0

I can't seem to get the https proxy for my Realm Object Server running. I've followed every step in the docs, which include editing the configuration.yml file to change:

proxy.https.enable: true  
proxy.https.listen_address: ::  
proxy.https.listen_port: 9443  
proxy.https.certificate_path: 'cert_path'
proxy.https.private_key_path: 'private_key_path'

When I visit http://example.com:9080 it's fine, but visiting https://example.com:9443 doesn't work - I've verified the paths are correct, and the cert/private key combination is valid.

Any help configuring this would be much appreciated, as I'm trying to get the app in conformance with Apple's ATS requirements!

Charles Wong
  • 209
  • 1
  • 4
  • 9

1 Answers1

7

The Realm Object Server is started by the "realm" user, you should check that the user has permissions to access the certificates.

Here is a list of instructions for setting up https with letsencrypt! on Ubuntu 16.04, maybe it helps identify your issue:

  1. Install ROS, letsencrypt and generate certs

curl -s https://packagecloud.io/install/repositories/realm/realm/script.deb.sh | sudo bash

apt-get install realm-object-server-developer
apt-get install letsencrypt

letsencrypt certonly --standalone -d ${mydomain.com}

# set up permissions for the realm user on /etc/letsencrypt.
sudo groupadd ssl
sudo usermod -a -G ssl realm
sudo chgrp -R ssl /etc/letsencrypt
sudo chmod -R g=rX /etc/letsencrypt
  1. Edit the config to enable ssl in the "proxy" section

Section in /etc/realm/configuration.yml:

  https:
    ## Whether or not to enable the HTTPS proxy module. It enables multiplexing requests
    ## by forwarding incoming requests on a single port to all services.
    ## Note that even if it enabled, the HTTPS proxy will only start if supplied
    ## with a valid pair of certificates through certificate_path and private_key_path below.
    enable: true

    ## The path to the certificate and private keys (in PEM format) that will be used
    ## to set up the HTTPS server accepting connections.
    ## These configuration options are MANDATORY to start the HTTPS proxy module.
    certificate_path: '/etc/letsencrypt/live/${mydomain.com}/cert.pem'
    private_key_path: '/etc/letsencrypt/live/${mydomain.com}/privkey.pem'

    ## The address/interface on which the HTTPS proxy module should listen. This defaults
    ## to 127.0.0.1. If you wish to listen on all available interfaces,
    ## uncomment the following line.
    listen_address: '::'

    ## The port that the HTTPS proxy module should bind to.
    # listen_port: 9443

  1. Connect to the dashboard and create an account. ( Go to https://${mydomain.com}:9443 )

  2. Go to the browser and choose "Connect to Object Server" Enter realms://${mydomain.com}:9443 as Server Url and the username and password you just created. You should see a list of realms.

Radu Tutueanu
  • 106
  • 2
  • You are "The Man". Thanks for this. I've had a similar question out (http://stackoverflow.com/questions/43034647/realm-object-server-ssl-configuration-causes-ros-to-fail-start) and was really failing. The solution was permissions. I never even considered that. Thanks for the tip. – Ian Bradbury Mar 27 '17 at 22:08
  • I didn't consider permissions at all as well. Thanks so much! – Charles Wong Mar 29 '17 at 15:41
  • This tutorial was excellent. Realm should put this on their website somewhere. Thank you! :) – Clifton Labrum May 31 '17 at 23:27
  • I recommend setting up Certbot to automate the renewal of your LetsEncrypt SSL certificates: https://certbot.eff.org – Clifton Labrum May 31 '17 at 23:37