
Installing LetsEncrypt SSL Certificate on Polarity Server

The following document walks through installing a LetsEncrypt SSL Certificate on the Polarity Server. Let's Encrypt is a free, automated, and open certificate authority. To be able to use a LetsEncrypt certificate, the Polarity Server must have:

  1. A non-IP fully qualified domain name that is Internet routable (i.e., you must be able to reach your Polarity server from the open Internet and the FQDN cannot be an IP address)

  2. Port 80 must be open when you are requesting the certificate from LetsEncrypt so they can validate ownership of the server.

LetsEncrypt is not a good solution for an SSL certificate if you need to IP whitelist your Polarity Server (e.g., block access using an AWS security group) or if your Polarity Server is on an internal network.

Ensure you have the RHEL/CentOS 7 EPEL repo installed

yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Install CertBot

sudo yum install certbot python2-certbot-nginx

Get a LetsEncrypt certificate

sudo certbot certonly --nginx

To be able to get a certificate you must have port 80 open. By default, the Polarity Server listens on port 80 and redirects traffic to port 443.

You will be prompted for the FQDN of your Polarity server.

The certificate will be downloaded to /etc/letsencrypt/live/{{FQDN}}/fullchain.pem and the private key will be downloaded to /etc/letsencrypt/live/{{FQDN}}/privkey.pem.

Change the permissions on the downloaded certificates so that the polarityd user is able to read them:

chmod -R 755 /etc/letsencrypt

Once the certificates are downloaded, update the Polarity nginx configuration to use the LetsEncrypt certificates instead of the default self-signed certificates. Open the nginx config file with a text editor:

vi /etc/nginx/conf.d/polarity.conf

Next, update the ssl_certificate and ssl_certificate_key properties with the new certificate paths:

ssl_certificate /etc/letsencrypt/live/{{FQDN}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{FQDN}}/privkey.pem;

Replace {{FQDN}} with the correct fully qualified domain name of your Polarity server.

After saving the change to the nginx configuration, restart nginx:

systemctl restart nginx

Check to make sure nginx came back up successfully:

systemctl status nginx

After updating the nginx config, you will need to update the Polarity Server configuration to use the new certificates. Open the config file located at /app/polarity-server/config/config.js in a text editor.

vi /app/polarity-server/config/config.js

Find the settings rest.credentials.key and rest.credentials.certificate and update them with the correct key and certificate paths from LetsEncrypt:

"rest": {
   "credentials": {
      "enabled": true,
      "key": "/etc/letsencrypt/live/{{FQDN}}/privkey.pem",
      "certificate": "/etc/letsencrypt/live/{{FQDN}}/fullchain.pem"
   }
}

Save the file and then restart the Polarity Server:

systemctl restart polarityd

Check to make sure all Polarity services are running:

/app/polarity-server/scripts/polarity-status.sh

Finally, set up automatic renewal of the certificate:

echo "0 0,12 * * * root python -c 'import random; import time;\
time.sleep(random.random() * 3600)' && certbot renew -q" | \
sudo tee -a /etc/crontab > /dev/null
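Two gaps a practitioner would want closed in the steps above: chmod -R 755 leaves privkey.pem readable by every local account on the server, and certbot renew does not restart polarityd, which reads the key and certificate itself via config.js. The following certbot deploy hook is an added example, not part of the Polarity documentation: after each successful renewal it checks that the renewed certificate matches its key, re-tightens the /etc/letsencrypt tree to root plus the service group, and restarts nginx and polarityd. It assumes polarityd runs under a group named polarityd (override with POLARITY_GROUP) and that the script is installed executable as /etc/letsencrypt/renewal-hooks/deploy/polarity.sh.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook for the Polarity server.
# Install as /etc/letsencrypt/renewal-hooks/deploy/polarity.sh (chmod 755);
# certbot runs every executable in that directory after a successful renewal.
set -e

# Assumed name of the group polarityd runs under; override via the environment.
POLARITY_GROUP="${POLARITY_GROUP:-polarityd}"

# Succeeds when the file grants any permission to "other" (last octal digit != 0).
# -L follows the live/ symlinks so the real file's mode is inspected.
world_readable() {
  case "$(stat -L -c '%a' "$1")" in
    *0) return 1 ;;
    *)  return 0 ;;
  esac
}

# Verify that the renewed leaf certificate belongs to the private key by
# comparing the public key embedded in each.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Make the certbot tree readable by root and the service group only.
# certbot keeps real files in archive/<name>/ and symlinks in live/<name>/, so
# every directory must be group-traversable and only privkey*.pem gets 640.
restrict_key_perms() {
  root="$1"; group="$2"
  chgrp -R "$group" "$root"
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -name 'privkey*.pem' -exec chmod 640 {} +
  find "$root" -type f ! -name 'privkey*.pem' -exec chmod 644 {} +
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/{{FQDN}}) only when
# invoking this script as a deploy hook; sourced elsewhere, nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  cert_matches_key "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" || {
    echo "renewed certificate and key do not match; services not restarted" >&2
    exit 1
  }
  restrict_key_perms /etc/letsencrypt "$POLARITY_GROUP"
  if world_readable "$RENEWED_LINEAGE/privkey.pem"; then
    echo "private key is still world-readable" >&2
    exit 1
  fi
  systemctl restart nginx
  systemctl restart polarityd
  /app/polarity-server/scripts/polarity-status.sh
fi
```

Run certbot renew --dry-run once after installing the hook to confirm it executes without error.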

Last updated 2 years ago