SSL Certificates

Setting up a Let’s Encrypt SSL Certificate

Rasa Platform works well with a free, browser-trusted TLS certificate from Let’s Encrypt.

Requirements:

  • a notification email address (Let’s Encrypt uses it for urgent renewal and security notices)
  • a domain name for the installation (in this example we use rasa.example.com) whose DNS record points at this machine - certbot cannot obtain a certificate for a bare IP address, so you cannot set up SSL without DNS

Note

Changing the system’s DNS entries will cause downtime.

We will use certbot to generate the certificates. Run the following to install the tool on an Ubuntu machine (the steps need to be adapted for other Linux distributions; note that the ppa:certbot/certbot PPA used here has since been retired, so on current Ubuntu releases install certbot from the distribution’s own repositories or as a snap instead):

  1. SSH into the machine
  2. run the following commands to install certbot:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

certbot offers several ways to obtain a certificate. We use the standalone option, which spins up a temporary web server, because it needs no additional configuration. Its one prerequisite is that the Rasa Platform must be stopped first: the temporary web server has to bind the port on which the ACME challenge is validated (port 443 for the TLS-SNI-01 challenge that this certbot version selected by default; port 80 for the HTTP-01 challenge that current certbot versions use, since TLS-SNI-01 has been retired), and the Platform normally listens there. To stop the Platform, run:

$ sudo docker-compose down

Now, run the following to start the interactive process to obtain the SSL certificate:

$ sudo certbot certonly

It’ll first ask you to pick the authentication method:

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

Here, pick 1 and press return.

Then, fill in the aforementioned email address:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): ops@example.com

Then, accept the Terms of Service and decide whether you’d like to share your email address with the EFF:

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N

In the last step, enter your domain name:

Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): rasa.example.com

Once that has finished successfully, you will see a message similar to this one:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/rasa.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/rasa.example.com/privkey.pem
   Your cert will expire on 2018-02-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

The certificate chain and private key are now stored under /etc/letsencrypt/live/rasa.example.com/ (the files there are symlinks to the current versions in /etc/letsencrypt/archive/, which cp follows). privkey.pem is the private key for your domain: after copying it, make sure it stays readable by root only, and never check it into a repository or copy it anywhere the Platform does not need it. Run the following to copy both files to the directory the Docker container reads them from:

$ sudo cp /etc/letsencrypt/live/rasa.example.com/privkey.pem /etc/rasaplatform/certs/
$ sudo cp /etc/letsencrypt/live/rasa.example.com/fullchain.pem /etc/rasaplatform/certs/

After you have copied these files, restart the Rasa Platform:

$ sudo docker-compose up -d

Let’s Encrypt certificates are short-lived: they expire after 90 days, so you have to renew them regularly. certbot can do this as well. Note that certbot renew only updates the files under /etc/letsencrypt/; the renewed fullchain.pem and privkey.pem must be copied to /etc/rasaplatform/certs/ again, exactly as above, before the Platform is started, otherwise it keeps serving the old certificate until that expires. Run the following commands to renew your certificate:

Note

Be aware that the renewal process also introduces downtime, for as long as the Platform is stopped.

$ sudo docker-compose down
$ sudo certbot renew
$ sudo cp /etc/letsencrypt/live/rasa.example.com/privkey.pem /etc/rasaplatform/certs/
$ sudo cp /etc/letsencrypt/live/rasa.example.com/fullchain.pem /etc/rasaplatform/certs/
$ sudo docker-compose up -d

These renewals should be automated with a cron job rather than done by hand, so that a forgotten renewal cannot take the Platform offline with an expired certificate.
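As an added example (it is not part of the Rasa Platform documentation or of certbot), the following script automates both the copy step from the previous section and the renewal described above. It assumes the paths used on this page (/etc/letsencrypt/live/rasa.example.com and /etc/rasaplatform/certs/), assumes that docker-compose.yml lives in /etc/rasaplatform (adjust COMPOSE_DIR if it does not), and uses certbot’s --pre-hook, --deploy-hook and --post-hook options so that the Platform is stopped only on the runs where a certificate is actually due for renewal, with the renewed files copied into place and sanity-checked before the Platform comes back up:

```shell
#!/bin/sh
# renew-rasa-certs.sh: hypothetical helper, not part of Rasa Platform or certbot.
#
# Usage:  renew-rasa-certs.sh renew     # run from cron
#         renew-rasa-certs.sh deploy    # run by certbot via --deploy-hook
#
# Crontab entry for root (sudo crontab -e):
#   17 3 * * *  /usr/local/bin/renew-rasa-certs.sh renew >>/var/log/rasa-cert-renew.log 2>&1
set -eu

# Assumed paths; adjust to your installation.
DOMAIN="${DOMAIN:-rasa.example.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
CERT_DIR="${CERT_DIR:-/etc/rasaplatform/certs}"
COMPOSE_DIR="${COMPOSE_DIR:-/etc/rasaplatform}"   # where docker-compose.yml lives (assumption)

# install_certs SRC DST: copy fullchain.pem and privkey.pem from SRC into DST and
# lock down the key. Fails without touching DST if either file is missing.
install_certs() {
    src="$1"; dst="$2"
    for f in fullchain.pem privkey.pem; do
        [ -f "$src/$f" ] || { echo "install_certs: $src/$f missing" >&2; return 1; }
    done
    mkdir -p "$dst"
    # cp follows the symlinks in live/, so the container gets regular files
    cp "$src/fullchain.pem" "$src/privkey.pem" "$dst/"
    chmod 644 "$dst/fullchain.pem"
    chmod 600 "$dst/privkey.pem"   # private key: owner (root) only
}

# key_matches_cert CERT KEY: true if the public key in CERT is the one derived
# from KEY. Works for RSA and ECDSA keys, unlike a modulus comparison, and
# fails (rather than matching two empty strings) if either file is unreadable.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_valid_for CERT DAYS: true if CERT does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# deploy: what certbot runs after a successful renewal, while the Platform is down.
deploy() {
    install_certs "$LIVE_DIR" "$CERT_DIR"
    key_matches_cert "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" \
        || { echo "deploy: key does not match certificate in $CERT_DIR" >&2; return 1; }
    cert_valid_for "$CERT_DIR/fullchain.pem" 30 \
        || { echo "deploy: freshly deployed certificate expires within 30 days" >&2; return 1; }
}

# renew: certbot runs the hooks only when a certificate is actually due, so the
# Platform is stopped on renewal days only, not on every cron run.
renew() {
    certbot renew \
        --pre-hook "cd '$COMPOSE_DIR' && docker-compose down" \
        --deploy-hook "'$(readlink -f "$0")' deploy" \
        --post-hook "cd '$COMPOSE_DIR' && docker-compose up -d"
}

case "${1:-}" in
    renew)  renew ;;
    deploy) deploy ;;
    "")     ;;   # no argument: only define the functions
    *)      echo "usage: $0 renew|deploy" >&2; exit 2 ;;
esac
```

Install it as /usr/local/bin/renew-rasa-certs.sh, make it executable, and add the crontab entry from the header comment. On runs where nothing is due, certbot renew exits without running any hook, so there is no downtime at all. The two checks in deploy catch the failure modes that otherwise surface only as a TLS error in the browser: a key that does not belong to the copied chain, and a stale live/ directory that still holds an expiring certificate.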