TLS / HTTPS
Enable TLS / HTTPS support
These settings are for configuring the TLS / HTTPS support for datarhei Core.
Configuration
address (string)
If TLS is enabled, the HTTPS server will listen on this address. The default address is :8181.
The default :8181 will listen on all interfaces on port 8181. To use a specific interface, additionally write its IP, e.g. 127.0.0.1:8181 to only listen on the loopback interface.
enable (bool)
Set this value to true in order to enable TLS / HTTPS support. If enabled, you have to either provide your own certificate (see cert_file and key_file) or enable automatic certificates from Let's Encrypt (see auto).
If TLS is enabled, an HTTP server listening on address will additionally be started. This server provides access to everything the HTTPS server does; additionally, it will answer ACME HTTP-01 challenges in case Let's Encrypt (auto) certificates are enabled.
By default this is set to false.
auto (bool)
Enable automatic certificate generation from Let's Encrypt. This only works if enable is set to true and at least one public hostname is defined in host.name. All listed hostnames will be included in the certificate. All listed public hostnames are required to point to the host on which datarhei Core is running.
In order for Let's Encrypt to resolve the HTTP-01 challenge, the HTTP server of the datarhei Core must be reachable on port 80, either by setting address to :80 or by forwarding/mapping port 80 to the actual port the HTTP server is listening on.
The obtained certificates will be stored in the /cert subdirectory of db.dir to be available after a restart.
Any provided paths in cert_file and key_file will be ignored.
By default this is set to false.
mail (string)
An email address that Let's Encrypt requires in order to issue a certificate.
By default the email address cert@datarhei.com is used.
cert_file (string)
If you bring your own certificate, provide the path to the certificate file in PEM format.
By default this is not set.
key_file (string)
If you bring your own certificate, provide the path to the key file in PEM format.
By default this is not set.
Examples
Let's Encrypt
If you want to use automatic certificates from Let's Encrypt, set tls.enable and tls.auto to true, and host.name has to be set to the domain name under which this host will be reachable. Otherwise the ACME HTTP-01 challenge will not work.
Self-Signed certificates
To create a self-signed certificate and key file pair, run this command and provide a reasonable value for the Common Name (CN). The CN is the fully qualified name of the host the instance is running on (e.g., localhost). You can also use an IP address or a wildcard name, e.g., *.example.com.
RSA SSL certificate
ECDSA SSL certificate
Call openssl ecparam -list_curves to see all available supported curves listed.
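The following script is an added example and is not part of the datarhei Core documentation or the project's own tooling. It generates a self-signed RSA or ECDSA certificate and key pair in PEM format (the files you would point tls.cert_file and tls.key_file at), puts the CN into the subjectAltName extension as well, since most TLS clients ignore a bare CN, and then checks that the private key actually belongs to the certificate. The curve prime256v1, the 2048-bit RSA size, the output file names and the example hostnames are assumptions; it requires the openssl command line tool (1.1.1 or newer for -addext).

```shell
#!/bin/sh
# Added example, not from the datarhei Core documentation: create a self-signed
# RSA or ECDSA certificate/key pair in PEM format, suitable for tls.cert_file and
# tls.key_file, and verify the pair before deploying it. Needs the openssl CLI
# (1.1.1 or newer for -addext). Hostnames, paths and the curve are assumptions.
set -eu

# gen_self_signed <rsa|ecdsa> <common-name> <out-dir> [days]
# Writes <out-dir>/cert.pem and <out-dir>/key.pem. The CN is also placed in the
# subjectAltName extension: browsers and most TLS clients match the host name
# against the SAN list and ignore a bare CN.
gen_self_signed() {
  algo="$1"; cn="$2"; out="$3"; days="${4:-365}"
  mkdir -p "$out"
  # Anything containing a character other than digits and dots is treated as a
  # DNS name (this includes wildcards such as *.example.com); otherwise as IPv4.
  case "$cn" in
    *[!0-9.]*) san="DNS:$cn" ;;
    *)         san="IP:$cn" ;;
  esac
  case "$algo" in
    rsa)
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$out/key.pem" 2>/dev/null ;;
    ecdsa)
      # prime256v1 (P-256) is an assumed default; see openssl ecparam -list_curves
      openssl ecparam -name prime256v1 -genkey -noout -out "$out/key.pem" ;;
    *)
      echo "unknown algorithm: $algo (use rsa or ecdsa)" >&2; return 1 ;;
  esac
  chmod 600 "$out/key.pem"   # the private key must not be world-readable
  openssl req -new -x509 -key "$out/key.pem" -out "$out/cert.pem" \
    -days "$days" -subj "/CN=$cn" -addext "subjectAltName=$san"
}

# key_matches_cert <cert.pem> <key.pem>
# Succeeds only if the public key embedded in the certificate equals the public
# key derived from the private key; a mismatched pair is a common deployment
# error that otherwise only shows up as a handshake failure at runtime.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_contains <cert.pem> <text>
# Succeeds if the decoded certificate mentions <text>, e.g. "DNS:localhost",
# "IP Address:127.0.0.1", "rsaEncryption" or "id-ecPublicKey".
cert_contains() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# Example invocation with constructed values (uncomment to run):
# gen_self_signed ecdsa localhost ./tls-example 365
# key_matches_cert ./tls-example/cert.pem ./tls-example/key.pem && echo "pair OK"
```

After generating the pair, set tls.enable to true, tls.auto to false, and point tls.cert_file and tls.key_file at cert.pem and key.pem; clients will still have to trust the self-signed certificate explicitly, which is why this is only suitable for local or test deployments.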