How to add an SSL certificate?

Learn how to set up an SSL certificate, either one generated with certbot or another SSL certificate

Prerequisites

  • All prerequisites required for RevDeBug Server installation
  • The server must have Domain Name System (DNS) set up
  • Ports 80 and 443 must be open on the firewall

Stop RevDeBug Server if it is running.

To generate a Let’s Encrypt SSL certificate, execute the command below:

sudo docker run -it --rm --name certbot -p 80:80 -p 443:443 \
-v "/var/rdb/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/rdb/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly

To minimize the impact of erroneously issued certificates, Let's Encrypt certificates expire every three months. You can also use another SSL certificate.
Remember that the certificate file should contain the full certificate chain and be in PEM format - more on how to create this type of file here

After executing the above docker command, you’ll need to answer the following prompts:

  1. How would you like to authenticate with the ACME CA?
    • Select: Spin up a temporary webserver (standalone)
  2. If you are doing this for the first time, you will need to provide your contact email and accept the terms and conditions.
  3. Please enter the domain name(s) you would like on your certificate (comma and/or space separated)
    • You must specify the fully qualified server name (DNS), example: revdebug.company.com
  4. After the certificate generation was successful, you should see a message similar to the one below:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/[host_name]/fullchain.pem
Key is saved at: /etc/letsencrypt/live/[host_name]/privkey.pem
This certificate expires on [date].
These files will be updated when the certificate renews.

After generating the certificate, work with the files:

  • Change directory:
cd /var/rdb/etc/letsencrypt/live/[your_dns_address]
  • Copy fullchain.pem and privkey.pem to a location of your choice (the default path is /var/revdebug/cert). Commands to copy the files:
mkdir -p /var/revdebug/cert
cp fullchain.pem /var/revdebug/cert/[yourCert].crt
cp privkey.pem /var/revdebug/cert/[yourCert].key
Both files must have the same name, each with the correct extension (.crt and .key).
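
One way to check the copied pair before starting RevDeBug Server, as an added example (not RevDeBug's own tooling): it confirms that the .crt holds a chain, that the key matches it and is not accessible to other users, and that the copy still equals certbot's live fullchain.pem, since a renewal updates only the live files. The function names, the 30-day threshold and the check_cert.sh file name are assumptions.

```bash
#!/usr/bin/env bash
# Added example: checks for the certificate pair copied in the step above.
# DIR/NAME correspond to REVDEBUG_CERTIFICATE_PATH / REVDEBUG_CERTIFICATE_NAME.

# Number of certificates in a PEM bundle; a full chain holds at least two.
count_pem_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# True when the key file grants no permissions to group or others.
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# True when the leaf certificate and the private key hold the same public key.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# check_pair DIR NAME [LIVE_FULLCHAIN]: prints each problem, returns 0 if none.
check_pair() {
  local dir="$1" name="$2" live="${3:-}" rc=0
  local crt="$dir/$name.crt" key="$dir/$name.key"
  [ -f "$crt" ] && [ -f "$key" ] || { echo "missing $name.crt or $name.key in $dir"; return 1; }
  [ "$(count_pem_certs "$crt")" -ge 2 ] || { echo "$crt: no intermediate, not a full chain"; rc=1; }
  key_is_private "$key" || { echo "$key: accessible to group/others (chmod 600)"; rc=1; }
  if command -v openssl >/dev/null 2>&1; then
    key_matches_cert "$crt" "$key" || { echo "$key does not match $crt"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null ||
      { echo "$crt: expires within 30 days"; rc=1; }
  fi
  # Renewal rewrites the live file only; a differing copy is stale.
  if [ -n "$live" ] && ! cmp -s "$live" "$crt"; then
    echo "$crt differs from $live (copy again after renewal)"; rc=1
  fi
  return "$rc"
}

# Stand-alone use: ./check_cert.sh /var/revdebug/cert yourCert [live fullchain.pem]
if [ "$#" -ge 2 ]; then check_pair "$@"; fi
```
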

Table with description of the most important environment variables in .env for adding SSL certificates

| Name | Explanation |
| --- | --- |
| REVDEBUG_CERTIFICATE_PATH | Location of the SSL certificate files, e.g.: /var/revdebug/cert |
| REVDEBUG_CERTIFICATE_NAME | Name of the .crt and .key files in the certificate directory, e.g.: yourCert |

  • To change the default path where the certificates are located, you must also change the REVDEBUG_CERTIFICATE_PATH setting in the .env file.

After enabling the options in the .env file, start RevDeBug Server and access its HTTPS address to verify that the changes work.

Enabling the use of SSL on the application side:

C#

Compiler

Set <RevDeBugForceTLS>true</RevDeBugForceTLS> in Directory.Build.props for example:
Directory.Build.props
<Project>
  <PropertyGroup Condition="'$(RevDeBugDisableNuget)' != 'true'">
    <RevDeBugActive>true</RevDeBugActive>
    <UseRevDeBugOnThisProject>true</UseRevDeBugOnThisProject>
    <RevDeBugStateStorageType>CrashRecorder</RevDeBugStateStorageType>
    <SendToServer>true</SendToServer>
    <RecorderAddress>[host_name]</RecorderAddress>
    <RecorderTCPPort>42734</RecorderTCPPort>
    <RevDeBugForceTLS>true</RevDeBugForceTLS>
    <ImportGitInfo>true</ImportGitInfo>
  </PropertyGroup>
  <PropertyGroup Condition="'$(TargetFrameworkIdentifier)' != '.NETFramework'">
    <isNetCore>true</isNetCore>
  </PropertyGroup>
</Project>

Agent apm

Set "ForceTLS": true in skyapm.json for example:
skyapm.json
{
  "SkyWalking": {
    "ServiceName": "ServiceName",
    "Namespace": "",
    "HeaderVersions": [
      "sw8"
    ],
    "Sampling": {
      "SamplePer3Secs": -1,
      "Percentage": -1.0
    },
    "Logging": {
      "Level": "Information",
      "FilePath": "logs\\skyapm-{Date}.log"
    },
    "Transport": {
      "Interval": 3000,
      "ProtocolVersion": "v8",
      "QueueSize": 30000,
      "BatchSize": 3000,
      "gRPC": {
        "Servers": "[host_name]:11800",
        "Timeout": 10000,
        "ConnectTimeout": 10000,
        "ReportTimeout": 600000,
        "ForceTLS": true
      }
    }
  }
}
You would need to recompile/rebuild your application after those changes.

Java

Compiler

Maven

Set -AforceTLS=true in pom.xml, for example:
pom.xml
<project>
  ...
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-compiler-plugin</artifactId>
      <version>3.8.1</version>
      <configuration>
        <compilerArgs>
          <arg>-ArecordServerAddress=[host_name]</arg>
          <arg>-ArecordServerPort=42734</arg>
          <arg>-ArecordingMode=OnEvent</arg>
          <arg>-AapplicationName=[APP_NAME]</arg>
          <arg>-AsolutionName=[PROJECT_NAME]</arg>
          <arg>-AreleaseId=${git.commit.id}</arg>
          <arg>-AreleaseDisplayName=[DISPLAY_NAME]</arg>
          <arg>-ArepositoryPath=[STORAGE_PATH]</arg>
          <arg>-AuploadMetadata=true</arg>
          <arg>-AforceTLS=true</arg>
        </compilerArgs>
        <source>1.8</source>
        <target>1.8</target>
      </configuration>
    </plugin>
  </plugins>
  ...
</project>

Gradle

Set -AforceTLS=true in build.gradle, for example:
build.gradle
compileJava {
    options.compilerArgs = [
        "-ArecordServerAddress=[host_name]",
        "-ArecordServerPort=42734",
        "-ArecordingMode=OnEvent",
        "-AapplicationName=[APP_NAME]",
        "-AsolutionName=[PROJECT_NAME]",
        "-AreleaseId=[HASH_COMMIT]",
        "-AreleaseDisplayName=[DISPLAY_NAME]",
        "-ArepositoryPath=[STORAGE_PATH]",
        "-AuploadMetadata=true",
        "-AlogErrorClass=[LOG_CLASS]",
        "-AlogErrorMethod=[LOG_METHOD]",
        "-AREVDEBUG_TRACE_LOG_ERROR=true",
        "-AforceTLS=true"
    ]
}

Agent apm

Set agent.force_tls to true if your RevDeBug DevOps Monitor instance has been configured to work with an SSL certificate.
You would need to recompile/rebuild your application after those changes.

JavaScript

Set "secure": true in revdebug.json for example:
revdebug.json
{
  "host": "[host_name]",
  "apm": true,
  "mode": "onevent",
  "solution": "Node.js Application",
  "secure": true
}
You would need to recompile/rebuild your application after those changes.

Python

Set force_tls = 1 in revdebug.cfg for example:
revdebug.cfg
solution = Solution_Name
application = App_Name
mode = OnEvent
host = [host_name]
apm = 1
force_tls = 1 # 0 or 1, whether the RevDeBug server uses a secure connection