Server Certificates with LetsEncrypt
Set up Bondix SANE Server with LetsEncrypt
To use a LetsEncrypt certificate with Bondix, you first need a (sub)domain whose DNS record points to your server's public IP address.
First, make sure that the LetsEncrypt client certbot is installed. On Ubuntu or other Debian-based systems, install it with:
sudo apt install certbot
Afterwards, run certbot with the argument "certonly". Certbot will ask how it should authenticate; select the temporary webserver method ("standalone"), which needs port 80 on the server to be reachable and not in use by another service while certbot runs. Answer the remaining follow-up questions until certbot asks for the domain name you would like a certificate for:
~# certbot certonly
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): your@email.here

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): your.domain.name
Requesting a certificate for your.domain.name

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/your.domain.name/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/your.domain.name/privkey.pem
This certificate expires on 20xx-xx-xx.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Parts that need your interaction are in bold, while text that will differ in your scenario is in italics.)
We now have a certificate chain (fullchain.pem) and a private key (privkey.pem). To tell the Bondix SANE server to use them, edit the file /etc/saneserver.json.
In that file, look for a line that looks like this:
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true},
Extend this line with "cert" and "key" fields that point to the certificate chain and the private key, like this:
{"target": "server", "action": "add-https", "host": "0.0.0.0", "port": "443", "allowMonitor": true, "cert": "/etc/letsencrypt/live/your.domain.name/fullchain.pem", "key": "/etc/letsencrypt/live/your.domain.name/privkey.pem"},
Make sure that the file is still valid JSON (keep the trailing comma exactly as in the original line; it belongs to the surrounding list). Then restart the server via:
sudo systemctl restart bondix
Finally, test that you can reach your server at https://your.domain.name and that your browser accepts the certificate without a warning.
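As an added check that is not part of the Bondix documentation, the shell snippet below validates the edited configuration (valid JSON, an add-https entry with "cert" and "key", both files readable) and installs a certbot deploy hook so that bondix is restarted after every automatic renewal; unless the server re-reads the files on its own, it keeps serving the old certificate until it is restarted. It assumes python3 is installed (certbot on Debian/Ubuntu depends on it), uses certbot's standard /etc/letsencrypt/renewal-hooks/deploy/ directory, and takes the service name bondix from the restart command above.

```shell
# Added example, not from the Bondix documentation. Assumes python3 exists
# (certbot on Debian/Ubuntu needs it) and that bondix runs as a systemd unit.

# check_https_entry CONFIG: succeed only if CONFIG is valid JSON, contains
# at least one {"action": "add-https", ...} object with "cert" and "key",
# and both files are readable by the user running this check. Run it as
# the user the bondix service runs as, since /etc/letsencrypt/live and
# /etc/letsencrypt/archive are root-only (mode 0700) by default.
check_https_entry() {
  python3 - "$1" <<'PY'
import json, os, sys
path = sys.argv[1]
try:
    with open(path) as f:
        doc = json.load(f)
except ValueError as e:
    sys.exit("%s: invalid JSON: %s" % (path, e))
def walk(node):                      # yield every object anywhere in the tree
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from walk(v)
entries = [d for d in walk(doc) if d.get("action") == "add-https"]
if not entries:
    sys.exit("%s: no add-https entry found" % path)
for entry in entries:
    for key in ("cert", "key"):
        p = entry.get(key)
        if not p:
            sys.exit("add-https entry is missing %r" % key)
        if not os.access(p, os.R_OK):
            sys.exit("%s %s is not readable by uid %d" % (key, p, os.getuid()))
print("ok: %d add-https entries checked" % len(entries))
PY
}

# install_deploy_hook [PATH]: certbot runs every executable in
# /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, so this
# hook restarts bondix and the renewed certificate is actually served.
install_deploy_hook() {
  hook="${1:-/etc/letsencrypt/renewal-hooks/deploy/restart-bondix.sh}"
  mkdir -p "$(dirname "$hook")"
  printf '#!/bin/sh\nsystemctl restart bondix\n' > "$hook"
  chmod 0755 "$hook"
}
```

Run check_https_entry /etc/saneserver.json after editing the file and install_deploy_hook once as root; the hook is picked up by certbot's existing renewal timer.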