How to add an SSL certificate?

Learn how to setup SSL certificate using certbot or another SSL certificate

Prerequisites

• All prerequisites required for RevDeBug Server installation

• Server must have Domain Name System (DNS) set up

• Ports 80 and 443 must be opened on firewall

Stop RevDeBug Server if it is running

To generate Let’s Encrypt SSL certificate execute command below:

sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
-v "/var/rdb/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/rdb/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly

To minimize the impact of erroneously issued certificates, the Let's Encrypt license expires every three months - you can use another SSL certificate

Remember that the certificate file should contain the full certificate chain and be in a PEM format - more on how to create this type of file here

After executing above docker command you’ll need to provide answers to the following:

1. How would you like to authenticate with the ACME CA?

   • Select: Spin up a temporary webserver (standalone)

2. If you are doing this for the first time then you will need to provide your contact email and accept the terms and conditions.

3. Please enter the domain name(s) you would like on your certificate (comma and/or space separated)

   • You must specify the fully qualified server name (DNS), for example: revdebug.company.com

4. After the certificate generation was successful you should see a message similar to the one below:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/[host_name]/fullchain.pem
Key is saved at: /etc/letsencrypt/live/[host_name]/privkey.pem
This certificate expires on [date].
These files will be updated when the certificate renews.

After generating the certificate, work with the files:

• Change directory

cd /var/rdb/etc/letsencrypt/live/[your_dns_adress]

• Copy the fullchain.pem and privkey.pem key to a pre-selected location of your choice (default path is /var/revdebug/cert) Commands to copy the files:

mkdir -p /var/revdebug/cert
cp fullchain.pem /var/revdebug/cert/[yourCert].crt
cp privkey.pem /var/revdebug/cert/[yourCert].key

Files must have the same name with the correct extension

Table with description of the most important environment variables in .env for adding SSL certificates

Name	Explanation
REVDEBUG_CERTIFICATE_PATH	Location of ssl certificates files e.g.: /var/revdebug/cert
REVDEBUG_CERTIFICATE_NAME	Name of the .crt and .key files in the certificate directory e.g.: yourCert

• To change the default path where the certificates are located, you must also change the REVDEBUG_CERTIFICATE_PATH setting in the .env file.

• Remember to set the correct value of the REVDEBUG_SERVER_NAME variable in the .env file.

After enabling the options in the .env file, start RevDeBug Server and access its HTTPS address to verify the changes work.

The private key cannot be password protected.

Certificates from a certification center, if used internally, must reside in /var/revdebug/ca/ as separate .crt files for each root and intermediate certification center that signed the RevDeBug server certificate.

If you are using Kubernetes Monitoring in RevDeBug then you need to switch the insecure=true parameter in the OTEL configuration file to insecure=false.

Enabling the use of SSL on the applications side:

C#

Compiler

Set <RevDeBugForceTLS>true</RevDeBugForceTLS> in Directory.Build.props for example:

Directory.Build.props

<Project>
  <PropertyGroup Condition="'$(RevDeBugDisableNuget)' != 'true'">
    <RevDeBugActive>true</RevDeBugActive>
    <UseRevDeBugOnThisProject>true</UseRevDeBugOnThisProject>
    <RevDeBugStateStorageType>CrashRecorder</RevDeBugStateStorageType>
    <SendToServer>true</SendToServer>
    <RecorderAddress>[host_name]</RecorderAddress>
    <RecorderTCPPort>42734</RecorderTCPPort>
    <RevDeBugForceTLS>true</RevDeBugForceTLS>
    <ImportGitInfo>true</ImportGitInfo>
  </PropertyGroup>
  <PropertyGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETFramework'">
    <isNetCore>true</isNetCore>
  </PropertyGroup>
</Project>

Agent APM

Set "ForceTLS": true in skyapm.json for example:

skyapm.json

{
  "SkyWalking": {
    "ServiceName": "ServiceName",
    "Namespace": "",
    "HeaderVersions": [
      "sw8"
    ],
    "Sampling": {
      "SamplePer3Secs": -1
      "Percentage": -1.0
    },
    "Logging": {
      "Level": "Information",
      "FilePath": "logs\\skyapm-{Date}.log"
    },
    "Transport": {
      "Interval": 3000
      "ProtocolVersion": "v8",
      "QueueSize": 30000,
      "BatchSize": 3000,
      "gRPC": {
        "Servers": "[host_name]:11800",
        "Timeout": 10000,
        "ConnectTimeout": 10000,
        "ReportTimeout": 600000,
        "ForceTLS": true
      }
    }
  }
}

You would need to recompile/rebuild your application after those changes.

Java

Compiler

Maven

Set AforceTLS=true in pom.xml for example:

pom.xml

 <project>
 ...
 <plugins>
   <plugin>
       <groupId>org.apache.maven.plugins</groupId>
       <artifactId>maven-compiler-plugin</artifactId>
       <version>3.8.1</version>
       <configuration>
           <compilerArgs>
               <arg>-ArecordServerAddress=[host_name]</arg>
               <arg>-ArecordServerPort=42734</arg>
               <arg>-ArecordingMode=OnEvent</arg>
               <arg>-AapplicationName=[APP_NAME]</arg>
               <arg>-AsolutionName=[PROJECT_NAME]</arg>  
               <arg>-AreleaseId=${git.commit.id}</arg>                  
               <arg>-AreleaseDisplayName=[DISPLAY_NAME]</arg>
               <arg>-ArepositoryPath=[STORAGE_PATH]</arg>
               <arg>-AuploadMetadata=true</arg>
               <arg>-AforceTLS=true</arg>
           </compilerArgs>
           <source>1.8</source>
           <target>1.8</target>
       </configuration>
   </plugin>
</plugins>
...
</project>

Gradle

Set AforceTLS=true in build.gradle for example:

build.gradle

   compileJava {
       options.compilerArgs = [
               "-ArecordServerAddress=[host_name]",
               "-ArecordServerPort=42734",
               "-ArecordingMode=OnEvent",
               "-AapplicationName=[APP_NAME]",
               "-AsolutionName=[PROJECT_NAME]",
               "-AreleaseId=[HASH_COMMIT]",
               "-AreleaseDisplayName=[DISPLAY_NAME]",
               "-ArepositoryPath=[STORAGE_PATH]",
               "-AuploadMetadata=true",
               "-AlogErrorClass=[LOG_CLASS]",
               "-AlogErrorMethod=[LOG_METHOD]",
               "-AREVDEBUG_TRACE_LOG_ERROR=true",
               "-AforceTLS=true"
   ]}

Agent APM

agent.force_tls set to true if your RevDeBug DevOps Monitor instance has been configured to work with an SSL certificate.

You would need to recompile/rebuild your application after those changes.

JavaScript

Set "secure": true in revdebug.json for example:

revdebug.json

{
  "host":         "[host_name]",
  "apm":          true,
  "mode":         "onevent",
  "solution":     "Node.js Application",
  "secure":       true
}

You would need to recompile/rebuild your application after those changes.

Python

Set force_tls = 1 in revdebug.cfg for example:

revdebug.cfg

solution        = Solution_Name
application     = App_Name                      
mode            = OnEvent         
host            = [host_name]       
apm             = 1                
force_tls       = 0   # 0 or 1, whether the RevDeBug server uses a secure connection