Configuring HTTPS for Apcera CE

This section describes how to configure HTTPS for your platform, which is supported in apcera-setup version 1.2.3 and later.

Using HTTPS is optional but recommended. If you want to use the App Token, you must enable HTTPS for your cluster.

Configuring HTTPS

During the apcera-setup config process, you are prompted to specify the mode of communications for your platform.

[ HTTPS Configuration ]
For HTTPS communication within the cluster a certificate is required. You can provide your own certificate or have the Apcera Platform generate a self-signed certificate.
[0] Have the Apcera Platform generate a self-signed certificate
[1] Provide my own certificate
[2] Do not use a certificate (only insecure HTTP communication is available within the cluster)
Enter your selection [0]:
Please add and trust the HTTPS certificate at "certs/cert.crt".
See http://docs.apcera.com/setup/apcera-setup-certs/ for more details.
Have you added/trusted the HTTPS certificate? [Y/n]

You have the three configuration options shown in the prompt above.

If you choose to enable HTTPS (option 0 or 1), you are prompted to trust the SSL certificate when the deployment process completes.

Here you have two trust options:

  • Trust the certificate by completing the cert trust procedure for your OS, and then enter Y at the prompt to complete the HTTPS configuration process.
  • Not trust the certificate by choosing "No" three times at the prompt. In this case the apcera-setup process will complete with the untrusted certificate in place.

Use self-signed cert

Select option 0 (default) to configure HTTPS using a self-signed SSL certificate.

The apcera-setup tool generates the self-signed HTTPS certificate /apcera-setup/certs/cert.crt and private key /apcera-setup/certs/cert.key.

If you are updating your cluster and already have a certificate that is trusted, choose option 1 and specify the following:

  • Path to your HTTPS certificate: \apcera-setup\certs\cert.crt
  • Path to your HTTPS certificate private key: \apcera-setup\certs\cert.key

Provide your own cert

Select option 1 to configure HTTPS and provide your own SSL certificate.

To provide your own certificate you need to use a certificate authority (CA) that supports wildcard certificates, such as DigiCert or Network Solutions. Note that you cannot use Let's Encrypt because at this time this CA does not support wildcard certificates.

Not using HTTPS

Select option 2 to not use HTTPS. In this case your cluster uses insecure HTTP communication both from the APC client and from the web console.

Trusting the certificate

You need to trust the cert in two places: in your browser, so that you can access the web console, and in your local trust store, so that the APC command line client can interface with the cluster.

  • To trust the cert for the web console, open the web console in a browser and accept the cert. The procedure depends on the browser.
  • To trust the cert for APC, download the cert and add it to your local trust store. See the instructions for your environment: Mac, Linux, Windows.

Trusting the cert for Firefox

If you are using the self-signed certificate and you are using Mozilla Firefox browser, you must trust the cert using Firefox.

To trust the cert for Firefox, visit each of the following URLs and manually add the exception for each:

  • https://api.<subdomain>.apcera-platform.io
  • https://auth.<subdomain>.apcera-platform.io
  • https://basicauth.<subdomain>.apcera-platform.io
  • https://gauth.<subdomain>.apcera-platform.io
  • https://<subdomain>.apcera-platform.io
  • https://console.<subdomain>.apcera-platform.io

To verify, visit https://console.<subdomain>.apcera-platform.io and check that the web console appears and you can log in.
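Because a wildcard certificate matches exactly one DNS label, a certificate issued only for *.<subdomain>.apcera-platform.io covers api, auth, basicauth, gauth and console but not the bare <subdomain>.apcera-platform.io name in the list above, which needs its own subject alternative name (SAN) entry. The following script is an added example, not code from the Apcera documentation or the apcera-setup tool: it applies browser-style SAN matching to the six hostnames so you can confirm coverage before trusting a certificate. The SAN list and the subdomain "example" are constructed for illustration; in practice you would take the SAN entries from your own cert.crt.

```python
"""Check that a certificate's subject alternative names (SANs) cover every
hostname the Apcera web console and APC client contact.

Added example, not part of the Apcera documentation. The SAN list passed in
is assumed to have been extracted from cert.crt already; the values below
are constructed, with "example" standing in for <subdomain>.
"""

# The hostnames from the Firefox section of the page, with <subdomain> = "example".
CLUSTER_HOSTS = [
    "api.example.apcera-platform.io",
    "auth.example.apcera-platform.io",
    "basicauth.example.apcera-platform.io",
    "gauth.example.apcera-platform.io",
    "example.apcera-platform.io",
    "console.example.apcera-platform.io",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname the way browsers do
    (RFC 6125 rules): a '*' may only be the entire left-most label, it
    matches exactly one label, and it is not accepted for very short names
    such as '*.io'. Consequently '*.example.apcera-platform.io' matches
    'api.example.apcera-platform.io' but not 'example.apcera-platform.io'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('f*.example...'), wildcards in other labels,
    # and wildcards that would cover an entire public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one non-empty label.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(sans, hosts=CLUSTER_HOSTS):
    """Return the hostnames that no SAN entry in `sans` covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    # Constructed SAN list: a wildcard only, as a CA would issue it if the
    # bare cluster name was not requested as a separate SAN.
    sans = ["*.example.apcera-platform.io"]
    missing = uncovered_hosts(sans)
    if missing:
        print("Certificate does NOT cover:", ", ".join(missing))
    else:
        print("Certificate covers all cluster hostnames")
```

Run against the wildcard-only list the script reports example.apcera-platform.io as uncovered; adding that name as a second SAN entry makes the check pass. The same function can be pointed at any other hostname list, since it implements the general wildcard rule rather than the six names above.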

Trusting the cert on Mac

1) Locate the certificate file cert.crt using the Finder utility.

When you choose to use a self-signed cert, it is downloaded to your local directory at /apcera-setup/certs/cert.crt. If you did not create the apcera-setup working directory, the file path is $PWD/certs/cert.crt.

2) Right click the cert.crt file and open it using the Keychain Access app.

screenshot

If opening the cert with the Keychain Access app fails with the error "cannot update system roots," open the cert another way: launch the Keychain Access app, log in, and then select File > Import Items.

3) Locate the imported file in Keychain Access app.

Select Keychains > login and Category > Certificates to locate the certificate. It will have a red icon indicating it is not yet trusted.

If you cannot find the certificate, check the Keychains > System and Category > Certificates directory.

screenshot

4) Double-click the certificate. In the dialog that opens, click the arrow to expand the Trust section.

screenshot

5) Set the option "When using this certificate" to "Always Trust".

screenshot

6) Provide your password and click Update Settings.

When you close the open dialog you are prompted to "provide your password."

screenshot

7) Verify in the Keychain Access app that the certificate is now trusted.

screenshot

8) Close the Keychain Access app.

9) Return to the apcera-setup process and press enter at the prompt:

Have you added/trusted the HTTPS certificate? [Y/n]

Trusting the cert on Windows

The following steps are applicable to Windows 10.

1) On the Windows 10 computer, start the Microsoft Management Console (MMC) by running mmc.exe in a command prompt window.

2) In the Console Root interface, select the menu option File > Add/Remove Snap-in.

3) From the list of Available snap-ins, select Certificates and click Add >.

4) At the Certificates snap-in screen, select Computer account and click Next.

5) At the Select Computer screen, select the Local computer option and click Finish.

6) Back at the Add or Remove Snap-ins screen, click OK to close the dialog.

7) Expand the Console Root > Certificates (Local Computer) tree in the left column.

8) Select Trusted Root Certification Authorities in the left column and the Object Type Certificates in the middle column.

9) In the Actions column to the right, select Certificates > More Action > All Tasks > Import….

This launches the Certificate Import Wizard.

10) Click Next to continue.

11) Browse to and select the certificate to import.

If you are using the Apcera-provided self-signed cert, the certificate file path is \apcera-setup\certs\cert.crt.

12) Confirm the certificate file path and click Next.

13) Choose the option "Place all certificates in the Certificate store: Trusted Root Certification Authorities."

14) Click Next and then click Finish.

15) You should receive the message from the Certificate Import Wizard that "The import was successful."

Once imported, the certificate is now trusted for all users of that computer.

16) To verify, select the Trusted Root Certification Authorities > Certificates folder in the column on the left.

You should see the newly imported certificate listed in the middle column.

17) Close the MMC interface once you have successfully imported the certificate. (You do not need to save the console.)

18) Return to the apcera-setup process and press enter at the prompt:

Have you added/trusted the HTTPS certificate? [Y/n]

Trusting the cert on Linux

1) Refer to the following article to trust the HTTPS certificate on Linux:

Ubuntu or Debian Linux:

http://blog.tkassembled.com/410/adding-a-certificate-authority-to-the-trusted-list-in-ubuntu/.

Amazon Linux, RedHat, and CoreOS:

Copy the cert.crt file to /etc/pki/ca-trust/source/anchors/, then run sudo update-ca-trust enable followed by sudo update-ca-trust extract. See http://stackoverflow.com/questions/22509271/import-self-signed-certificate-in-redhat.
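The two Linux procedures above differ only in where the PEM file goes and which command rebuilds the trust bundle. The following script is an added example, not code from Apcera or from the linked articles: it reads /etc/os-release to pick the distribution family, checks that cert.crt is actually PEM (both trust stores silently ignore DER), and then copies the file and runs the refresh commands. The RedHat-family path and commands are the ones given on this page; the Debian/Ubuntu location (/usr/local/share/ca-certificates, files must end in .crt) and update-ca-certificates come from the standard ca-certificates package. The certificate file name "apcera-cluster.crt" is an assumption; any .crt name works.

```python
"""Add the Apcera cluster certificate to the Linux system trust store.

Added example, not part of the Apcera documentation or apcera-setup.
Assumptions: /etc/os-release exists, the certificate is PEM, and the script
runs with enough privilege to write to the trust-store directory.
"""
import os
import shutil
import subprocess
import sys

# Trust-store directory and refresh command(s) per distribution family.
# The "rhel" entry reproduces the steps from the page; the "debian" entry is
# the ca-certificates package convention.
TRUST_STORES = {
    "debian": ("/usr/local/share/ca-certificates", [["update-ca-certificates"]]),
    "rhel": ("/etc/pki/ca-trust/source/anchors",
             [["update-ca-trust", "enable"], ["update-ca-trust", "extract"]]),
}


def parse_os_release(text):
    """Parse the KEY=value lines of /etc/os-release into a dict, quotes stripped."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key] = value.strip().strip('"')
    return info


def distro_family(os_release_text):
    """Return 'debian', 'rhel' (covers Amazon Linux, CentOS, Fedora, CoreOS),
    or None when the distribution is not recognised."""
    info = parse_os_release(os_release_text)
    ids = {info.get("ID", "")} | set(info.get("ID_LIKE", "").split())
    if ids & {"debian", "ubuntu"}:
        return "debian"
    if ids & {"rhel", "fedora", "centos", "amzn", "coreos"}:
        return "rhel"
    return None


def is_pem_certificate(data: bytes) -> bool:
    """Both trust stores only pick up PEM files; a DER export is ignored
    without any error, which leaves the cluster untrusted."""
    return b"-----BEGIN CERTIFICATE-----" in data


def plan_trust_install(os_release_text, name="apcera-cluster"):
    """Return (destination path, [commands]) without touching the system."""
    family = distro_family(os_release_text)
    if family is None:
        raise ValueError("unsupported distribution; add the certificate manually")
    directory, commands = TRUST_STORES[family]
    # update-ca-certificates requires the .crt extension; the anchors
    # directory accepts it as well, so use it for both families.
    return os.path.join(directory, name + ".crt"), commands


def install(cert_path, os_release_path="/etc/os-release"):
    """Copy the certificate into the trust store and refresh the bundle.
    Returns the path the certificate was installed to."""
    with open(cert_path, "rb") as f:
        if not is_pem_certificate(f.read()):
            raise ValueError("%s is not a PEM certificate" % cert_path)
    with open(os_release_path) as f:
        destination, commands = plan_trust_install(f.read())
    shutil.copy(cert_path, destination)  # needs root / sudo
    for cmd in commands:
        subprocess.run(cmd, check=True)
    return destination


if __name__ == "__main__":
    # Default matches the self-signed cert location from the page.
    cert = sys.argv[1] if len(sys.argv) > 1 else "certs/cert.crt"
    print("Installed trust anchor at", install(cert))
```

Run it as root (or under sudo) from the apcera-setup working directory, then return to the "Have you added/trusted the HTTPS certificate?" prompt. A plain `python3 trust_cert.py` with no privilege fails at the copy step rather than leaving a half-installed anchor, because the PEM and distribution checks run first.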

2) Once you have trusted the cert, return to the apcera-setup process and press enter at the prompt:

Have you added/trusted the HTTPS certificate? [Y/n]