search
Ctrlk

TLS / HTTPS

Enable TLS / HTTPS support

These settings are for configuring the TLS / HTTPS support for datarhei Core.

hashtag
Configuration

{
   "tls": {
      "address": ":8181",
      "enable": false,
      "auto": false,
      "mail": "[email protected]",
      "cert_file": "",
      "key_file": "",
   }
}

hashtag
address (string)

If TLS is enabled, the HTTPS server will listen on this address. The default address is :8181.

circle-info

The default :8181 will listen on all interfaces on port 8181. To use a specific interface, write additionally it's IP, e.g. 127.0.0.1:8181 to only listen on the loopback interface.

hashtag
enable (bool)

Set this value to true in order to enable TLS / HTTPS support. If enabled you have to either provide your own certificate (see cert_file and key_file) or enable automatic certificate from Let's Encrypt (see auto).

If TLS is enabled, a HTTP server listening on address will be additionally started. This server provides access to everything as the HTTPS server, additionally it will allow ACME http-1 challenges in case Let's Encrypt (auto) certificates are enabled.

By default this is set to false.

hashtag
auto (bool)

Enable automatic certificate generation from Let's Encrypt. This only works if enable is set to true and at least one public hostname is defined in host.name. All listed hostnames will be included in the certificate. All listed public hostnames is required to point to the host where datarhei Core is running on.

circle-exclamation

In order for Let's Encrypt to resolve the http-1 challenge, the HTTP server of the datarhei Core must be reachable on port 80. Either by setting address to :80 or by forwarding/mapping port 80 to the actual port the HTTP server is listening on.

The obtained certificates will be stored in the /cert subdirectory of db.dir to be available after a restart.

Any provided paths in cert_file and key_file will be ignored.

By default this is set to false.

hashtag
mail (string)

An email address that is required for Let's Encrypt in order to receive a certificate.

By default the email address [email protected] is used.

hashtag
cert_file (string)

If you bring your own certificate, provide the path to the certificate file in PEM format.

By default this is not set.

hashtag
key_file (string)

If you bring your own certificate, provide the path to the key file in PEM format

By default this is not set.

hashtag
Examples

hashtag
Let's Encrypt

If you want to use automatic certificates from Let's Encrypt, set tls.enable and tls.auto to true. and host.name has to be set to the domain name this host will be reachable. Otherwise the ACME http-1 challenge will not work.

hashtag
Self-Signed certificates

To create a self-signed certificate and key file pair, run this command and provide a reasonable value for the Common Name (CN). The CN is the fully qualified name of the host the instance is running on (e.g., localhost). You can also use an IP address or a wildcard name, e.g., *.example.com.

RSA SSL certificate

ECDSA SSL certificate

Call openssl ecparam -list_curves to see all available supported curves listed.

PreviousHostnameNextDatabase

Last updated

Was this helpful?