SSL for Thinger.io snap server


#1

Hello All,

I have been trying to get SSL up and working on a Thinger.io private server. I have been able to get my fullchain.pem and my privkey.pem using Certbot standalone via SSH (thank you for that). My question is: how do you convert PEM files or change the config file for Thinger.io? Below is a cut and paste from their config file that deals with SSL and its requirements.

"ssl" : {
    "ssl_certificate" : "certificates/server.crt",
    "ssl_certificate_key" : "certificates/server.key",
    "tmp_dh_file" : "certificates/dh2048.pem",
    "ssl_ciphers" : "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA$
    "ssl_prefer_server_ciphers" : true
},
"http_server" : {
    "address" : "0.0.0.0",
    "port" : "80",
    "ssl_port" : "443",
    "hosts" : [
        {
            "host": "*",
            "type": "rest",
            "cors": {
                "enabled" : true
            },
            "web_fallback" : {
                "enabled" : true,
                "root": "${SNAP}/console"
            }
        }
    ]
},

I have tried renaming the keys in the certificates, and I have tried changing the config file to call for the pem files. I am certain there is something significant I am missing. Any help or even a nudge in the right direction would be a huge help.

Thank you in advance.
Andrew


#2

I suspect that ssl_certificate and ssl_certificate_key both accept PEM-encoded files, so you should be able to just use the paths to fullchain.pem and privkey.pem, respectively.

One thing I noticed, if you are running via Snap, as per the Thinger.io server deployment documentation, then Ubuntu’s AppArmor will prevent the process from reading your certificate and key from /etc/letsencrypt:

Dec 30 08:09:47 x1 audit[29433]: AVC apparmor="DENIED" operation="open" profile="snap.thinger-maker-server.thingerd" name="/etc/letsencrypt/archive/XXX/fullchain1.pem" pid=29433 comm="thingerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Dec 30 08:09:47 x1 kernel: audit: type=1400 audit(1514581787.112:49): apparmor="DENIED" operation="open" profile="snap.thinger-maker-server.thingerd" name="/etc/letsencrypt/archive/XXX/fullchain1.pem" pid=29433 comm="thingerd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

You can either:

  • Copy the certificate and private key from /etc/letsencrypt to /var/snap/thinger-maker-server/common/certificates (and do that as part of the Certbot renewal hook), or
  • Adjust the AppArmor profile for Thinger to allow it to read from /etc/letsencrypt

You can adjust the AppArmor profile by modifying /var/lib/snapd/apparmor/profiles/snap.thinger-maker-server.thingerd, adding:

/etc/letsencrypt/archive/** r,

then reloading the profile:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.thinger-maker-server.thingerd
sudo service snap.thinger-maker-server.thingerd restart
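
The first option in the reply above (copying the files from a Certbot renewal hook) could look like this. It is an added example, not part of the thread or Thinger.io's own code. It assumes the config's `certificates/server.crt` and `certificates/server.key` resolve under the snap's common directory, and that Certbot runs the script as a deploy hook.

```shell
#!/bin/sh
# Added example: Certbot deploy hook (not from the thread or Thinger.io docs).
# Assumption: "certificates/server.crt" and "certificates/server.key" in the
# config resolve under the snap's common directory named in the reply above.
DEST_DIR="/var/snap/thinger-maker-server/common/certificates"

# deploy_certs <lineage_dir> <dest_dir>
# Copies fullchain.pem -> server.crt and privkey.pem -> server.key.
# Both files are staged first and then renamed, so a failed copy never
# leaves a new certificate paired with an old key.
deploy_certs() {
    src=$1
    dst=$2
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "deploy_certs: missing or empty $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst" || return 1
    # Stage under temporary names; the key is never group/world-readable.
    install -m 0644 "$src/fullchain.pem" "$dst/.server.crt.new" || return 1
    if ! install -m 0600 "$src/privkey.pem" "$dst/.server.key.new"; then
        rm -f "$dst/.server.crt.new"
        return 1
    fi
    # Renaming within one directory replaces the old file atomically.
    mv -f "$dst/.server.key.new" "$dst/server.key" &&
        mv -f "$dst/.server.crt.new" "$dst/server.crt"
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) to
# deploy hooks; without it the script only defines the function.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$DEST_DIR" &&
        service snap.thinger-maker-server.thingerd restart
fi
```

Install it, executable, under /etc/letsencrypt/renewal-hooks/deploy/ or pass it to Certbot with `--deploy-hook`. This leaves the snap's AppArmor confinement unchanged and keeps the private key copy readable only by its owner.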
