
HTTPS Deployment

To deploy the IXP with SSL certificates issued by Let's Encrypt and obtained via Certbot, download the latest https compose preset folder here.

After downloading the preset, unzip it, set the unzipped folder as your working directory, and follow the instructions below.

Certificate Generation

The certificates can be generated using the cert_script.sh script, which automates the process. The script will:

  1. generate or renew the SSL certificates for the specified domain,
  2. reload the Nginx configuration to apply the new certificates (if it is running).

Usage

  1. Ensure the script is executable:

    chmod +x ./cert_script.sh
    
  2. Invoke the script as follows, replacing the placeholders with their respective values:

    ./cert_script.sh <email-address> <domain>
    

    Example:

    ./cert_script.sh admin@inject.fi.muni.cz inject.fi.muni.cz
    

Notes:

  • By executing this script, you agree to Certbot's Terms of Service and Privacy Policy. Your email will be used for essential communication, such as expiration notices.

(Optional) Automatic Certificate Renewal

To ensure that your certificates are renewed automatically before they expire, you can set up a cron job to run the cert_script.sh script periodically.

Setting Up the Cron Job

  1. Open the crontab editor:

    crontab -e
    
  2. Add the following line to schedule the script to run on the 1st day of every month at midnight. Don't forget to replace the placeholders with their respective values:

    0 0 1 * * cd <project-root> && ./cert_script.sh <email-address> <domain> >> ./cert_renewal.log 2>&1
    

    Example:

    0 0 1 * * cd /home/inject/https && ./cert_script.sh admin@inject.fi.muni.cz inject.fi.muni.cz >> ./cert_renewal.log 2>&1
    

    If you want to be notified via email when the renewal process fails, you can modify the cron job to use a temporary log file:

    1. Make sure you have a working Postfix Service set up.

    2. Use the following cron job and add a MAILTO variable at the top of the crontab file to specify the recipient email address. Cron will then send an email with the output of the script if it fails:

      MAILTO=<your-email-address>
      0 0 1 * * cd <project-root> && ./cert_script.sh <email-address> <domain> > ./cert_renewal_tmp.log 2>&1 && cat ./cert_renewal_tmp.log >> ./cert_renewal.log || cat ./cert_renewal_tmp.log
      

      Example:

      MAILTO=admin@inject.fi.muni.cz
      0 0 1 * * cd /home/inject/https && ./cert_script.sh admin@inject.fi.muni.cz inject.fi.muni.cz > ./cert_renewal_tmp.log 2>&1 && cat ./cert_renewal_tmp.log >> ./cert_renewal.log || cat ./cert_renewal_tmp.log
      
  3. Save and exit the crontab editor.

  4. Check the logs to verify the cron job is running as expected:

    cat ./cert_renewal.log
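
With the email variant above, the output of a failed run goes only into the email and never reaches cert_renewal.log. The wrapper below is an added example, not part of the preset: it logs every run with a timestamp and exit status and prints output only on failure, so MAILTO still fires only for failures. The names `renew_wrapper.sh` and `run_renewal` are hypothetical, and it assumes cert_script.sh exits non-zero on failure, as the cron lines above already do.

```shell
#!/bin/sh
# Added example: cron wrapper around the page's cert_script.sh.
# "renew_wrapper.sh" and "run_renewal" are hypothetical names, not part of the preset.
# Assumed crontab line (MAILTO set at the top of the crontab, as on the page):
#   0 0 1 * * /path/to/renew_wrapper.sh <project-root> <email-address> <domain>

# run_renewal <project-root> <email-address> <domain>
# Runs in a subshell so the caller's working directory is left untouched.
run_renewal() (
    root=$1; email=$2; domain=$3
    if [ -z "$root" ] || [ -z "$email" ] || [ -z "$domain" ]; then
        echo "usage: run_renewal <project-root> <email-address> <domain>"
        exit 2
    fi
    cd "$root" || exit 2

    # New log and temp files are created readable by the cron user only.
    umask 077
    # Unpredictable temp name, so overlapping runs never share a file.
    tmp=$(mktemp ./cert_renewal_tmp.XXXXXX) || exit 2

    # Capture stdout and stderr; remember the exit status instead of aborting.
    status=0
    ./cert_script.sh "$email" "$domain" > "$tmp" 2>&1 || status=$?

    # Always append to the persistent log, with a UTC timestamp and the status,
    # so failed runs are recorded too.
    {
        echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') domain=$domain exit=$status ==="
        cat "$tmp"
    } >> ./cert_renewal.log

    # Print only on failure: cron mails any output to MAILTO, so success is silent.
    if [ "$status" -ne 0 ]; then
        echo "Certificate renewal for $domain failed (exit $status):"
        cat "$tmp"
    fi

    rm -f "$tmp"
    exit "$status"
)

# When called with arguments (for example from cron), perform one run.
if [ "$#" -gt 0 ]; then
    run_renewal "$@"
    exit $?
fi
```
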
    

Rootless Docker

If you are using Rootless Docker, you'll have to pass the DOCKER_HOST variable to the script in the cron job. First, find the value of DOCKER_HOST by running the following command:

    echo "$DOCKER_HOST"

Then, modify the cron job to include the DOCKER_HOST variable.

Without the email notification, the cron job would look like this:

    0 0 1 * * cd <project-root> && DOCKER_HOST="<docker-host>" ./cert_script.sh <email-address> <domain> >> ./cert_renewal.log 2>&1

With the email notification, it would look like this:

    MAILTO=<your-email-address>
    0 0 1 * * cd <project-root> && DOCKER_HOST="<docker-host>" ./cert_script.sh <email-address> <domain> > ./cert_renewal_tmp.log 2>&1 && cat ./cert_renewal_tmp.log >> ./cert_renewal.log || cat ./cert_renewal_tmp.log

Next Steps

After adding the certificates, proceed with the installation as described in the installation guide.