl for you. this is free ssl certificate which is valid for 90 days so some 2 weeks before certificate expires, you will be able to renew it by using command:
certbot renewIf you are not using cerbot, but you manually generate, or buy SSL certificates you need to modify nginx config and set it up manually. This is the config you should refer to.
server {
#listen 80;
server_name localhost; <---- changing domain name to your domain name
root /opt/denovo_v6/web;
index index.html index.htm;
client_max_body_size 320m;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
try_files $uri $uri/ @rewrites;
}
location @rewrites {
rewrite ^(.+)$ /index.html last;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
listen 443 ssl; <------- Add SSL listen directive
ssl_certificate /path/to/ssl/certificate.crt ; <------- Add path to your cert file
ssl_certificate_key /path/to/ssl/certificate_key; <------ Add path to your cert key file
}
After switching to domain name and choosing https, you would also need to edit api.ini and change schema and hostname there.
The default path for api.ini is /opt/denovov6/api_dnl/api.ini
The variables to update are:
- api_schema
- api_host
/
Then, you can restart api using the following command:
systemctl restart dnl_api_dnl
The lescrypt SSL certificate expires every 90 days. You may want to set it to auto renew by using crontab. The crontab command is as follows:
0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew