Skip to content

Latest commit

 

History

History
45 lines (36 loc) · 2.48 KB

SSL.md

File metadata and controls

45 lines (36 loc) · 2.48 KB
Raw

Enabling SSL for the web configuration pages requires some setup work. You will need either a valid SSL certificate and its corresponding private key, or a self-signed certificate. StilleBot can automatically generate a self-signed cert, but a new one will be created each time the bot is restarted, making it inadvisable and inconvenient. Instead, create a certificate externally, and have StilleBot make use of it.

If you do not already own a valid certificate, one option is LetsEncrypt, which can generate browser-supported certs fairly conveniently. However, you may need to reformat the private key:

openssl rsa -in ....../privkey.pem >..../privkey.pem

(With openssl 3, add the -traditional parameter.)

The "fullchain" certificate from LetsEncrypt is directly usable. If you obtain a certificate that comes with a separate authority chain (GoDaddy is known to do this), simply concatenate the two files.

Store the private key in privkey.pem and the cert(s) in certificate.pem. Note that protecting your private key is important. StilleBot is entirely okay with these files being symlinks or named pipes or other non-normal files.

Configure the server's externally-accessible address and port in "Authenticate Manually", specifying https:// to enable encryption. To have StilleBot listen on a different port, specify that in the listen port - not normally necessary, but can allow fancy tricks like redirecting to different port numbers in NAT. By default, StilleBot will listen on all available addresses (IPv4 and IPv6); if this causes problems, explicitly select a listening address such as "0.0.0.0:6789" (any IPv4 address, no IPv6) or "192.168.1.1:443" (specific address - any other address won't be responsive). If encryption is handled externally to StilleBot, specifying a listen address of http://[ip:]port will cause all external addresses to still include the https protocol, but the bot will not look for certificates/private keys and will not attempt to encrypt its traffic.

Note that the server can use up to two certificates, certificate.pem and certificate_local.pem. The intention is, if the server is sharded, the main cert is shared among all shards, but the secondary is not. If the bot is not sharded, use a single cert for simplicity. It's fine for either or both of these certificates to have multiple domains, eg:

certbot certonly -d stillebot.com,stillebot.rosuav.com,mustardmine.com --standalone --key-type rsa

and the bot will correctly select a certificate accordingly.