Configuring HTTPS for Unravel (Transport Layer Security, TLS)
You must do the following to configure HTTPS for Unravel:
Check and fulfill the prerequisites.
Important
Before you configure HTTPS for Unravel, ensure that you have the server certificate, key, and any intermediate certificate that is needed to validate the trust chain.
If the root certificate is not from a known certificate authority, it will have to be manually trusted.
Prerequisites
You must have the following handy. Ensure that these files are available on the Unravel server.
Server certificate
Key for the server certificate and its password, if it is encrypted.
Any intermediate certificate that is required to complete the trust chain.
The following certificate formats are supported:
PEM (.pem)
JKS (.jks)
PKCS12 (pkcs12, .p12, .pfx)
Enable TLS for Unravel
Stop Unravel.
<unravel_installation_directory>/unravel/manager stop
Configure the key and certificate.
<unravel_installation_directory>/unravel/manager config tls set /path/to/key.pem /path/to/certificate.pem /path/to/intermediate.pem --key-password <password>
Note
The command accepts the following file formats and relies on the extension to identify the format:
PEM (.pem)
JKS (.jks)
PKCS12 (pkcs12, .p12, .pfx)
If you are using a different file extension, you must specify the file as follows:
--pem <filename>
--jks <filename>
--pkcs12 <filename>
Enable TLS.
<unravel_installation_directory>/unravel/manager config tls enable
Apply the configuration.
<unravel_installation_directory>/unravel/manager config apply
Verify the TLS configuration:
<unravel_installation_directory>/unravel/manager verify tls
The following are some of the error messages that you may see when you run the verify tls command:
Error shown for a missing intermediate certificate:
Errors: - [20, 0, 'unable to get local issuer certificate'] Can't find issuer: /C=US/ST=California/O=Unravel/OU=Engineering/CN=TEST-INTERMEDIATE-CA
Error shown for unknown root certificate that needs to be trusted:
Errors: - [19, 2, 'self signed certificate in certificate chain'] Untrusted root certificate: /C=US/ST=California/O=Unravel/OU=Engineering/L=San Francisco/CN=TEST-ROOT-CA
Any errors related to the key and server certificate validity should be resolved with the config tls set command.
Any errors related to finding the issuer of a certificate:
You can resolve the error for an intermediate certificate by passing the needed certificate to config tls set.
You can resolve the error for a root certificate by trusting the root certificate. See Truststore certificates.
Start Unravel.
<unravel_installation_directory>/unravel/manager start
You must have the following files handy. Ensure that these files are available on the Unravel server.
SERVER.pem: The server certificate
KEY.pem: The key for the server certificate
INTERMEDIATE.pem: Optionally, the trust chain for the server certificate (you can merge this with the server certificate).
/opt/unravel/manager stop
/opt/unravel/manager config tls set /path/to/KEY.pem /path/to/SERVER.pem /path/to/INTERMEDIATE.pem --key-password the-password
/opt/unravel/manager config tls enable
/opt/unravel/manager config apply
/opt/unravel/manager verify tls
/opt/unravel/manager start
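A pre-flight check you can run on the key, server certificate and intermediate before passing them to config tls set, as an added example that is not part of Unravel or its documentation. It uses the openssl CLI to confirm that the key belongs to the certificate and to classify chain problems by the same OpenSSL verification codes (20 and 19) that appear in the errors above. The function names, the KEY_PASSWORD variable and the generated test chain are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files handed to `manager config tls set`.
# Requires the openssl CLI. All certificates generated below are constructed test data.

# Succeed only when the private key and the server certificate carry the same public key.
# An encrypted key is unlocked from the KEY_PASSWORD environment variable (assumed name).
key_matches_cert() {  # $1 = key.pem  $2 = certificate.pem
  k=$(openssl pkey -in "$1" -pubout ${KEY_PASSWORD+-passin env:KEY_PASSWORD} 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Classify the chain: ok, missing-intermediate (code 20), untrusted-root (code 19).
chain_status() {  # $1 = certificate.pem  $2 = trusted roots (PEM)  $3 = optional intermediates
  out=$(openssl verify -CAfile "$2" ${3:+-untrusted "$3"} "$1" 2>&1) && { echo ok; return 0; }
  case $out in
    *"error 20 "*) echo missing-intermediate ;;
    *"error 19 "*) echo untrusted-root ;;
    *) echo other-error ;;
  esac
  return 1
}

# Build a constructed root -> intermediate -> server chain in directory $1.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=TEST-ROOT-CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=TEST-INTERMEDIATE-CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/INTERMEDIATE.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=unravel.example.test" \
    -keyout "$d/KEY.pem" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/INTERMEDIATE.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/SERVER.pem" 2>/dev/null
}
```

For real files, call key_matches_cert and chain_status with the same key, certificate and intermediate that you pass to config tls set, plus the root certificate your clients trust.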
Disable TLS for Unravel
Stop Unravel.
<unravel_installation_directory>/unravel/manager stop
Disable TLS.
<unravel_installation_directory>/unravel/manager config tls disable
Apply the configuration.
<unravel_installation_directory>/unravel/manager config apply
Start Unravel.
<unravel_installation_directory>/unravel/manager start