Configure HTTPS/SSL
**this page is a work in progress**
This is an optional, but highly recommended, step that will keep your data secure when using MyCRT. Before getting started, ensure that you have already followed this guide and that you can access your MyCRT instance over HTTP. The rest of this guide assumes you have an SSH session open on the EC2 instance.
This guide will use letsencrypt and certbot to obtain an SSL certificate.
1: Ensure MyCRT is serving static files
```bash
curl localhost:80/api/ping
# Should return OK
curl localhost:80/test.txt
# Should return:
# this is a test
# this is a test again
```
2: Obtain a Domain
Register a domain with Route 53, create a hosted zone, and add a record set that points your domain to your EC2 instance. This is required in order to obtain an SSL certificate from Let's Encrypt. The domain used below cannot be a default EC2 instance domain name, because Let's Encrypt blacklists those domains.
You should now be able to access MyCRT at
http://your.domain.com/
3: Prepare Your Site for The ACME Challenge
```bash
cd mycrt/service/static
mkdir -p .well-known/acme-challenge
echo "this is a test" > .well-known/acme-challenge/9001
curl http://your.domain.com/.well-known/acme-challenge/9001
# "this is a test" should print
```
4: Install Certbot
This can be done with:
```bash
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```
5: Obtain SSL Certificate
```bash
cd mycrt/service
# use the publicly available domain (the one pointed at this instance in step 2)
sudo certbot certonly --webroot -w ./static -d your.domain.com
```
Certbot will ask a series of questions, and then proceed to challenge the domain. If it passes, it will output some information about where your certificates can be found. This will usually be in /etc/letsencrypt/live/<your_domain>.
Now, link the certificates into mycrt:
```bash
cd mycrt/service
mkdir ssl
cd ssl
# The exact locations may vary depending on where your certs are.
# The links point into /etc/letsencrypt, which is readable only by root by default,
# so the user MyCRT runs as must be able to read the linked files.
sudo ln -s /etc/letsencrypt/live/your.domain.com/fullchain.pem fullchain.pem
sudo ln -s /etc/letsencrypt/live/your.domain.com/privkey.pem privkey.pem
```
6: Modify MyCRT Settings
Change `ssl` in mycrt/service/mycrt.config.json to `true`.
Restart MyCRT with:
```bash
sudo systemctl stop mycrt
sudo systemctl daemon-reload
sudo systemctl start mycrt
```
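A pre-flight check for this step, added here as an example and not part of the MyCRT project: it refuses to flip `ssl` to `true` unless the two files linked in step 5 exist, resolve (not dangling symlinks), are readable by the current user, and the private key is not readable by group or others. It assumes mycrt.config.json is a JSON object with a top-level boolean `ssl` key; the `demo()` fixture is a constructed temp tree, not a real install.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed layout (not taken from the MyCRT project): ssl/ holds these two links.
REQUIRED = ("fullchain.pem", "privkey.pem")

def check_ssl_dir(ssl_dir):
    """Return a list of problems; an empty list means the directory is ready."""
    problems = []
    for name in REQUIRED:
        path = Path(ssl_dir) / name
        if not path.exists():  # a dangling symlink also fails this test
            problems.append(f"{name}: missing or dangling symlink")
        elif not os.access(path, os.R_OK):
            problems.append(f"{name}: not readable by this user")
    key = Path(ssl_dir) / "privkey.pem"
    # stat() follows the symlink, so this inspects the real key in /etc/letsencrypt
    if key.exists() and stat.S_IMODE(key.stat().st_mode) & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("privkey.pem: readable by group or others")
    return problems

def enable_ssl(config_path, ssl_dir):
    """Set "ssl": true in the config only when the certificate files pass the checks."""
    problems = check_ssl_dir(ssl_dir)
    if problems:
        return False, problems
    cfg = Path(config_path)
    config = json.loads(cfg.read_text())
    config["ssl"] = True  # other keys are preserved untouched
    cfg.write_text(json.dumps(config, indent=2) + "\n")
    return True, []

def demo():
    # Constructed temp tree standing in for mycrt/service; PEM contents are placeholders.
    root = Path(tempfile.mkdtemp())
    ssl_dir, cfg = root / "ssl", root / "mycrt.config.json"
    ssl_dir.mkdir()
    cfg.write_text(json.dumps({"ssl": False, "port": 80}))
    outcomes = [enable_ssl(cfg, ssl_dir)[0]]  # no PEM files yet -> refused
    (ssl_dir / "fullchain.pem").write_text("constructed placeholder\n")
    key = ssl_dir / "privkey.pem"
    key.write_text("constructed placeholder\n")
    key.chmod(0o644)
    outcomes.append(enable_ssl(cfg, ssl_dir)[0])  # key readable by others -> refused
    key.chmod(0o600)
    outcomes.append(enable_ssl(cfg, ssl_dir)[0])  # ready -> config rewritten
    return outcomes, json.loads(cfg.read_text())
```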
7: Modify EC2 Inbound Rules
Remove the HTTP inbound rules for your EC2 instance's security group.
Add HTTPS inbound rules for your EC2 instance's security group.
Verify these:
```bash
curl https://your.domain.com/test.txt
# should print:
# this is a test
# this is a test again
curl http://your.domain.com/test.txt
# should not be accessible
```
8: Access MyCRT through HTTPS
Now, open MyCRT with https as the protocol in place of http:
https://your.domain.com/
Congratulations! Your MyCRT installation is now being served over HTTPS!