TIP: These instructions are now outdated for 8.0.3+ - use the article here for reference on setting up Ignition with Let's Encrypt in 8.X.
Introduction
Let's Encrypt is a free Certificate Authority (CA) designed around easy automation and install of shorter duration certificates than issued by other CAs. These certificates can be used with the built in webserver in Ignition, just like certificates from any other CA, with a few prerequisites:
- You must already own a full domain name. Let's Encrypt does not certify 'bare' IP addresses.
- That domain's 'A' record must point to your Ignition Gateway's IP address.
- You must shut down the Gateway temporarily for Let's Encrypt/Certbot to verify that you own the domain and renew your certificates.
- Your Ignition Gateway must be running on port 80/443; the certificates generated will not be valid for 8088/8043.
The following sequence of steps was written on Ubuntu Server 16.04, specifically running from inside an Amazon Web Services (EC2) instance.
Note: If you are using Amazon EC2, you cannot use the public DNS your EC2 instance has already been assigned with Let's Encrypt - Amazon's direct IPs are blacklisted within Let's Encrypt. You must have a full domain name associated with your instance's IP.
Creating the certificates
1. Install certbot, the command line client for Let's Encrypt. Assuming Ubuntu/Debian package management:
$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install certbot
2. Shut down the Ignition Gateway. This clears the conflict on HTTP port 80, so that certbot can reach the Let's Encrypt servers and verify your control of the domain.
$ sudo /usr/local/bin/ignition/ignition.sh stop
Note: The following commands are easiest to run as the root user
3. Run standalone verification to generate certificates. The first time you run this command, you will be asked to enter some information that will be used in the future to contact you to ensure ownership.
$ certbot certonly --standalone -d example.com -d www.example.com
4. If everything worked correctly, your certificates will be saved into '/etc/letsencrypt/live/<yourdomain>'. Now we need to turn them into a Java keystore so that they can be used in Ignition.
Generate a Java keystore to hold the certificates
1. Generate an empty PKCS12 keystore with OpenSSL
$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name tomcat -passout pass:<source password>
2. Load the PKCS12 keystore into a Java keystore using the keystore tool
$ keytool -importkeystore -deststorepass ignition -destkeypass ignition -destkeystore ssl.key -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass <sourcepassword> -alias tomcat
Note that you must leave the destination password 'ignition', as this is the only password Ignition will attempt to use.
3. Copy the ssl.key file we just generated into the webserver directory
$ cp ssl.key /usr/local/bin/ignition/webserver/
4. Start the Gateway, and if you haven't already, enabled SSL from the Gateway web interface
$ sudo /usr/local/bin/ignition/ignition.sh start
Additional Reference:
https://community.letsencrypt.org/t/how-to-use-the-certificate-for-tomcat/3677/3
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm
https://support.inductiveautomation.com/index.php?/Knowledgebase/Article/View/28/2/installing-a-ssl-certificate
Comments
0 comments
Please sign in to leave a comment.