Skip to main content
Version: Next

HTTPs

Note that you can always use a nginx or any other webserver for local TLS termination if that fits your operations workflow better.

Requirements#

You only need:

  • A X.509 certificate
  • A private key in PKCS#8 format

Below you can find a guide that describes how to create a self-signed X.509 certificate and PKCS#8 private key.

Generating a self-signed TLS certificate and key#

If you want to use a self-signed certificate, all you need is a recent version of openssl. This should come pre-installed on most Linux distributions.

Start by creating a file called openssl-nzyme.cnf in any directory you like:

[req]distinguished_name = req_distinguished_namex509_extensions = v3_reqprompt = no
# Details about the issuer of the certificate[req_distinguished_name]C = USST = Some-StateL = Some-CityO = My CompanyOU = My DivisionCN = nzyme.example.com
[v3_req]keyUsage = keyEncipherment, dataEnciphermentextendedKeyUsage = serverAuthsubjectAltName = @alt_names
# IP addresses and DNS names the certificate should include# Use IP.### for IP addresses and DNS.### for DNS names,# with "###" being a consecutive number.[alt_names]IP.1 = 203.0.113.42DNS.1 = nzyme.example.com

Adapt the [req_distinguished_name] and [alt_names] sections of the configuration file to fit your environment.

Next, we create the private key and certificate, valid for 365 days:

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-nzyme.cnf -keyout pkcs5-plain.pem -out cert.pem

The last step is to convert the key to the required PKCS#8 format:

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out key.pem

You can delete the temporary pkcs5-plain.pem key file:

rm pkcs5-plain.pem

Configuring nzyme#

No matter if your certificate is self-signed or not, you should have a cert and a key file now. All you have to do is to enable TLS and point nzyme to the two files:

interfaces: {  rest_listen_uri: "https://0.0.0.0:22900/"  http_external_uri: "https://nzyme.example.org:22900/"  use_tls: true  tls_certificate_path: /path/to/cert.pem  tls_key_path: /path/to/key.pem}

Note that the rest_listen_uri and http_external_uri changed to use HTTPs. If you forget to do this, nzyme will complain and refuse to start up.

Start up nzyme with the new configuration and you should be able to access it via HTTPs.