My own SSL Certificates for my site

Hello all.

I would like to use my own SSL certificate for my domain. I have read in the documentation that it is possible via a volume mounted in the proxy service. Does anyone have an example? I suppose I will have to mount the “deployment” volume, but I don’t know the path to the certificates.

Any help would be appreciated. Thanks in advance.

We are using standard letsencrypt and they are mapped to the /deployment folder.

docker exec -ti openremote_proxy_1 find /deployment/
/deployment/
/deployment/acme-webroot
/deployment/letsencrypt
/deployment/letsencrypt/live
/deployment/letsencrypt/live/snmp.mvp.openremote.io
/deployment/letsencrypt/live/snmp.mvp.openremote.io/chain.pem
/deployment/letsencrypt/live/snmp.mvp.openremote.io/cert.pem
/deployment/letsencrypt/live/snmp.mvp.openremote.io/haproxy.pem
/deployment/letsencrypt/live/snmp.mvp.openremote.io/privkey.pem
/deployment/letsencrypt/live/snmp.mvp.openremote.io/README
/deployment/letsencrypt/live/snmp.mvp.openremote.io/fullchain.pem
/deployment/letsencrypt/live/README
/deployment/letsencrypt/csr
/deployment/letsencrypt/csr/0000_csr-certbot.pem
/deployment/letsencrypt/csr/0001_csr-certbot.pem
/deployment/letsencrypt/keys
/deployment/letsencrypt/keys/0001_key-certbot.pem
/deployment/letsencrypt/keys/0000_key-certbot.pem
/deployment/letsencrypt/archive
/deployment/letsencrypt/archive/snmp.mvp.openremote.io
/deployment/letsencrypt/archive/snmp.mvp.openremote.io/fullchain1.pem
/deployment/letsencrypt/archive/snmp.mvp.openremote.io/privkey1.pem
/deployment/letsencrypt/archive/snmp.mvp.openremote.io/cert1.pem
/deployment/letsencrypt/archive/snmp.mvp.openremote.io/chain1.pem
/deployment/letsencrypt/archive/ycon.openremote.io
/deployment/letsencrypt/archive/ycon.openremote.io/fullchain1.pem
/deployment/letsencrypt/archive/ycon.openremote.io/privkey1.pem
/deployment/letsencrypt/archive/ycon.openremote.io/cert1.pem
/deployment/letsencrypt/archive/ycon.openremote.io/chain1.pem
/deployment/letsencrypt/renewal
/deployment/letsencrypt/renewal/snmp.mvp.openremote.io.conf
/deployment/letsencrypt/renewal/ycon.openremote.io.conf
/deployment/letsencrypt/renewal-hooks
/deployment/letsencrypt/renewal-hooks/pre
/deployment/letsencrypt/renewal-hooks/deploy
/deployment/letsencrypt/renewal-hooks/post
/deployment/letsencrypt/accounts
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dd4c7dbbccbe9f97361a0ca47218422e
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dd4c7dbbccbe9f97361a0ca47218422e/meta.json
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dd4c7dbbccbe9f97361a0ca47218422e/regr.json
/deployment/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/dd4c7dbbccbe9f97361a0ca47218422e/private_key.json

Here you can see that we are using the snmp.mvp.openremote.io domain and the cert is stored in the /deployment/letsencrypt/live/snmp.mvp.openremote.io directory.

BTW, why do you want to use your own cert?

You can start the proxy container with the following:

command: start-with-certificate
environment:
  LOCAL_CERT_FILE: /my/cert/file
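
A pre-flight check one might run before pointing LOCAL_CERT_FILE at a custom certificate, added here as an example (not part of the original post and not OpenRemote's own tooling). It assumes the proxy expects a single HAProxy-style PEM like the haproxy.pem in the listing above and that openssl is installed; the function names and the 7-day expiry threshold are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: verify a bring-your-own certificate before mounting it.
# Assumption: LOCAL_CERT_FILE is one PEM file (certificate chain, then key).

# key_matches_cert CERT KEY -> 0 if KEY is the private key of the leaf cert
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_host CERT HOSTNAME -> 0 if the cert is valid for HOSTNAME
# (subjectAltName, with openssl's fallback to CN when no SAN is present)
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# cert_valid_for CERT SECONDS -> 0 if the cert does not expire within SECONDS
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# build_proxy_pem FULLCHAIN KEY HOSTNAME OUT
# Writes OUT (mode 600) only when every check passes.
build_proxy_pem() {
  local chain=$1 key=$2 host=$3 out=$4
  key_matches_cert "$chain" "$key" ||
    { echo "private key does not match certificate" >&2; return 2; }
  cert_covers_host "$chain" "$host" ||
    { echo "certificate does not cover $host" >&2; return 3; }
  cert_valid_for "$chain" 604800 ||
    { echo "certificate expires within 7 days" >&2; return 4; }
  ( umask 077; cat "$chain" "$key" > "$out" ) && chmod 600 "$out"
}

# Usage: ./check-cert.sh fullchain.pem privkey.pem your.domain.name out.pem
if [ "$#" -eq 4 ]; then
  build_proxy_pem "$@"
fi
```

The resulting file contains the private key, so mount it into the proxy container read-only and keep it out of version control.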

The reason to use my own certificate: I have deployed OR for testing on my own machine via docker-compose, and when I access the UI via my domain I get an invalid certificate and I have to create an exception in my browser (Error-Code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT). This certificate generated by OR corresponds to “localhost” and not my domain.

  • If I run a find as suggested, I have empty directories:

/deployment/
/deployment/acme-webroot
/deployment/letsencrypt
/deployment/letsencrypt/live

I just want to use my certificates corresponding to my domain instead of the localhost one defined.

Thanks again for your help.

If you use openremote-cli then you can simply pass a custom domain to it:

openremote-cli deploy --dnsname your.domain.name

Of course you need to forward a port from the internet so letsencrypt can issue the cert.

localhost is defined in the docker-compose.yml. You can also edit this file.

The only case where you need to use your own cert is if your network is isolated from the internet. In other situations, using a custom domain when setting up the stack is much less trouble.