5

Is there anyone out there who got a running ArangoDB database working with a Let's Encrypt certificate? I just can't find out how to get this running.

ArangoDB is running on a DigitalOcean droplet and I could get it running together with a self-signed certificate following this tutorial. So ArangoDB is successfully running on port 8530.

Now my approach was replacing the self-signed certificate with a Let's Encrypt cert.

So I added a subdomain in DigitalOcean to the droplet, e.g. db.example.com, and then generated the cert files:

sudo -H ./letsencrypt-auto certonly --standalone -d db.example.com

You will end up with 4 files: cert.pem chain.pem fullchain.pem privkey.pem

As I understood, these files are:

Private Key --------> privkey.pem
Public Key ---------> cert.pem
Certificate Chain --> chain.pem

As described in the tutorial I mentioned, you need the certificate and the key in one file. So I did

cat chain.pem privkey.pem | sudo tee server.pem

to have a file containing the certificate and the private key.

Then I modified the file /etc/arangodb3/arangod.conf to let Arango know where the keyfile is and changed the ssl section:

[ssl]
keyfile = /etc/letsencrypt/live/db.example.com/server.pem

But after restarting Arango, the server is not available when trying to connect the browser to https://db.example.com:8530. Firewall settings for the droplet should all be ok, because I could access this address with the self-signed certificate before.

I then tried to modify the endpoint in /etc/arangodb3/arangod.conf from

endpoint = ssl://0.0.0.0:8530

to

endpoint = ssl://db.example.com:8530

and also

tcp://db.example.com:8530

None of it was working. Does somebody out there have an idea what I am doing wrong?

  • Related feature request: [Split SSL Key File into Certificate and Private Key #2077](https://github.com/arangodb/arangodb/issues/2077) (also see the referenced [ticket #2487](https://github.com/arangodb/arangodb/issues/2487)) – CodeManX Oct 24 '18 at 10:12

1 Answer

3

Please use the IP of the interface you want to use when specifying the endpoint, e.g. endpoint = ssl://42.23.13.37:8530 (ip address should list your interfaces along with addresses in use). Then it could help to use the fullchain.pem to create the server.pem (cat fullchain.pem privkey.pem > server.pem). Make sure the resulting server.pem is accessible and readable by the arangodb user. If the server is still not starting correctly please provide logs of the server. To access the logs use systemctl -fu arangodb3.service or follow the logs with tail -f <logfile> if you use some custom location for logging.

I have just tested a setup with Let's Encrypt certificates and it was working after ensuring all of the above points.

  • Thanks so much for the detailed instructions. Following these steps solved my problem. So in the end it was exactly the combination of the wrong IP settings and a non-accessible pem file. – Christoph Noe Oct 25 '18 at 07:47
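The two fixes the answer describes (bundle fullchain.pem rather than chain.pem with the key, and make the result readable by the arangodb user) can be scripted and verified before arangod is restarted. The script below is an added example, not code from the question, the answer or ArangoDB; the paths, the output location /etc/arangodb3/server.pem and the user name arangodb are assumptions, and the keypair check catches the chain.pem mistake because that file contains no certificate matching privkey.pem.

```shell
#!/bin/sh
# Added example (not from the original post or ArangoDB): build server.pem
# from fullchain.pem + privkey.pem, store it outside the root-only
# /etc/letsencrypt tree, and verify that certificate and key belong together.
# LIVE_DIR, OUT_PEM and ARANGO_USER are assumed values; adjust for your droplet.
set -eu
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/db.example.com}"
OUT_PEM="${OUT_PEM:-/etc/arangodb3/server.pem}"
ARANGO_USER="${ARANGO_USER:-arangodb}"

# Concatenate the full chain (leaf + intermediates) and the key into one file.
# chain.pem holds only the intermediates, so a chain.pem + privkey.pem bundle
# has no certificate that matches the key.
build_server_pem() {
  cat "$1" "$2" > "$3"
  chmod 640 "$3"
}

# Number of certificates in the bundle (a fullchain bundle has at least two).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Succeeds only if the first certificate in the bundle and the private key
# carry the same public key; openssl reads the first object of each kind and
# skips the PEM blocks it is not asked for.
keypair_matches() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
  openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

main() {
  build_server_pem "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "$OUT_PEM"
  # arangod runs as an unprivileged user and must be able to read the bundle;
  # certbot keeps /etc/letsencrypt/live and archive root-only, hence OUT_PEM.
  chown "root:$ARANGO_USER" "$OUT_PEM"
  keypair_matches "$OUT_PEM" || { echo "certificate and key do not match" >&2; exit 1; }
  echo "$OUT_PEM: $(count_certs "$OUT_PEM") certificate(s), key matches"
}

# Only act when run as "sh build_server_pem.sh install" (as root on the droplet);
# otherwise the functions are merely defined.
if [ "${1:-}" = install ]; then
  main
fi
```

After running it, point keyfile in the [ssl] section at the new bundle and restart arangod; a failing keypair check means the bundle, not the endpoint, is the problem.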