# Installing LetsEncrypt SSL Certificate on Polarity Server

The following document walks through installing a LetsEncrypt SSL Certificate on the Polarity Server. Let's Encrypt is a free, automated, and open certificate authority. To be able to use a LetsEncrypt certificate, the Polarity Server must have:

1. A non-IP fully qualified domain name that is Internet routable (i.e., you must be able to reach your Polarity server from the open Internet and the FQDN cannot be an IP address)
2. Port 80 must be open when you are requesting the certificate from LetsEncrypt so they can validate ownership of the server.

LetsEncrypt is not a good solution for an SSL certificate if you need to IP whitelist your Polarity Server (e.g., block access using an AWS security group) or if your Polarity Server is on an internal network.

Ensure you have the RHEL/CentOS7 EPEL repo installed

```
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
```

Install CertBot

```
sudo yum install certbot python2-certbot-nginx
```

Get a LetsEncrypt certificate

```
sudo certbot certonly --nginx
```

To be able to get a certificate you must have port 80 open. By default, the Polarity Server listens on port 80 and redirects traffic to port 443.

You will be prompted for the FQDN of your Polarity server.

The certificate will be downloaded to `/etc/letsencrypt/live/{{FQDN}}/fullchain.pem` and the private key will be downloaded to `/etc/letsencrypt/live/{{FQDN}}/privkey.pem`.

Change the permissions on the downloaded certificates so that the `polarityd` user is able to read them:

```
chmod -R 755 /etc/letsencrypt
```
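The `chmod -R 755` above also makes the private key readable by every local account on the server. As an added example, not taken from the Polarity documentation, the following grants read access through a group instead and includes a check that reports any private key a non-privileged user could read. It assumes certbot's standard layout (`live/<fqdn>/*.pem` symlinks into `archive/<fqdn>/`) and a group named `polarityd` for the service account; the group name and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Polarity documentation. Assumes certbot's
# standard layout (live/<fqdn>/*.pem -> archive/<fqdn>/) and that the Polarity
# service account belongs to a group named "polarityd" (hypothetical name).

# restrict_cert_tree DIR GROUP
# Make the certificate tree readable by root and GROUP only: directories 750,
# every .pem file (public certs and private keys) 640. No key is world-readable.
restrict_cert_tree() {
    dir="$1"
    grp="$2"
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -name '*.pem' -exec chmod 640 {} +
    # Change group ownership only when the group exists; the permission bits
    # above are applied either way.
    if getent group "$grp" >/dev/null 2>&1; then
        chgrp -R "$grp" "$dir"
    fi
}

# world_readable_keys DIR
# Print every private key any local user could read; return 1 if one exists.
world_readable_keys() {
    found=$(find "$1" -type f -name 'privkey*.pem' -perm -004)
    if [ -n "$found" ]; then
        printf 'world-readable private key: %s\n' "$found"
        return 1
    fi
    return 0
}

# Typical use on the server (run as root):
#   restrict_cert_tree /etc/letsencrypt polarityd
#   world_readable_keys /etc/letsencrypt
```

nginx's master process runs as root and can still read the files; only the Polarity service needs the group grant. Run the check again after each renewal, since certbot writes new key files into `archive/`.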

Once the certificates are downloaded, update the Polarity nginx configuration to use the LetsEncrypt certificates instead of the default self-signed certificates. Open the nginx config file with a text editor:

```
vi /etc/nginx/conf.d/polarity.conf
```

Next, update `ssl_certificate` and `ssl_certificate_key` properties with the new certificate paths:

```
ssl_certificate /etc/letsencrypt/live/{{FQDN}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{FQDN}}/privkey.pem;
```

Replace `{{FQDN}}` with the correct fully qualified domain name of your Polarity server.

After saving the change to the nginx configuration, restart nginx:

```
systemctl restart nginx
```

Check to make sure nginx came back up successfully:

```
systemctl status nginx
```

After updating the nginx config, you will need to update the Polarity Server configuration to use the new certificates. Open the config file located at `/app/polarity-server/config/config.js` in a text editor.

```
vi /app/polarity-server/config/config.js
```

Find the settings `rest.credentials.key` and `rest.credentials.certificate` and update them with the correct key and certificate paths from LetsEncrypt:

```
"rest": {
   "credentials": {
      "enabled": true,
      "key": "/etc/letsencrypt/live/{{FQDN}}/privkey.pem",
      "certificate": "/etc/letsencrypt/live/{{FQDN}}/fullchain.pem"
   }
}
```

Save the file and then restart the Polarity Server:

```
systemctl restart polarityd
```

Check to make sure all Polarity services are running:

```
/app/polarity-server/scripts/polarity-status.sh
```

Finally, set up automatic renewal of the certificate:

```
echo "0 0,12 * * * root python -c 'import random; import time;\
time.sleep(random.random() * 3600)' && certbot renew -q" | \
sudo tee -a /etc/crontab > /dev/null
```
