In my lab, I used CentOS 7 for my Conjur OSS deployment.
This quick guide assumes you’ve completed the Conjur Quick-Start at https://www.conjur.org/get-started/quick-start. It also assumes you are in the conjur-quickstart directory.
In my lab, I use the public domain name oss.joegarcia.dev. Since .dev is an HSTS-preloaded TLD, Google Chrome refuses to load it over plain HTTP; the only way to reach it in Chrome is over HTTPS with a valid certificate.
Let’s start by getting certbot:
sudo yum install epel-release -y
sudo yum install certbot -y
sudo certbot certonly --standalone
Answer certbot’s questions and provide the domain name your Conjur OSS instance is reachable on. For the HTTP-01 challenge, port 80 must be open (and reachable by Let’s Encrypt’s validation servers) for the few moments certbot’s standalone web server is running.
Take note of where certbot stores your SSL certificates. In my case, they were located at /etc/letsencrypt/live/oss.joegarcia.dev. In your case, it will be /etc/letsencrypt/live/domain.com, where domain.com is the domain you provided to certbot when generating the certificates.
In the following steps, replace domain.com with the domain name you provided to certbot previously:
sudo cat /etc/letsencrypt/live/domain.com/cert.pem > conf/tls/cert.pem
sudo cat /etc/letsencrypt/live/domain.com/privkey.pem > conf/tls/privkey.pem
Note that cert.pem holds only the leaf certificate; if clients complain about an incomplete chain, copy fullchain.pem (leaf plus intermediate) into conf/tls/cert.pem instead. The copied private key is now owned by your user, so keep conf/tls/privkey.pem readable only by you (chmod 600).
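Before restarting the proxy it is worth confirming that the two files you just copied actually belong together, name your domain, and are not about to expire. The script below is an added example, not part of the original post or of Conjur; it assumes only that openssl is on PATH, and the check_tls_dir function, directory layout and domain name are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate and
# key copied into conf/tls before restarting the proxy. Assumes openssl is on PATH.

# check_pair CERT KEY -> succeeds only if the public key in CERT matches KEY
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT NAME -> succeeds if NAME is listed as a DNS subjectAltName
cert_has_san() {
  name=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -qE "DNS:$name(,|\$)"
}

# cert_expires_within CERT DAYS -> succeeds if CERT expires within DAYS days
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_tls_dir DIR DOMAIN: run all checks on DIR/cert.pem and DIR/privkey.pem,
# printing one line per check; returns non-zero if any hard check fails
check_tls_dir() {
  dir=$1 domain=$2 rc=0
  if check_pair "$dir/cert.pem" "$dir/privkey.pem"; then
    echo "ok: cert.pem and privkey.pem are a matching pair"
  else
    echo "FAIL: cert.pem does not match privkey.pem"; rc=1
  fi
  if cert_has_san "$dir/cert.pem" "$domain"; then
    echo "ok: $domain is in the certificate's SAN list"
  else
    echo "FAIL: $domain is not in the certificate's SAN list"; rc=1
  fi
  if cert_expires_within "$dir/cert.pem" 30; then
    echo "WARN: cert.pem expires within 30 days (Let's Encrypt certs last 90); renew and recopy"
  else
    echo "ok: cert.pem is valid for more than 30 days"
  fi
  return $rc
}

# Usage: sh check_tls.sh conf/tls oss.joegarcia.dev
if [ "$#" -ge 2 ]; then check_tls_dir "$1" "$2"; fi
```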
Next, we need to edit the docker-compose.yml file and point the proxy at the private key and certificate we just copied:
nano docker-compose.yml
In the proxy: section, change:
- ./conf/tls/nginx.key:/etc/nginx/nginx.key:ro
- ./conf/tls/nginx.crt:/etc/nginx/nginx.crt:ro
to:
- ./conf/tls/privkey.pem:/etc/nginx/nginx.key:ro
- ./conf/tls/cert.pem:/etc/nginx/nginx.crt:ro
Finally, restart the proxy container so it picks up the new files:
docker-compose up -d
You can now browse to https://domain.com:8443 and you should have a valid certificate from Let’s Encrypt! Remember that Let’s Encrypt certificates expire after 90 days: after each certbot renew, repeat the copy step above and restart the proxy again.