Configure HTTPS/SSL
**This page is a work in progress.**
This is an optional, but highly recommended, step that keeps traffic between your browser and MyCRT encrypted. Before getting started, ensure that you have already followed the installation guide and that you can access your MyCRT instance over plain HTTP. The rest of this guide assumes you have an SSH session on the EC2 instance.

This guide uses Let's Encrypt and Certbot to obtain a TLS (SSL) certificate. The HTTP-01 challenge used below requires that Let's Encrypt can reach your instance on port 80, so leave the HTTP inbound rule in place until step 7.
1: Ensure MyCRT is serving static files

```sh
curl localhost:80/api/ping
# Should return OK
curl localhost:80/test.txt
# Should return:
# this is a test
# this is a test again
```

2: Obtain a Domain
Register a domain with Route 53, create a hosted zone for it, and add an A record that points the domain at your EC2 instance's public IP address. Associate an Elastic IP with the instance first; otherwise the public IP changes whenever the instance is stopped and started and the record goes stale. A domain of your own is required because Let's Encrypt refuses to issue certificates for the default EC2 public DNS names (`*.amazonaws.com`).

You should now be able to access MyCRT at `http://your.domain.com/`.

3: Prepare Your Site for The ACME Challenge
```sh
cd mycrt/service/static
# Certbot will place its challenge response under this path, and Let's Encrypt
# fetches it over plain HTTP on port 80, so it must be served unmodified.
mkdir -p .well-known/acme-challenge
echo "this is a test" > .well-known/acme-challenge/9001
curl http://your.domain.com/.well-known/acme-challenge/9001
# "this is a test" should print
```

4: Install Certbot
This can be done with

```sh
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

The `ppa:certbot/certbot` repository has since been deprecated. On current Ubuntu releases, install Certbot from the distribution's own `certbot` package or as the `certbot` snap, following the instructions at https://certbot.eff.org; the remaining steps are unchanged.

5: Obtain SSL Certificate
```sh
cd mycrt/service
# use the publicly available domain; the webroot (-w) must be the directory
# that served the test file in step 3
sudo certbot certonly --webroot -w ./static -d your.domain.com
```

Certbot will ask a series of questions and then proceed to challenge the domain. If the challenge passes, it prints where your certificate files can be found, usually `/etc/letsencrypt/live/<your_domain>/`. `fullchain.pem` there is the server certificate followed by the intermediate chain, and `privkey.pem` is the private key.

Now, link the certificates to MyCRT:
```sh
cd mycrt/service
mkdir ssl
cd ssl
# The exact locations may vary depending on where your certs are
sudo ln -s /etc/letsencrypt/live/your.domain.com/fullchain.pem fullchain.pem
sudo ln -s /etc/letsencrypt/live/your.domain.com/privkey.pem privkey.pem
```

Symlinking rather than copying means `certbot renew` will swap in the renewed files automatically, although MyCRT still has to be restarted to load them. Note that `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` are readable only by root by default, so MyCRT must run as root or be given read access to those directories (for example through a dedicated group). Do not make `privkey.pem` world-readable to work around this.

6: Modify MyCRT Settings
Change `ssl` in `mycrt/service/mycrt.config.json` to `true`.

Restart MyCRT with

```sh
sudo systemctl stop mycrt
sudo systemctl daemon-reload
sudo systemctl start mycrt
```

7: Modify EC2 Inbound Rules
Remove the HTTP inbound rule from your EC2 instance's security group, and add an HTTPS inbound rule.

Keep in mind that Let's Encrypt certificates are valid for 90 days and that the HTTP-01 challenge used by `certbot renew` is always initiated over port 80. With the HTTP rule removed, renewal will fail, so either reopen port 80 for the duration of the renewal run, or leave it open and make sure nothing other than the `.well-known/acme-challenge/` path is served over plain HTTP.

Verify these:

```sh
curl https://your.domain.com/test.txt
# should print:
# this is a test
# this is a test again
curl --connect-timeout 5 http://your.domain.com/test.txt
# should fail to connect: the security group no longer allows port 80
```

8: Access MyCRT through HTTPS
Now, open the MyCRT server with `https` as the protocol in place of `http`:

`https://your.domain.com/`

Congratulations! Your MyCRT installation is now being served over HTTPS!
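As an added example (not code from the MyCRT project), the following script checks the certificate links made in step 5 before you switch `ssl` to `true` in step 6, and installs a Certbot deploy hook so that a renewed certificate is actually loaded rather than sitting unused on disk. It assumes MyCRT runs as the systemd unit `mycrt` and reads `fullchain.pem` and `privkey.pem` from `mycrt/service/ssl`, as in this guide; the hook file name `restart-mycrt.sh` and the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of MyCRT: pre-flight checks for the TLS material
# linked in step 5, plus a Certbot deploy hook that restarts MyCRT after a
# successful renewal. Assumed: systemd unit "mycrt", key material under
# mycrt/service/ssl, GNU coreutils (stat -c, readlink -f).

# check_cert_links SSL_DIR
# Succeeds only if fullchain.pem and privkey.pem in SSL_DIR both resolve to
# existing regular files and the private key is readable by its owner alone.
check_cert_links() {
  local ssl_dir="$1" name target mode
  for name in fullchain.pem privkey.pem; do
    # A dangling symlink (e.g. a typo in the domain name) resolves to a path
    # that does not exist, which the -f test catches.
    target=$(readlink -f "$ssl_dir/$name" 2>/dev/null) || target=""
    if [ -z "$target" ] || [ ! -f "$target" ]; then
      echo "check_cert_links: $ssl_dir/$name does not resolve to a file" >&2
      return 1
    fi
  done
  # Stat the real file under /etc/letsencrypt/archive, not the symlink.
  mode=$(stat -c '%a' "$(readlink -f "$ssl_dir/privkey.pem")")
  case "$mode" in
    *00) return 0 ;;
    *)
      echo "check_cert_links: privkey.pem mode $mode is group/world readable" >&2
      return 1 ;;
  esac
}

# cert_key_match CERT KEY
# Succeeds if the public key embedded in CERT equals the public key derived
# from KEY. Comparing public keys works for both RSA and EC keys, whereas
# comparing moduli only works for RSA.
cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# install_deploy_hook HOOK_DIR
# Writes an executable script into Certbot's deploy-hook directory. Certbot
# runs every executable there after a successful renewal (not on --dry-run),
# with RENEWED_LINEAGE set to the renewed /etc/letsencrypt/live/<domain> path.
install_deploy_hook() {
  local hook_dir="$1" hook="$1/restart-mycrt.sh"
  mkdir -p "$hook_dir" || return 1
  cat > "$hook" <<'EOF'
#!/bin/sh
# Certbot replaced the files behind the live/ symlinks; MyCRT reads them only
# at startup, so restart it to serve the renewed certificate.
echo "renewed lineage: ${RENEWED_LINEAGE:-unknown}"
systemctl restart mycrt
EOF
  chmod 755 "$hook"
}

# Usage on the EC2 host (run as root, paths as in this guide):
#   check_cert_links "$HOME/mycrt/service/ssl" \
#     && cert_key_match "$HOME/mycrt/service/ssl/fullchain.pem" \
#                       "$HOME/mycrt/service/ssl/privkey.pem" \
#     && install_deploy_hook /etc/letsencrypt/renewal-hooks/deploy \
#     && certbot renew --dry-run
```

Run the checks before restarting MyCRT with `ssl` enabled: a dangling link or a key that does not match the certificate produces a server that fails to start or a TLS handshake error that is harder to diagnose after the fact. `certbot renew --dry-run` confirms the renewal path still works, which after step 7 also means confirming that port 80 is reachable.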