Setup SSL on Web UI

To enable SSL on the web portal, you can use a free certificate from Let's Encrypt. To use the free Let's Encrypt SSL certificate, you can use certbot. Certbot is a bot-like plugin which uses Let's Encrypt to get an SSL certificate. "certbot-nginx" is a certbot plugin that automates renewal of the SSL certificate on nginx. A standard free Let's Encrypt certificate expires every 90 days, so the purpose of certbot is to automatically renew the certificate every 90 days.

The package for certbot is:

python2-certbot-nginx.noarch

Here is the command:

yum -y install python2-certbot-nginx

The following config file is an example for the manual SSL setup for using Let's Encrypt. If you are using certbot, the only thing you need to do is change/set server_name in /etc/nginx/conf.d/denovo.conf:

    server_name  localhost;    # change this to your domain name

After you edit /etc/nginx/conf.d/denovo.conf and replace the domain name with your chosen domain name, run the command:

certbot

You will be presented with a wizard which will help you set up a Let's Encrypt account and create a free SSL certificate for you. This free SSL certificate is valid for 90 days, so some 2 weeks before the certificate expires you will be able to renew it by using the command:

certbot renew

If you are not using certbot, but manually generate or buy SSL certificates, you need to modify the nginx config and set it up manually. This is the config you should refer to.

server {

    #listen       80;
    server_name  localhost;      # change this to your domain name
    root         /opt/denovo_v6/web;
    index        index.html index.htm;
    client_max_body_size 320m;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        try_files $uri $uri/ @rewrites;
    }

    location @rewrites {
        rewrite ^(.+)$ /index.html last;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen  443 ssl;                                     # add SSL listen directive
    ssl_certificate /path/to/ssl/certificate.crt;        # add path to your cert file
    ssl_certificate_key /path/to/ssl/certificate_key;    # add path to your cert key file
}
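
A preflight check for the manual setup above, added here as an example (it is not part of the original page or of the product): it verifies that server_name is no longer localhost, that a "listen 443 ssl" directive is present, that both certificate paths point to readable files, and that the key file is not accessible to group or other. The function names, the domain portal.example.com and the temporary dummy files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Helper names are hypothetical.

# Print the first argument of directive $2 in nginx config $1, ignoring comments.
directive() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;.*/, "", $2); print $2; exit }'
}

# Return 0 if the server block in $1 is ready for HTTPS, 1 otherwise.
check_ssl_conf() {
    conf=$1; rc=0
    name=$(directive "$conf" server_name)
    case $name in
        ''|localhost) echo "FAIL: server_name is '$name', set your domain name"; rc=1 ;;
        *) echo "ok: server_name $name" ;;
    esac
    if sed 's/#.*//' "$conf" | grep -Eq \
        '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443[[:space:]]([^;]*[[:space:]])?ssl[[:space:];]'
    then echo "ok: listen 443 ssl"
    else echo "FAIL: no 'listen 443 ssl' directive"; rc=1
    fi
    for d in ssl_certificate ssl_certificate_key; do
        path=$(directive "$conf" "$d")
        if [ -z "$path" ]; then echo "FAIL: $d is not set"; rc=1
        elif [ ! -r "$path" ]; then echo "FAIL: $d file $path is missing or unreadable"; rc=1
        else echo "ok: $d $path"
        fi
    done
    # $path now holds the key path; its group/other permission bits must be empty.
    if [ -n "$path" ] && [ -e "$path" ]; then
        perms=$(ls -ld "$path" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "FAIL: key $path open to group/other (chmod 600)"; rc=1; }
    fi
    return $rc
}

# Constructed sample: a config shaped like the one on this page, with empty dummy files.
demo() {
    t=$(mktemp -d) || return 1
    : > "$t/site.crt"; : > "$t/site.key"; chmod 600 "$t/site.key"
    printf 'server {\n  server_name portal.example.com;\n  listen 443 ssl;\n' > "$t/denovo.conf"
    printf '  ssl_certificate %s;\n  ssl_certificate_key %s;\n}\n' \
        "$t/site.crt" "$t/site.key" >> "$t/denovo.conf"
    check_ssl_conf "$t/denovo.conf"; r=$?
    rm -rf "$t"; return $r
}

if [ $# -gt 0 ]; then check_ssl_conf "$1"; else demo; fi
```

Pass /etc/nginx/conf.d/denovo.conf as the first argument to check the real file; nginx -t then validates the syntax before you reload nginx.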

Next step

After switching to the domain name and choosing https, you also need to edit api.ini and change the schema and hostname there.

The default path for api.ini is /opt/denovov6/api_dnl/api.ini

The variables to update are:

  • api_schema

  • api_host

Then, you can restart the API using the following command:

systemctl restart dnl_api_dnl

Auto Renew SSL Certificate

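The Let's Encrypt SSL certificate expires every 90 days. You may want to set it to auto-renew by using crontab. The crontab entry is as follows; it includes a user field (root), so it belongs in /etc/crontab or in a file under /etc/cron.d rather than in a per-user crontab: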

0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
