To make the server with DCImanager 6 available over HTTPS, you will need an SSL certificate. You can specify the certificate data when installing the platform or connect it later. To obtain an SSL certificate, purchase one from any certificate issuing service or issue a free Let's Encrypt certificate. Read more about Let's Encrypt in the official documentation.

This article describes how to issue, connect and change the SSL certificate.

Issuing a certificate on the platform server


This section describes how to issue a new certificate using the certbot utility. Use the instructions in this section if you need to create a certificate with automatic renewal and a private key on the platform server.

To issue a certificate, you will need the domain name assigned to the platform server in the DNS server. The same name must be specified in the platform configuration file /opt/ispsystem/dci/config.json, in the DomainName field.

To issue and upload a certificate:

  1. Install certbot:

    Ubuntu

    apt install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt update
    apt install certbot

    AlmaLinux

    dnf update
    dnf install epel-release
    dnf install certbot
  2. Stop DCImanager 6 to allow the certbot utility to use the local HTTP server for certificate validation:

    dci stop
  3. Issue a certificate:
    1. Run the certbot utility and pass it the domain name from the configuration file:

      certbot certonly -d $(jq -r ".DomainName" /opt/ispsystem/dci/config.json)
    2. Confirm that you own the specified domain name. The utility will offer you several confirmation options. Enter 1 to use a local server:

      How would you like to authenticate with the ACME CA?
      ...
      Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    3. If you already have an RSA certificate, certbot will prompt you to change its key type to ECDSA. We recommend changing the type, as it will speed up the loading of the platform's web interface. Enter U to confirm the change:

      An RSA certificate named dci6.example.com already exists. Do you want to update its
      key type to ECDSA?
      (U)pdate key type/(K)eep existing key type: U

      You will receive a message indicating where the certificate and private key are stored. Example output for the domain name "dci6.example.com":

      Successfully received certificate.
      Certificate is saved at: /etc/letsencrypt/live/dci6.example.com/fullchain.pem
      Key is saved at: /etc/letsencrypt/live/dci6.example.com/privkey.pem
  4. Start DCImanager 6:

    dci start
  5. Create a patch_add_ssl.yaml file. Sample file contents for the domain name "dci6.example.com":

    version: "3.7"
    services:
      input:
        volumes:
          - /etc/letsencrypt/live/dci6.example.com/fullchain.pem:/etc/ssl/certs/default.domain.crt
          - /etc/letsencrypt/live/dci6.example.com/privkey.pem:/etc/ssl/private/default.domain.key
  6. Apply the patch:

    dci add-patch -f patch_add_ssl.yaml -p add_ssl
  7. Certbot automatically reissues a certificate when it expires. You can test the auto-renewal operation with the command:

    certbot renew --dry-run

Connecting an existing certificate


Follow the instructions in this section if you already have a certificate. You can connect an existing certificate during or after you install the platform.

Connecting a certificate when installing the platform

  1. Copy the certificate files to the server with DCImanager 6, for example, to the /root/ directory.
  2. When installing the platform, specify the paths to the files with the public and private key of the SSL certificate in the ssl-crt-file and ssl-key-file parameters:

    Example command

    ./dci install --ssl-crt-file="/root/example.crt" --ssl-key-file="/root/example.key"

The certificate data will be added to the web server settings.

The certificate files will be copied to /opt/ispsystem/dci/ssl/. The files must be stored in this directory with the same names for the platform to work properly.

Connecting a certificate after installing the platform

  1. Copy the certificate files to the server with DCImanager 6, for example, to the /root/ directory.

    After connecting, the certificate files must remain in this directory with the same names. 

  2. Connect to the DCImanager 6 server via SSH.
  3. Create a patch_add_ssl.yaml file with the following contents: 

    version: "3.7"
    services:
      input:
        volumes:
          - /root/dci.crt:/etc/ssl/certs/default.domain.crt
          - /root/dci.key:/etc/ssl/private/default.domain.key

    /root/dci.crt — the path and name of the SSL certificate

    /root/dci.key — the path and name of the SSL certificate key

    You don't need to change /etc/ssl/certs/default.domain.crt and /etc/ssl/private/default.domain.key — these are paths to the certificate inside the docker container

  4. Run the command: 

    dci add-patch -f patch_add_ssl.yaml -p add_ssl
  5. Specify the server domain name in the DomainName parameter of the /opt/ispsystem/dci/config.json configuration file:

    Example of config.json file

    {"MysqlRootPassword":"password","LicenseToken":"token","DomainName":"example.com","CurrentVersion":"6.14.0","UpdateDate":1616262495}
  6. Stop DCImanager 6:

    dci down
  7. Start DCImanager 6:

    dci start

Certificate change

  1. Replace the old certificate files with the current ones. The new files must have the same names as the old files.
  2. Stop DCImanager 6:

    dci down
  3. Start DCImanager 6:

    dci start
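
A pre-flight check for the certificate files, run before applying the patch or replacing a certificate. This is an added example, not part of the original documentation or of DCImanager; it checks that the key file is private, that the certificate and key belong together, and that the certificate covers the DomainName and is not about to expire. The helper names check_cert_pair and make_demo_pair and the 14-day threshold are assumptions, and the demo pair is constructed and self-signed.

```shell
#!/bin/sh
# Added example (not DCImanager code): pre-flight checks for a certificate/key pair.
# check_cert_pair and make_demo_pair are hypothetical helper names.

# check_cert_pair CRT KEY DOMAIN [MIN_DAYS]; returns 0 only if every check passes.
check_cert_pair() {
    crt=$1 key=$2 domain=$3 min_days=${4:-14}   # 14 days is an assumed threshold
    [ -r "$crt" ] && [ -r "$key" ] || { echo "FAIL: cannot read $crt or $key"; return 1; }

    # The private key must not be readable by group or others (GNU stat).
    mode=$(stat -c '%a' "$key")
    case $mode in
        *00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; return 1 ;;
    esac

    # Certificate and key must carry the same public key (RSA or ECDSA).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: $crt is not a PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) \
        || { echo "FAIL: $key is not an unencrypted PEM private key"; return 1; }
    [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: certificate and key do not match"; return 1; }

    # The certificate must cover DomainName and stay valid for MIN_DAYS more days.
    openssl x509 -in "$crt" -noout -checkhost "$domain" | grep -q 'does match' \
        || { echo "FAIL: certificate does not cover $domain"; return 1; }
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: certificate expires within $min_days days"; return 1; }
    echo "OK: $crt matches $key and covers $domain"
}

# make_demo_pair DIR NAME DOMAIN: constructed self-signed pair, valid for 30 days.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Demo on constructed data; on the platform server you would instead run:
#   check_cert_pair /root/dci.crt /root/dci.key \
#       "$(jq -r .DomainName /opt/ispsystem/dci/config.json)"
demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" demo dci6.example.com
check_cert_pair "$demo_dir/demo.crt" "$demo_dir/demo.key" dci6.example.com
rm -rf "$demo_dir"
```

A non-zero return means the files should not be connected yet; the printed FAIL line names the first check that did not pass.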