Using Let's Encrypt's Certbot Certificates with ArangoDB

We use ArangoDB to store STIX intelligence. If you use some of our open-source tools, you likely do too.

I’ve recently started using our instances with Let’s Encrypt’s certificates.

Follow these steps to create and use an SSL certificate with ArangoDB.

1. Install Certbot from Let’s Encrypt (see the Certbot instructions)

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update

sudo apt-get install certbot

2. Generate the certificate

Run certbot and answer the prompted questions.

sudo certbot certonly

3. Create the certificate/key bundle required by ArangoDB

ArangoDB requires a single file containing the certificate chain as well as the private key.

cd /etc/letsencrypt/live/example.com  # replace example.com with your domain
cat fullchain.pem privkey.pem > server.pem

4. Grant access to user arangodb

Make sure the ArangoDB user (usually arangodb) can read the server.pem and fullchain.pem files. server.pem contains the private key, so no other unprivileged user should be able to read it.

chown -R arangodb:arangodb /etc/letsencrypt/*  # depending on your system

5. Configure ArangoDB to use the certificate

vi /etc/arangodb3/arangod.conf

A. Add the endpoint to the [server] block

[server]
endpoint = ssl://example.com:8529

B. Create the [ssl] block before any other block

[ssl]
cafile = /etc/letsencrypt/live/example.com/fullchain.pem
keyfile = /etc/letsencrypt/live/example.com/server.pem

C. Save & close

6. Restart the server

service arangodb3 restart
service arangodb3 status  # make sure it's running

7. Set a cron job for auto renewal for the cert

Create the file /etc/letsencrypt/hooks.sh and paste in the following (replace example.com):

cat /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem > /etc/letsencrypt/live/example.com/server.pem
echo 'OK: example.com'
service arangodb3 restart
echo 'OK: arangodb3 restart'

Edit cronjobs:

vi /etc/crontab

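Add job for renewal (the hour field must be 0-23; the deploy hook runs hooks.sh after each successful renewal so that server.pem is rebuilt):

43 4    * * *   root    certbot renew --deploy-hook "sh /etc/letsencrypt/hooks.sh"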
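A more defensive version of the hook from step 7, as an added example that is not part of the original post: it checks both inputs, writes the bundle with owner-only permissions and swaps it in atomically before restarting ArangoDB. The helper name build_bundle and the arangodb:arangodb owner are assumptions; it is meant to be run through certbot's --deploy-hook option, which sets RENEWED_LINEAGE.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds the ArangoDB bundle safely.
# Assumed names: build_bundle (hypothetical helper), owner arangodb:arangodb.

# build_bundle LIVE_DIR OUT_FILE [OWNER]
# Writes fullchain.pem + privkey.pem to OUT_FILE with mode 0600, atomically.
build_bundle() {
    live_dir=$1; out=$2; owner=${3:-}
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    # Refuse to publish a bundle built from missing or truncated inputs.
    grep -q 'BEGIN CERTIFICATE' "$chain" 2>/dev/null ||
        { echo "no certificate in $chain" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "no private key in $key" >&2; return 1; }

    # mktemp creates the file with mode 0600, so the key is never exposed
    # under a permissive umask the way a plain `cat ... > server.pem` can be.
    tmp=$(mktemp "$(dirname "$out")/.bundle.XXXXXX") || return 1
    if cat "$chain" "$key" > "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; }; then
        # Rename within one directory is atomic: arangod never reads a
        # half-written bundle.
        mv -f "$tmp" "$out"
    else
        rm -f "$tmp"
        return 1
    fi
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy
# hooks; outside certbot this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_bundle "$RENEWED_LINEAGE" "$RENEWED_LINEAGE/server.pem" \
        arangodb:arangodb && service arangodb3 restart
fi
```

The arangodb user still needs search permission on the directories leading to the bundle, which is what step 4 addresses.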
