using Crossbar with Letsencrypt (ubuntu 16.04) - success

#1

TLDR; Using Ubuntu 16.04, I did the following:

  1. generated a certificate using letsencrypt
  2. mounted certificate directory into crossbar docker container
  3. configured crossbar to use TLS certificates
  4. tested secure websocket connection

Here is some more detail on how it worked …

  1. Create Certificate with Letsencrypt

apt install letsencrypt

Then create the certificate for this machine:

letsencrypt certonly --standalone -d <hostname.example.com>

Where <hostname.example.com> is your server name. After this succeeds, I have a directory with the following two files:

/etc/letsencrypt/live/<hostname.example.com>/privkey.pem
/etc/letsencrypt/live/<hostname.example.com>/fullchain.pem

Some of these paths are symbolic links, so in order to be able to chase all the symlinks from inside docker, we need to mount the entire /etc/letsencrypt root directory:

  2. Mount certificate directory into crossbar docker container

When I created my docker container, I needed to mount the Ubuntu letsencrypt directory into the container:

docker create \
  -v /home/dante/example/crossbar:/node \
  -v /etc/letsencrypt:/etc/letsencrypt \
  -p 8080:8080 \
  --name crossbar \
  crossbario/crossbar

This way, the docker container will have /etc/letsencrypt mounted inside it and will be able to reference the *.pem files from our config.json file.

  3. Configure crossbar to use TLS certificates by adding the websocket transport config like so:

"transports": [
    {
        "id": "anon8080",
        "type": "websocket",
        "endpoint": {
            "type": "tcp",
            "port": 8080,
            "tls": {
                "key": "/etc/letsencrypt/live/<hostname.example.com>/privkey.pem",
                "certificate": "/etc/letsencrypt/live/<hostname.example.com>/fullchain.pem"
            }
        },
        "url": "wss://<hostname.example.com>:8080"
    }
]

I then restarted crossbar to use this new configuration and see that it does start TLS on port 8080:

… [Router 17] Loading server TLS key from /etc/letsencrypt/live/<hostname.example.com>/privkey.pem

… [Router 17] Loading server TLS certificate from /etc/letsencrypt/live/<hostname.example.com>/fullchain.pem

… [Router 17] Using secure default TLS ciphers

… [Router 17] No OpenSSL DH parameter file set - DH cipher modes will be deactive!

… [Router 17] OpenSSL is using elliptic curve prime256v1 (NIST P-256)

… [Router 17] WampWebSocketServerFactory (TLS) starting on 8080

… [Controller 1] Router ‘router’: transport ‘anon8080’ started

… [Controller 1] Local node configuration applied successfully!

  4. Tested WSS connection

In my sample client, I can now set the connection uri to:

var WS_URI = "wss://<hostname.example.com>:8080";

And voila! Success …

– Dante


#2

Does anyone know what will happen if the certificates expire?

If I run:

letsencrypt renew

In the future and the certs are updated, do I need to restart crossbar for those new certs to take effect, or are the certs re-read for every new client connection?

Ideally, I’d be able to put the “letsencrypt renew” into crontab and just forget about it.

– Dante


#3

You may be able to test it using a self-signed certificate that expires in a short amount of time and then updating it?


On Thursday, 29 June 2017 21:15:23 UTC+2, Dante Lorenso wrote:

Does anyone know what will happen if the certificates expire?

If I run:

letsencrypt renew

In the future and the certs are updated, do I need to restart crossbar for those new certs to take effect, or are the certs re-read for every new client connection?

Ideally, I’d be able to put the “letsencrypt renew” into crontab and just forget about it.

– Dante


#4

On 29.06.2017 at 21:15, Dante Lorenso wrote:

Does anyone know what will happen if the certificates expire?

If I run:

letsencrypt renew

In the future and the certs are updated, do I need to restart crossbar for those new certs to take effect, or are the certs re-read for every new client connection?

Ideally, I'd be able to put the "letsencrypt renew" into crontab and just forget about it.

-- Dante

You will have to restart Crossbar.io - I have just tested this on our demo instances to make sure.

I have filed a doc issue to document this behavior:

https://github.com/crossbario/crossbar/issues/1122

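Putting the procedure from post #1 together with the answer in post #4 (Crossbar.io loads the key and certificate once at startup and must be restarted after a renewal), the following renewal script is an added example; it is not code from this thread or from the Crossbar.io project. It assumes, as the thread does not state, that the container is named `crossbar`, that the certificate lineage directory is `/etc/letsencrypt/live/hostname.example.com`, and that the `letsencrypt` client behaves like certbot: a renewal writes a new numbered file under `archive/<lineage>/` and repoints the `live/` symlinks instead of overwriting the file in place. That symlink behaviour is also why post #1 mounts the whole `/etc/letsencrypt` tree rather than only `live/`, so the script checks the resolved targets before doing anything.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Crossbar.io project.
# Renew the Let's Encrypt certificate and restart the crossbar container only
# when the certificate file actually changed: Crossbar.io reads the key and
# certificate once at startup (the "Loading server TLS key" log lines in
# post #1, confirmed in post #4), so a renewed file on disk is not served
# until the router restarts.
#
# Assumptions (not from the thread): container name "crossbar", lineage
# hostname.example.com (override with LINEAGE / LIVE_DIR / CONTAINER), and a
# certbot-style client that writes archive/<lineage>/fullchainN.pem and
# repoints the live/ symlinks rather than overwriting the files in place.

LINEAGE="${LINEAGE:-hostname.example.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$LINEAGE}"
CONTAINER="${CONTAINER:-crossbar}"

# Resolve a live/ symlink to the archive file behind it, e.g.
# /etc/letsencrypt/archive/<lineage>/fullchain2.pem. Every renewal creates a
# new numbered archive file, so the resolved path is a cheap and reliable
# "did the certificate change" signal that needs no openssl call.
resolve_cert() {
    readlink -f "$1"
}

# True (exit 0) when the resolved path moved, i.e. a renewal happened.
cert_changed() {
    [ "$1" != "$2" ]
}

# Pre-flight check for the bind mount: both live/ symlinks must resolve to a
# readable regular file. This is exactly what breaks inside the container if
# only live/ is mounted instead of the whole /etc/letsencrypt tree, because
# the symlink targets under archive/ are then missing.
check_cert_files() {
    dir="$1"
    key=$(readlink -f "$dir/privkey.pem")
    chain=$(readlink -f "$dir/fullchain.pem")
    [ -f "$key" ] && [ -r "$key" ] && [ -f "$chain" ] && [ -r "$chain" ]
}

# Run the renewal; restart the router only if the certificate changed.
renew_and_restart() {
    check_cert_files "$LIVE_DIR" || {
        echo "certificate files under $LIVE_DIR are missing or unreadable" >&2
        return 1
    }
    before=$(resolve_cert "$LIVE_DIR/fullchain.pem")
    letsencrypt renew || return 1
    after=$(resolve_cert "$LIVE_DIR/fullchain.pem")
    if cert_changed "$before" "$after"; then
        echo "certificate renewed: $before -> $after; restarting $CONTAINER"
        docker restart "$CONTAINER"
    else
        echo "certificate unchanged ($after); no restart needed"
    fi
}

# Only perform the renewal when invoked as ".../script.sh renew", so the
# functions above can be sourced and exercised without touching letsencrypt
# or docker.
if [ "${1:-}" = "renew" ]; then
    renew_and_restart
fi
```

Install it (the path is a placeholder) and schedule it with a crontab line such as `0 3 * * * /usr/local/sbin/renew-crossbar-cert.sh renew`; restarting only on a changed certificate keeps the daily run from dropping every WebSocket session when nothing was renewed. After a restart, `openssl s_client -connect <hostname.example.com>:8080 -servername <hostname.example.com>` shows the certificate actually being served and its `notAfter` date, which is the check that catches a forgotten restart.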