HTTPS
Note that you can always put nginx or any other web server in front of nzyme for local TLS termination if that fits your operations workflow better.
Requirements
You only need:
- An X.509 certificate
- A private key in PKCS#8 format
Below you can find a guide that describes how to create a self-signed X.509 certificate and PKCS#8 private key.
Generating a self-signed TLS certificate and key
If you want to use a self-signed certificate, all you need is a recent version of openssl, which comes pre-installed on most Linux distributions.
Start by creating a file called openssl-nzyme.cnf in any directory you like:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the subject of the certificate (for a self-signed certificate this is also the issuer)
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
O = My Company
OU = My Division
CN = nzyme.example.com

[v3_req]
# digitalSignature is required for TLS 1.3 and ECDHE cipher suites, where the server signs the handshake
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include.
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 203.0.113.42
DNS.1 = nzyme.example.com
Adapt the [req_distinguished_name] and [alt_names] sections of the configuration file to fit your environment. Every hostname and IP address that users will type into their browser must appear in [alt_names]; modern browsers ignore the CN and validate only the subjectAltName entries.
Next, we create the private key and certificate, valid for 365 days. The -nodes flag writes the private key unencrypted, which is what nzyme expects, so make sure the resulting key file is readable only by the user nzyme runs as (for example with chmod 600):
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-nzyme.cnf -keyout pkcs5-plain.pem -out cert.pem
The last step is to convert the key to the required PKCS#8 format. The resulting key.pem should start with the line -----BEGIN PRIVATE KEY-----; a file that starts with -----BEGIN RSA PRIVATE KEY----- is still in the traditional PKCS#1 format and has not been converted:
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out key.pem
You can delete the temporary pkcs5-plain.pem key file:
rm pkcs5-plain.pem
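The whole procedure above as one script, together with the checks worth running before pointing nzyme at the files: that the key really is PKCS#8, that the certificate carries the expected subjectAltName entries, and that the key and certificate belong together. This is an added example, not part of the nzyme documentation or project. The hostname nzyme.example.com, the IP address 203.0.113.42 and the output directory are assumptions, and the function names (gen_nzyme_cert, key_is_pkcs8, cert_has_san, key_matches_cert, check) are this example's own. The generated config also sets digitalSignature in keyUsage, which TLS 1.3 and ECDHE cipher suites require for an RSA server certificate.

```shell
#!/bin/sh
# Added example (not from the nzyme docs): script the self-signed certificate
# procedure and verify the result before handing cert.pem and key.pem to nzyme.
# Assumed values, override via environment: hostname, IP address, output directory.
set -eu

NZYME_HOST="${NZYME_HOST:-nzyme.example.com}"
NZYME_IP="${NZYME_IP:-203.0.113.42}"
OUTDIR="${OUTDIR:-$(mktemp -d)}"

# Write the OpenSSL request config, create key + self-signed cert, convert key to PKCS#8.
gen_nzyme_cert() {
  cat > "$OUTDIR/openssl-nzyme.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
O = My Company
CN = $NZYME_HOST

[v3_req]
# digitalSignature: the server signs the handshake under TLS 1.3 and ECDHE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = $NZYME_IP
DNS.1 = $NZYME_HOST
EOF
  umask 077   # -nodes writes the key unencrypted; keep it owner-readable only
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
    -config "$OUTDIR/openssl-nzyme.cnf" \
    -keyout "$OUTDIR/pkcs5-plain.pem" -out "$OUTDIR/cert.pem" 2>/dev/null
  openssl pkcs8 -in "$OUTDIR/pkcs5-plain.pem" -topk8 -nocrypt -out "$OUTDIR/key.pem"
  rm -f "$OUTDIR/pkcs5-plain.pem"
}

# Unencrypted PKCS#8 PEM starts with "BEGIN PRIVATE KEY";
# "BEGIN RSA PRIVATE KEY" would be the traditional PKCS#1 encoding.
key_is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# $2 is a SAN entry the way openssl prints it, e.g. "DNS:nzyme.example.com"
# or "IP Address:203.0.113.42". Matched literally.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qF "$2"
}

# The public key embedded in the certificate must equal the one derived from the key.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Run one check, print a verdict, abort the script on failure.
check() {
  label=$1; shift
  if "$@"; then echo "$label: OK"; else echo "$label: FAIL" >&2; exit 1; fi
}

main() {
  gen_nzyme_cert
  check "key is PKCS#8"     key_is_pkcs8     "$OUTDIR/key.pem"
  check "SAN has DNS name"  cert_has_san     "$OUTDIR/cert.pem" "DNS:$NZYME_HOST"
  check "SAN has IP"        cert_has_san     "$OUTDIR/cert.pem" "IP Address:$NZYME_IP"
  check "key matches cert"  key_matches_cert "$OUTDIR/cert.pem" "$OUTDIR/key.pem"
  echo "cert.pem and key.pem written to $OUTDIR"
}

main
```

Once nzyme is configured and running, the same SAN check can be repeated against the live listener on port 22900: `openssl s_client -connect nzyme.example.com:22900 -servername nzyme.example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'` prints the names the served certificate actually carries.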
Configuring nzyme
Whether your certificate is self-signed or issued by a CA, you should now have a cert file and a key file. All you have to do is enable TLS and point nzyme to the two files:
interfaces: {
  rest_listen_uri: "https://0.0.0.0:22900/"
  http_external_uri: "https://nzyme.example.com:22900/"
  use_tls: true
  tls_certificate_path: /path/to/cert.pem
  tls_key_path: /path/to/key.pem
}
Note that rest_listen_uri and http_external_uri changed to use https://. If you forget to do this, nzyme will complain and refuse to start up. The hostname in http_external_uri must be one of the subjectAltName entries of your certificate, otherwise browsers will reject the connection as a name mismatch.
Start up nzyme with the new configuration and you should be able to access it via HTTPS. With a self-signed certificate, browsers will show a trust warning until the certificate (or the CA that issued it) is added to their trust store.