crossbario / crossbar

Crossbar.io - WAMP application router
https://crossbar.io/

Document: Lets encrypt and CB in Docker #1124

Open oberstet opened 7 years ago

oberstet commented 7 years ago

From the mailing list:

TLDR; Using Ubuntu 16.04, I did the following:

  1. generated a certificate using letsencrypt
  2. mounted certificate directory into crossbar docker container
  3. configured crossbar to use TLS certificates
  4. tested secure websocket connection

Here is some more detail on how it worked ...

1) Create Certificate with Letsencrypt

apt install letsencrypt

Then create the certificate for this machine:

letsencrypt certonly --standalone -d

Where hostname.domain.com is your server name. After this is successful, I have a directory with the following 2 files:

/etc/letsencrypt/live//privkey.pem

/etc/letsencrypt/live//fullchain.pem

Some of these paths are symbolic links, so in order to be able to chase all the symlinks from inside docker, we need to mount the entire /etc/letsencrypt root directory:

2) mount certificate directory into crossbar docker container

When I created my docker container, I needed to mount the Ubuntu letsencrypt directory into the container:

    docker create \
      -v /home/dante/example/crossbar:/node \
      -v /etc/letsencrypt:/etc/letsencrypt \
      -p 8080:8080 \
      --name crossbar \
      crossbario/crossbar

This way, the docker container will have /etc/letsencrypt mounted inside it and will be able to reference the *.pem files from our config.json file.

3) Configure crossbar to use TLS certificates by adding the websocket transport configs like so:

    "transports": [
        {
            "id": "anon8080",
            "type": "websocket",
            "endpoint": {
                "type": "tcp",
                "port": 8080,
                "tls": {
                    "key": "/etc/letsencrypt/live//privkey.pem",
                    "certificate": "/etc/letsencrypt/live//fullchain.pem"
                }
            },
            "url": "wss://:8080"
        }
    ]

I then restarted crossbar to use this new configuration and see that it does start TLS on port 8080:

    ... [Router 17] Loading server TLS key from /etc/letsencrypt/live//privkey.pem
    ... [Router 17] Loading server TLS certificate from /etc/letsencrypt/live//fullchain.pem
    ... [Router 17] Using secure default TLS ciphers
    ... [Router 17] No OpenSSL DH parameter file set - DH cipher modes will be deactive!
    ... [Router 17] OpenSSL is using elliptic curve prime256v1 (NIST P-256)
    ... [Router 17] WampWebSocketServerFactory (TLS) starting on 8080
    ... [Controller 1] Router 'router': transport 'anon8080' started
    ... [Controller 1] Local node configuration applied successfully!

4) Tested WSS connection

In my sample client, I can now set the connection uri to:

    var WS_URI = "wss://:8080";

And voila! Success ...

-- Dante --
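The recipe above hinges on one detail that is easy to get wrong: certbot's `live/<host>/*.pem` files are symlinks into `../../archive/<host>/`, so a bind mount of only `live/<host>` carries the links but not their targets, and they dangle inside the container. The following POSIX shell pre-flight check is an added example, not code from this issue or from the Crossbar.io project. It builds a constructed certbot-style directory layout in a temp dir (placeholder files, no real keys), verifies that a proposed bind-mount root actually covers the resolved symlink targets, and then simulates a renewal to show that the root mount keeps covering the re-pointed links. The hostname `example.com` and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the issue or the Crossbar.io project).
# certbot lays out /etc/letsencrypt as
#   live/<host>/privkey.pem    -> ../../archive/<host>/privkeyN.pem
#   live/<host>/fullchain.pem  -> ../../archive/<host>/fullchainN.pem
# Bind-mounting only live/<host> copies the symlinks into the container
# without their targets. This check resolves every *.pem in the live dir
# and verifies that each target lies under the directory to be mounted.

# mount_covers_certs LIVE_DIR MOUNT_ROOT
# Returns 0 if every *.pem in LIVE_DIR resolves to a path under MOUNT_ROOT,
# 1 otherwise (naming the offending file on stderr).
mount_covers_certs() {
    live_dir=$1
    mount_root=$2
    # Canonical path of the mount root so the prefix comparison is exact.
    root=$(cd "$mount_root" 2>/dev/null && pwd -P) || {
        echo "mount root does not exist: $mount_root" >&2
        return 1
    }
    for f in "$live_dir"/*.pem; do
        [ -e "$f" ] || { echo "missing or dangling: $f" >&2; return 1; }
        target=$(readlink -f "$f") || return 1
        case "$target" in
            "$root"/*) ;;   # target is inside what the container will see
            *)
                echo "not covered by $mount_root: $f -> $target" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# make_fixture BASE
# Constructed certbot-style layout with placeholder files (not real keys),
# so the check can be exercised offline. Hostname is assumed.
make_fixture() {
    base=$1
    host=example.com
    mkdir -p "$base/archive/$host" "$base/live/$host"
    printf 'placeholder key\n' > "$base/archive/$host/privkey1.pem"
    printf 'placeholder chain\n' > "$base/archive/$host/fullchain1.pem"
    ln -s "../../archive/$host/privkey1.pem" "$base/live/$host/privkey.pem"
    ln -s "../../archive/$host/fullchain1.pem" "$base/live/$host/fullchain.pem"
}

# simulate_renewal BASE
# A renewal writes new archive files and re-points the live/ links. A root
# mount still covers them; a process that loaded the old files keeps
# serving the old certificate until it is restarted.
simulate_renewal() {
    base=$1
    host=example.com
    printf 'placeholder key 2\n' > "$base/archive/$host/privkey2.pem"
    printf 'placeholder chain 2\n' > "$base/archive/$host/fullchain2.pem"
    ln -sf "../../archive/$host/privkey2.pem" "$base/live/$host/privkey.pem"
    ln -sf "../../archive/$host/fullchain2.pem" "$base/live/$host/fullchain.pem"
}

# Demo: mounting live/<host> alone fails the check, mounting the root passes.
demo=$(mktemp -d)
make_fixture "$demo"
if mount_covers_certs "$demo/live/example.com" "$demo/live/example.com"; then
    echo "live/<host> mount: ok"
else
    echo "live/<host> mount: would dangle inside the container"
fi
if mount_covers_certs "$demo/live/example.com" "$demo"; then
    echo "root mount: ok, use  -v $demo:/etc/letsencrypt"
fi
simulate_renewal "$demo"
mount_covers_certs "$demo/live/example.com" "$demo" && echo "after renewal: still covered"
rm -rf "$demo"
```

Run the check with the real paths (`mount_covers_certs /etc/letsencrypt/live/<host> /etc/letsencrypt`) before `docker create`; if it passes, the `-v /etc/letsencrypt:/etc/letsencrypt` mount from the post will work. After the container is up, `openssl s_client -connect <host>:8080 -servername <host>` shows the chain the router actually serves, which is the quickest way to confirm `fullchain.pem` (not a bare leaf cert) was picked up. Since the router loads the PEM files when the transport starts, restart it after each renewal.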
om26er commented 7 years ago

Apart from the docs, it might be good to have a docker container that's TLS enabled. My main objective for that is to be able to easily test TLS support in our Autobahn libraries. I can probably cook that up, if we want.

meejah commented 7 years ago

Also, there is the built-in Twisted support for Let's Encrypt that provides the le: and lets: endpoint-strings. So right now you could get a Let's Encrypt listener by using the "twisted" listener types with an appropriate string. See e.g. https://github.com/twisted/txacme

(The above handles renewing the certificates too). The only real "con" to the above is that it must listen on 443 or it won't work (as the Let's Encrypt "phone home" thing will only use 443).

There's also https://github.com/glyph/txsni but I think the above is better.

oberstet commented 7 years ago

> be able to easily test TLS support in our Autobahn libraries

Yeah, that would be useful!

For testing with a custom / self-signed cert, there is https://github.com/crossbario/crossbar-examples/tree/master/encryption/tls

However, for testing with a real world cert (eg Lets Encrypt), the tested Crossbar.io instance would need to sit on a public hostname.

FWIW, the canonical place to expand an example for Crossbar.io on Docker with TLS would be here https://github.com/crossbario/crossbar-starter/tree/master/crossbar

juan11perez commented 6 years ago

@oberstet thank you for the letsencrypt path tip. I was trying to point into a homeassistant docker and it wouldn't work with the entire path. I changed to /etc/letsencrypt and it worked.