For those using stix2arango, arango_taxii_server, or arango_cti_processor on the community version of ArangoDB, here’s how to install free Let’s Encrypt certificates.
1. Install Certbot from Let’s Encrypt (Certbot instructions)
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
2. Generate the certificate
Run certbot and answer the prompted questions.
sudo certbot certonly
3. Create the certificate/key bundle required by ArangoDB
ArangoDB requires a single file containing the certificate chain as well as the private key.
cd /etc/letsencrypt/live/example.com # replace example.com with your domain
cat fullchain.pem privkey.pem > server.pem
4. Grant access to user arangodb
Make sure the ArangoDB user (usually arangodb) can read the server.pem and fullchain.pem files. server.pem contains the private key, so no other unprivileged user should be able to read it.
chown -R arangodb:arangodb /etc/letsencrypt/* # depending on your system
5. Configure ArangoDB to use the certificate
vi /etc/arangodb3/arangod.conf
A. Add the endpoint to the [server] block
[server]
endpoint = ssl://example.com:8529
B. Create the [ssl] block before any other block
[ssl]
cafile = /etc/letsencrypt/live/example.com/fullchain.pem
keyfile = /etc/letsencrypt/live/example.com/server.pem
C. Save & close
6. Restart the server
service arangodb3 restart
service arangodb3 status # make sure it's running
7. Set a cron job to auto-renew the certificate
Create the file /etc/letsencrypt/hooks.sh and paste in the following (replace example.com):
cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/letsencrypt/live/example.com/server.pem
echo 'OK: www.example.org'
service arangodb3 restart
echo 'OK: arangodb3 restart'
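Edit the system crontab:
vi /etc/crontab
Add a job for renewal (cron's hour field must be 0-23; the deploy hook runs the script above after each successful renewal, so server.pem is rebuilt and ArangoDB restarted):
43 4 * * * root certbot renew --deploy-hook "sh /etc/letsencrypt/hooks.sh"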
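A hardened variant of the bundle step (steps 3, 4 and the renewal hook in step 7), as an added example that is not part of the original post. A plain `cat ... > server.pem` creates the file with the default umask and truncates the live bundle in place; this version validates the inputs, writes the bundle with mode 600, and swaps it in atomically. The function name `build_bundle` and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: build_bundle,
# its LIVE_DIR argument and the optional OWNER argument.
#
# build_bundle LIVE_DIR [OWNER]
#   LIVE_DIR  directory holding fullchain.pem and privkey.pem
#   OWNER     user:group to own server.pem (chown needs root); optional
build_bundle() {
    live_dir=$1
    owner=${2:-}
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    # Refuse missing, empty or wrong-type inputs, so a failed renewal
    # never replaces a working bundle with a broken one.
    [ -s "$chain" ] && [ -s "$key" ] ||
        { echo "missing input in $live_dir" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" ||
        { echo "no certificate in $chain" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }

    # Build in a temp file beside the target. It is created owner-only,
    # so the key is never readable by other users, even briefly.
    tmp=$(umask 077; mktemp "$live_dir/server.pem.XXXXXX") || return 1
    cat "$chain" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi

    # rename() within one directory is atomic: ArangoDB sees either the
    # old bundle or the complete new one, never a partial file.
    mv -f "$tmp" "$live_dir/server.pem"
}

# Usage inside /etc/letsencrypt/hooks.sh (replace example.com):
#   build_bundle /etc/letsencrypt/live/example.com arangodb:arangodb \
#       && service arangodb3 restart
```
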
Related / sources:
- Certbot instructions
- StackOverflow: ArangoDB working together with letsencrypt certificates
- StackOverflow: Arangod.conf for SSL