SSL for your Server

Florian Quirin edited this page Sep 25, 2019 · 19 revisions

Securing your server

To make your server available to the outside world you need a domain and an SSL certificate. Here you will find some ideas and support to get started. Also make sure that you have set up your network router with port-forwarding as described here: router port-forwarding.

SSL with DuckDNS and Let's Encrypt (currently Linux only)

The easiest way to secure your SEPIA-Home server is to obtain a free domain via the dynamic DNS service DuckDNS and get a free SSL certificate from Let's Encrypt.
The advantage of using DuckDNS is that you can do a DNS challenge to prove your domain ownership to Let's Encrypt, meaning that you don't have to set up any complicated access to your server from the outside world (technically you just add a TXT record to your DNS zone, which can be done via the DuckDNS API).

1) Set up DuckDNS and get your Let's Encrypt certificate

  • Get an account at https://www.duckdns.org/ (free, e.g. via GitHub account)
  • Define your domain (e.g. https://my-fancy-sepia-server.duckdns.org) in your DuckDNS settings
  • Write down the access token given by DuckDNS
  • Open your SEPIA-Home installation and start the setup script (setup.sh for Linux)
  • Choose: 'Setup dynamic DNS with DuckDNS' and enter your DuckDNS domain and access token
  • Open the ~/SEPIA/letsencrypt folder and start the run-certbot-duckdns.sh script
  • Enter a valid E-mail address to get important updates from Let's Encrypt (e.g. when to renew your certificate)
  • If you see no critical errors, your own DuckDNS domain should now point to your SEPIA-Home server
  • Continue with step 2a if you use the SEPIA reverse-proxy or 2b if you use Nginx

2a) Set up the SEPIA reverse-proxy to use your SSL certificate

  • Run ~/SEPIA/letsencrypt/copy-cert-to-keystore.sh to convert the Let's Encrypt certificate to a Java-compatible version
  • Make sure your proxy settings are pointing to the correct SSL files (see properties file of SEPIA-Proxy) and run the proxy with SSL support

2b) Set up Nginx to use your SSL certificate

  • Run ~/SEPIA/setup-nginx.sh
  • Check the config file created during setup to make sure everything worked as advertised. The script should also have restarted Nginx for you.

Finalize

  • Restart your SEPIA-Home server to activate the DuckDNS worker that will keep your domain in sync with your IP
  • Todo: set up correct Let's Encrypt renewal script (e.g. via cronjob)

If you use the default proxy settings set by SEPIA your server should be available via one of the following links:

https://[my-duck-dns-domain]:20726/sepia/assist/app/index.html
host name for server:
https://[my-duck-dns-domain]:20726/sepia

or (if all your SSL traffic on port 443 is redirected):

https://[my-duck-dns-domain]/sepia/assist/app/index.html
host name for server:
https://[my-duck-dns-domain]/sepia
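
Since the Finalize list leaves certificate renewal as a todo, a small check like the following can be run from a cronjob to report when the certificate your server actually serves needs renewing. It is an added example, not part of SEPIA: the function names and the 30-day threshold are assumptions, and the port in the usage comment is the default proxy port from the links above.

```python
import socket
import ssl
import sys
import time

# Assumption: renew once fewer than 30 days remain
# (Let's Encrypt certificates are valid for 90 days).
RENEW_BELOW_DAYS = 30


def days_left(not_after, now=None):
    """Whole days until notAfter, negative once the certificate has expired."""
    # not_after has the getpeercert() format, e.g. 'Dec 24 12:00:00 2019 GMT'.
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def renewal_status(not_after, now=None):
    """Classify a notAfter date as 'ok', 'renew' or 'expired'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "renew" if remaining < RENEW_BELOW_DAYS else "ok"


def fetch_not_after(host, port=443, timeout=10.0):
    """Connect like a normal client and return the served notAfter string."""
    # The default context verifies chain and host name, so an expired,
    # self-signed or mismatched certificate raises an ssl.SSLError here.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Usage: python3 check_cert.py my-fancy-sepia-server.duckdns.org 20726
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        not_after = fetch_not_after(host, port)
    except (ssl.SSLError, OSError) as err:
        sys.exit(f"{host}:{port} TLS check failed: {err}")
    status = renewal_status(not_after)
    print(f"{host}:{port} expires {not_after} -> {status}")
    sys.exit(0 if status == "ok" else 1)
```

The script exits non-zero when renewal is due or the TLS handshake fails, so a cronjob can mail or log the output.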

Done :-)