SSL Configuration

To configure Alpaca to run via SSL, start by enabling the https profile. See Profile Configuration. Once enabled, the application-https.yaml needs to be configured.

Generating a Key Store

To enable SSL you need a valid Java keystore configured. This first requires a valid certificate.

A valid certificate can be generated with the free Let's Encrypt service using Certbot. This requires a web server such as Apache to perform domain verification. Example:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly

After the certificate has been created, use openssl to create a keystore file. openssl prompts for an export password; that password protects both the PKCS12 file and the private key inside it, and the key is stored under the default alias 1.

cd /etc/letsencrypt/live/<domain>
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.pkcs12

To verify that the certificate was correctly imported:

keytool -list -keystore keystore.pkcs12 -storetype pkcs12 -alias 1

Now the keystore can be copied to the Alpaca configuration directory for usage.

cp keystore.pkcs12 /opt/alpaca/config/
chown alpaca:alpaca /opt/alpaca/config/keystore.pkcs12

Configurations

These configurations assume that necessary keys, key stores, and certificates have already been generated.

  • key-store - Path to the key store that holds the SSL certificate (typically a jks or pem file).
  • key-store-password - Password used to access the key store.
  • key-store-type - Type of the key store.
  • key-alias - Alias that identifies the key in the key store.
  • key-password - Password used to access the key in the key store.
  • protocol - SSL protocol to use.
  • ciphers - Supported SSL ciphers.

Sample SSL configuration

server:
    port: 8443
    ssl:
      key-store: config/keystore.pkcs12
      key-store-password: myStorePassword!
      key-store-type: PKCS12
      key-alias: 1
      key-password: myKeyPassword!
      protocol: TLSv1.2
      ciphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
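A pre-deployment check for the server.ssl block above, written as an added example that is not part of Alpaca or its documentation. It assumes the ssl block has already been loaded into a Python dict (for instance with PyYAML) and flags the settings a reviewer would question: missing keys, obsolete protocols, cipher suite names Java will not recognise, suites without forward secrecy, CBC-mode suites, and a key-password that differs from the store password in an openssl-exported PKCS12 file.

```python
import re

# Java cipher suite names start with TLS_ (or the legacy SSL_ prefix).
SUITE_NAME = re.compile(r"^(TLS|SSL)_[A-Z0-9_]+$")
REQUIRED = ("key-store", "key-store-password", "key-alias", "key-password")
MODERN_PROTOCOLS = ("TLS", "TLSv1.2", "TLSv1.3")


def lint_ssl(ssl: dict) -> list:
    """Return a list of findings for a server.ssl block; [] means nothing flagged."""
    findings = []
    for key in REQUIRED:
        if not ssl.get(key):
            findings.append(f"missing {key}")
    proto = ssl.get("protocol", "")
    if proto and proto not in MODERN_PROTOCOLS:
        findings.append(f"protocol {proto} is obsolete; use TLSv1.2 or newer")
    # openssl pkcs12 -export protects store and key with one export password.
    if (str(ssl.get("key-store-type", "")).upper() == "PKCS12"
            and ssl.get("key-password") != ssl.get("key-store-password")):
        findings.append("key-password differs from key-store-password; "
                        "an openssl-exported PKCS12 uses one password for both")
    for suite in str(ssl.get("ciphers", "")).split(","):
        suite = suite.strip()
        if not suite:
            continue
        if not SUITE_NAME.match(suite):
            findings.append(f"unrecognised cipher suite name: {suite}")
        elif suite.startswith(("TLS_RSA_", "TLS_ECDH_")):
            findings.append(f"no forward secrecy (static key exchange): {suite}")
        if "_CBC_" in suite:
            findings.append(f"CBC suite, prefer an AES-GCM suite: {suite}")
    return findings


# Constructed sample mirroring the documented configuration (placeholder passwords).
SAMPLE_SSL = {
    "key-store": "config/keystore.pkcs12",
    "key-store-password": "myStorePassword!",
    "key-store-type": "PKCS12",
    "key-alias": "1",
    "key-password": "myKeyPassword!",
    "protocol": "TLSv1.2",
    "ciphers": "ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
               "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# Same block with the findings resolved: one password, ephemeral-ECDH GCM suites only.
HARDENED_SSL = {**SAMPLE_SSL, "key-password": "myStorePassword!",
                "ciphers": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                           "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}

if __name__ == "__main__":
    for finding in lint_ssl(SAMPLE_SSL):
        print("-", finding)
```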