Connecting the SSL certificate
To make the DCImanager 6 server available over HTTPS, you need an SSL certificate. You can specify the certificate data when installing the platform or connect it later. To purchase an SSL certificate, contact any certificate issuing service or issue a free Let's Encrypt certificate. Read more about Let's Encrypt in the official documentation.
This article describes how to issue, connect and change the SSL certificate.
Issuing a certificate on the platform server
This section describes how to issue a new certificate using the certbot utility. Use the instructions in this section if you need to create a certificate with automatic renewal and a private key on the platform server.
To issue a certificate, you will need the domain name assigned to the platform server in the DNS server. The same name must be specified in the platform configuration file /opt/ispsystem/dci/config.json, in the DomainName field.
To issue and upload a certificate:
Install certbot:
Ubuntu
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot
AlmaLinux
dnf update
dnf install epel-release
dnf install certbot
Stop DCImanager 6 to allow the certbot utility to use the local HTTP server for certificate validation:
dci stop
Issue a certificate:
Run the certbot utility and pass it the domain name from the configuration file:
certbot certonly -d $(jq -r ".DomainName" /opt/ispsystem/dci/config.json)
Confirm that you own the specified domain name. The utility will offer you several confirmation options. Enter 1 to use a local server:
How would you like to authenticate with the ACME CA?
...
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
If you already have a certificate with an RSA key, certbot will prompt you to change its key type to ECDSA. We recommend changing the type as it will speed up the loading of the platform's web interface. Enter U to confirm the change:
An RSA certificate named dci6.example.com already exists. Do you want to update its key type to ECDSA?
(U)pdate key type/(K)eep existing key type: U
You will receive a message indicating where the certificate and private key are stored. Example output for the domain name "dci6.example.com":
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/dci6.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/dci6.example.com/privkey.pem
Start DCImanager 6:
dci start
Create a patch_add_ssl.yaml file. Sample file contents for the domain name "dci6.example.com":
version: "3.7"
services:
  input:
    volumes:
      - /etc/letsencrypt/live/dci6.example.com/fullchain.pem:/etc/ssl/certs/default.domain.crt
      - /etc/letsencrypt/live/dci6.example.com/privkey.pem:/etc/ssl/private/default.domain.key
Apply the patch:
dci add-patch -f patch_add_ssl.yaml -p add_ssl
Certbot automatically reissues a certificate when it expires. You can test the auto-renewal operation with the command:
certbot renew --dry-run
Connecting an existing certificate
Follow the instructions in this section if you already have a certificate. You can connect an existing certificate during or after you install the platform.
Connecting a certificate when installing the platform
- Copy the certificate files to the server with DCImanager 6, for example, to the /root/ directory.
When installing the platform, specify the paths to the files with the public and private keys of the SSL certificate in the ssl-crt-file and ssl-key-file parameters:
Example command
./dci install --ssl-crt-file="/root/example.crt" --ssl-key-file="/root/example.key"
The certificate data will be added to the web server settings.
The certificate files will be copied to /opt/ispsystem/dci/ssl/. The files must be stored in this directory with the same names for the platform to work properly.
Connecting a certificate after installing the platform
Copy the certificate files to the server with DCImanager 6, for example, to the /root/ directory.
After connecting, the certificate files must remain in this directory with the same names.
- Connect to the DCImanager 6 server via SSH.
Create a patch_add_ssl.yaml file with the following contents:
version: "3.7"
services:
  input:
    volumes:
      - /root/dci.crt:/etc/ssl/certs/default.domain.crt
      - /root/dci.key:/etc/ssl/private/default.domain.key
Comments
/root/dci.crt — the path and name of the SSL certificate
/root/dci.key — the path and name of the SSL certificate key
You don't need to change /etc/ssl/certs/default.domain.crt and /etc/ssl/private/default.domain.key — these are paths to the certificate inside the docker container
Run the command:
dci add-patch -f patch_add_ssl.yaml -p add_ssl
Specify the server domain name in the DomainName parameter of the /opt/ispsystem/dci/config.json configuration file:
Example of config.json file
{"MysqlRootPassword":"password","LicenseToken":"token","DomainName":"example.com","CurrentVersion":"6.14.0","UpdateDate":1616262495}
Stop DCImanager 6:
dci down
Start DCImanager 6:
dci start
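A pre-flight check for the certificate procedures above, as an added example that is not part of the original documentation or ISPsystem's code: before running dci add-patch, it confirms that the private key belongs to the certificate, that the certificate covers the name stored in DomainName, and that it has not expired. The function names and the throwaway self-signed pair are constructed for illustration; OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not ISPsystem code): pre-flight checks for a certificate/key
# pair before it is mounted into the platform with `dci add-patch`.

# check_cert_pair CERT KEY DOMAIN -> returns 0 if the pair is usable for DOMAIN.
check_cert_pair() {
    crt=$1; key=$2; domain=$3
    # Both files must be readable PEM; extract the public key from each.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $crt is not a readable PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a readable private key"; return 1; }
    # The private key must belong to this certificate.
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    # The certificate must cover the name stored in DomainName.
    openssl x509 -in "$crt" -noout -checkhost "$domain" |
        grep -q "does match certificate" ||
        { echo "FAIL: certificate does not cover $domain"; return 1; }
    # The certificate must not be expired already.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; return 1; }
    echo "OK: $crt and $key are usable for $domain"
}

# Constructed sample input: a throwaway self-signed pair for DOMAIN ($2) in DIR ($1).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/dci.key" -out "$1/dci.crt" 2>/dev/null
}

# Demo on constructed files; on a real server pass your own paths and
# "$(jq -r .DomainName /opt/ispsystem/dci/config.json)" as the domain.
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir" dci6.example.com
check_cert_pair "$demo_dir/dci.crt" "$demo_dir/dci.key" dci6.example.com
check_cert_pair "$demo_dir/dci.crt" "$demo_dir/dci.key" other.example.com || true
rm -rf "$demo_dir"
```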
Certificate change
- Replace the old certificate files with the new ones. The new files must have the same names as the old files.
Stop DCImanager 6:
dci down
Start DCImanager 6:
dci start