HTTPS Certificates
Configuration of ESB3024 Router is done through a REST API over HTTPS. The router installer generates a self-signed certificate so that the interface can be enabled at all, but this is not considered secure, so a properly generated certificate should be used instead.
For SSL to work, the router needs both an X.509 certificate and a key in ASCII-armored PEM format:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
The files can be either separate .crt and .key files or a combined .pem file.
Simply copy the file(s) generated by your CA service into the /opt/edgeware/acd/ssl folder on the host machine and they will automatically be used by the router. The filenames must match the associated hostname, and there's currently no support for wildcard matching or multiple domains per certificate. Several key/crt pairs can be placed in the folder in order to support more than one domain name.
Grafana
Adding HTTPS protection to Grafana is simple. The following ESB3024 Router-specific instructions are based on the official Grafana documentation.
First copy the .crt and .key files to the Grafana container. This will copy the files into /opt/edgeware/acd/grafana/etc/, but going through podman like this ensures the correct ownership of the files so the Grafana process can properly use them:
podman cp <certificate> grafana:/etc/grafana/
podman cp <key> grafana:/etc/grafana/
Then edit /opt/edgeware/acd/grafana/etc/grafana.ini to enable SSL. Find the [server] section and set the following values. String values should have no quotation marks:
protocol to https
cert_file to /etc/grafana/<certificate>
cert_key to /etc/grafana/<key>
If any of the specified values have a semicolon (;) before the name, remove that character or the setting won't take effect.
Finally restart the Grafana container:
systemctl restart acd-grafana
Now load up the Grafana web interface at https://<router hostname>:3000 and verify that SSL is active.
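A check for the grafana.ini edit described above, useful to run before restarting the container. It is an added example, not part of the original documentation: it reports which of the three [server] settings are still commented out, missing, quoted, or not pointing at the container path /etc/grafana/. The function name and the status labels are assumptions made for this example; the default file path is the one given above.

```shell
# Added example: audit [server] in grafana.ini for the three TLS settings.
# Status labels (OK, COMMENTED, ...) are this script's own, not Grafana output.
check_grafana_tls() {
    awk -v sq="'" '
    function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
    BEGIN {
        n = split("protocol cert_file cert_key", names, " ")
        for (i = 1; i <= n; i++) want[names[i]] = 1
    }
    {
        line = trim($0)
        if (line ~ /^\[.*\]$/) { in_server = (line == "[server]"); next }
        if (!in_server) next
        commented = (line ~ /^[;#]/)       # leading ";" disables the setting
        sub(/^[;#]+[ \t]*/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        key = trim(substr(line, 1, eq - 1))
        val = trim(substr(line, eq + 1))
        if (!(key in want)) next
        if (commented) disabled[key] = 1
        else active[key] = val
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = names[i]
            if (!(k in active)) {
                status = (k in disabled) ? "COMMENTED" : "MISSING"
                print status " " k
                bad = 1
                continue
            }
            v = active[k]; c = substr(v, 1, 1)
            if (c == "\"" || c == sq) status = "QUOTED"
            else if (k == "protocol" && v != "https") status = "BAD"
            else if (k != "protocol" && index(v, "/etc/grafana/") != 1) status = "BAD"
            else status = "OK"
            if (status != "OK") bad = 1
            print status " " k "=" v
        }
        exit bad    # non-zero when any setting needs attention
    }' "${1:-/opt/edgeware/acd/grafana/etc/grafana.ini}"
}
```

Run `check_grafana_tls` with no argument to audit the default file; a non-zero exit status means at least one setting still needs fixing.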