Configuring HTTPS
GGCE API and web application traffic must be secured with SSL certificates, with the endpoints accessible only over HTTPS. Enabling HTTPS involves the following steps:
- Register the GGCE domain names in the DNS
- Generate a new SSL private key and a Certificate Signing Request (CSR)
  - On Windows you can use IIS to generate and sign certificates and skip the remaining steps
- Submit the CSR to a Certificate Authority for signature
- Apply the signed certificate and private key to GGCE
DNS names
GGCE requires two names to be registered in your organization's DNS: one for the GGCE web interface and one for the API server.
First, pick a name where users will access the web interface. Here are some suggestions, assuming that the internal network domain is internal.lan:
- ggce.genebank.internal.lan
- ggce.internal.lan
- pick-your-own.internal.lan
The name for the API server can be one of:
- ggce-api.genebank.internal.lan
- ggce-api.internal.lan
- pick-your-own-api.internal.lan
Ask your network administrator to add the two names to the DHCP/DNS server as CNAME records pointing to your Docker host.
Generate a Certificate Signing Request
Use the configuration template ggce-ssl.conf shown below to specify the details of the GGCE certificate: the subject, the key usage, and the subject alternative names, which must be the two DNS names registered above. Update the configuration according to your needs.
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
# prompt = no takes the subject fields from this file instead of asking interactively
prompt = no

[req_distinguished_name]
C = DE
O = Crop Trust
OU = Genebank
CN = GGCE
# Config keys must be unique, so a repeated attribute gets a numeric prefix (0.DC, 1.DC, ...)
DC = lan
0.DC = internal

[req_ext]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
# Clients match the host name against the SAN list, not the CN, so both DNS names go here
subjectAltName = @alt_names

[alt_names]
DNS.1 = ggce.internal.lan
DNS.2 = ggce-api.internal.lan
Create a new private key in ggce.key and a CSR in ggce.req to be submitted to the Certificate Authority for signature:
openssl req -out ggce.req -keyout ggce.key -newkey rsa:2048 -nodes -sha256 -config ggce-ssl.conf
OpenSSL is installed on Linux and Mac systems and is available for Windows; it provides the openssl command. Note that -nodes writes ggce.key unencrypted, so restrict read access to that file: it is the private key GGCE will serve with.
Sign the CSR
The Domain Controller (DC) on your network usually provides Certificate Services and a CA certificate that is trusted by all computers in the domain.
If the signing command below fails with "Certificate not issued (Denied) Denied by Policy Module The permissions on the certificate template do not allow the current user to enroll for this type of certificate.", cmd.exe needs to be started with "Run as..." as a user with Domain Administrator privileges.
Send the ggce.req file to your Domain Administrator. They will sign the CSR by running the following command in cmd.exe:
certreq -submit -attrib "CertificateTemplate:WebServer" ggce.req ggce.pem
This command will prompt the Domain Administrator to select the signing CA and will save the signed certificate as ggce.pem. The Administrator should send this file back; it then needs to be added to the traefik/ subfolder.
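The CSR step and the checks on the returned certificate, as an added example that is not part of the GGCE documentation: it writes an inline copy of the ggce-ssl.conf template, runs the same openssl req command as above, confirms that the CSR carries both DNS names, then signs it with a constructed throwaway CA (a stand-in for the Domain Administrator's certreq step, not your domain CA) and checks the resulting certificate the way the real ggce.pem should be checked before it goes into traefik/: the public key matches ggce.key, both names appear in the SAN list, and the certificate chains to the issuing CA. The WORKDIR variable, the temporary directory and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the GGCE documentation: key + CSR from an inline copy
# of the ggce-ssl.conf template, signed by a constructed test CA (a stand-in for
# the domain CA), followed by the checks worth running on a returned certificate.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Inline copy of the page's config; the DNS names are the ones used on the page.
write_server_config() {
  cat > "$1" <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[req_distinguished_name]
C = DE
O = Crop Trust
OU = Genebank
CN = GGCE
[req_ext]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ggce.internal.lan
DNS.2 = ggce-api.internal.lan
EOF
}

# Constructed test CA config (stand-in for the Certificate Services CA).
write_ca_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Test CA (constructed)
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Same openssl req invocation as the page: $1=config, $2=CSR out, $3=key out.
make_csr() { openssl req -out "$2" -keyout "$3" -newkey rsa:2048 -nodes -sha256 -config "$1" 2>/dev/null; }

# Returns 0 if the SAN list of a CSR ($1=req) or certificate ($1=x509) in $2 names $3 exactly.
san_lists() {
  pat=$(printf '%s' "$3" | sed 's/\./\\./g')
  openssl "$1" -in "$2" -noout -text | grep -Eq "DNS:$pat(,|[[:space:]]|\$)"
}

# Returns 0 if the certificate's public key is the one derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Returns 0 if the certificate chains to the CA bundle, which is what clients verify.
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

run_demo() {
  d="$1"
  write_server_config "$d/ggce-ssl.conf"
  write_ca_config "$d/ca.cnf"
  make_csr "$d/ggce-ssl.conf" "$d/ggce.req" "$d/ggce.key"
  # Check the CSR before sending it to the Domain Administrator.
  san_lists req "$d/ggce.req" ggce.internal.lan
  san_lists req "$d/ggce.req" ggce-api.internal.lan
  # Stand-in for the Domain Administrator's certreq step: a throwaway CA signs the CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl x509 -req -in "$d/ggce.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$d/ggce-ssl.conf" -extensions req_ext -out "$d/ggce.pem" 2>/dev/null
  # Checks on the returned certificate before it goes into traefik/.
  cert_matches_key "$d/ggce.pem" "$d/ggce.key"
  san_lists x509 "$d/ggce.pem" ggce.internal.lan
  san_lists x509 "$d/ggce.pem" ggce-api.internal.lan
  cert_chains_to "$d/ggce.pem" "$d/ca.pem"
  echo "all checks passed in $d"
}

run_demo "$WORKDIR"
```

Against a real ggce.pem, call the three check functions with ggce.pem, ggce.key and your CA's certificate. If cert_matches_key fails, the CSR that was signed does not belong to the key on disk (for example because the CSR was regenerated after it was sent), and the certificate cannot be used with ggce.key.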
Alternatives
If you do not have a CA available for your domain, you can use a self-signed CA. Contact support+ssl@ggce.genesys-pgr.org for assistance.