Please Note This forum exists for community support for the Mango product family and the Radix IoT Platform. Although Radix IoT employees participate in this forum from time to time, there is no guarantee of a response to anything posted here, nor can Radix IoT, LLC guarantee the accuracy of any information expressed or conveyed. Specific project questions from customers with active support contracts are asked to send requests to support@radixiot.com.

Radix IoT Website Mango 3 Documentation Website Mango 4 Documentation Website

Has anyone used "Let's Encrypt" for HTTPS - SSL? Any Suggestions?


  • Hello-

    Just curious if anyone has used a Let's Encrypt cert to support HTTPS vs. self signed? If so, did you use Certbot and a plugin? Any information you could provide regarding the process would be much appreciated.
    Thank you

    -mike


  • I have used it in the past, it was a fair while ago. Here's what I remember

    • Mango must be web accessible
    • You have to restart Mango after installing the new certificate
    • I think I used the older client, the predecessor to Certbot
    • I wrote a simple script (and ran it using cron) to create a Java compatible certificate and copy it to the right location

  • Thank you, Jared. I will give it a try. I originally used a self-signed cert per the instructions here https://help.infiniteautomation.com/installation-configuration/?rq=SSL#ssl-properties
    (I think there is a typo '-storepass changei')

    Then created a SymLink for ALPN in ext-enabled to ext-available. Documentation on this is pretty slim, or I am looking in the wrong spot.
    https://help.infiniteautomation.com/using-startup-extensions/?rq=ext

    HTTPS was working on 8443, but prevented HTTP Receiver from working. When setting ssl.on=false and logging in on port 8080 I unable to login and receive this error -
    An error occurred while logging in - Could not verify the provided CSRF token because your session was not found.

    Using another browser, I am able to login on 8080 without issue.

    1. Is that the correct way to enable an extension?
    2. Is there another step required to reset sessions on the server side?

    Thank you.


  • In my experience of using let's encrypt with a java based web platform. I utilised apache and a proxy to tie the two together. From the outside it looked like you were accessing via HTTPS 443 but internally it would connect to whatever port the system ran on. Saved a lot of fluffing with making a java compatible cert and meant you weren't fiddling with java options that could cause instability if configured incorrectly.


  • @wingnut2-0 said in Has anyone used "Let's Encrypt" for HTTPS - SSL? Any Suggestions?:

    An error occurred while logging in - Could not verify the provided CSRF token because your session was not found.
    Using another browser, I am able to login on 8080 without issue.

    This occurs because you logged in or tried to login using HTTPS then switched back to HTTP. When on HTTP the server tries to set a cookie for CSRF protection but can't as it can't overwrite the one set when using HTTPS. If you clear the cookies in the developer tools (Ctrl-Shift-I) you'll be fine.

    0_1501518162435_744df574-68cc-41e5-8bdf-a52319932604-image.png

    @wingnut2-0 said in Has anyone used "Let's Encrypt" for HTTPS - SSL? Any Suggestions?:

    Is that the correct way to enable an extension?

    Yes.


  • @mattfox said in Has anyone used "Let's Encrypt" for HTTPS - SSL? Any Suggestions?:

    In my experience of using let's encrypt with a java based web platform. I utilised apache and a proxy to tie the two together. From the outside it looked like you were accessing via HTTPS 443 but internally it would connect to whatever port the system ran on. Saved a lot of fluffing with making a java compatible cert and meant you weren't fiddling with java options that could cause instability if configured incorrectly.

    This is certainly an option and will make it easier to use Lets Encrypt as their client allows updating Apache's certificate automatically.


  • @mattfox Hi MattFox

    Could you please elaborate on what proxies you used, I'm hoping I can use Nginx to reverse proxy the HTTPS traffic to the mango web server. Is that by any chance what you did ? Any idea if i'm going in the right direction here ?


  • As I used Apache it will be different from nginx, you've got to allow proxy changes for both http and websockets. In my case it was mod_proxy,mod_proxy_http and mod_proxy_wstunnel. You use the normal ports as the web service acts at the SSL handler on mango's behalf. I chose this route because it meant I could run web based services and mango on the same server.


  • So does HTTP Receiver still works after enabling SSL setting in https://help.infiniteautomation.com/installation-configuration/?rq=SSL#ssl-properties?

    Is it possible to setup HTTP Receiver to receive encrypted HTTP POST?


  • Hi ricardo,

    Yes the HTTP receiver still works through https

    I just tested a Mango running with a selfsigned certificate and I was able to get values into my JSON receiver point with identifier /key by both

    #HttpPost.txt
    POST /httpds HTTP/1.1
    User-Agent: Mango M2M2 HTTP Sender publisher
    Content-Length: 15
    Content-Type: application/json
    Host: localhost:8088
    Connection: Keep-Alive
    
    {"key":"value"}
    
    

    nc 127.0.0.1 8080 < HttPost.txt

    and via curl to the SSL port,

    curl -v -k -H "Content-Type: application/json" -d "{\"key\":\"value2\"}" https://127.0.0.1:8443/httpds
    

    Note that I'm using 127.0.0.1 instead of localhost, which can resolve to ::1 which doesn't pass the whitelist check. Whitelisting for IPv6 addresses was added to Mango 3.5 but the entry *:*:*:*:*:*:*:* is not present by default yet.