Enable https / set SSL certificate
Certificate Expiry
SSL/TLS certificates cannot be issued for more than 13 months (397 days).
This policy change was announced by major browsers, including Google and Apple, at the CA/Browser Forum in March 2020.
For more information, please refer to these sources:
A longer expiry date does work; however, it may lead to issues, as these certificates might not be accepted on macOS or within panel extensions in Premiere Pro or After Effects.
Prerequisites
Before enabling https for Helmut4, make sure you have a valid SSL certificate in place.
We recommend defining a simple DNS name so that any user can open the website without any hassle.
You need to use X509CO cert format
The .key must be RSA; we do not support elliptic-curve keys for now
The .key file should not be password protected
Please ensure the SSL certificate is signed and valid
The certificate needs to be named: server.crt
The key needs to be named: server.key
Access to the helmut4 server as well as to portainer
This operation will interrupt Helmut's normal operation. Please plan a downtime window and ensure an up-to-date backup is done before changing any configuration.
Certificate Requirements
It is preferable to use a certificate issued by an official Certificate Authority (CA), especially if the system is hosted on a public network or cloud instance.
If you are using a self-generated certificate, please ensure that you set a proper Common Name (CN) and Certificate Subject Alternative Name. For instance, if a DNS name is missing or a user attempts to access the server using its IP address via HTTPS, it may result in a disconnection error displayed as "Helmut Client is not running".
Verify SSL Certificate & Key
To verify the RSA keys used for the certificate in advance, please refer to: Verify RSA keys for SSL certificate
Install SSL certificate
Open a remote connection to your server and transfer your certificate to it.
The two certificate files (server.crt + server.key) should be copied into /root/certs
It is possible to use another location but this would require additional configuration (-> volumes)
Enable https mode
Open a browser, navigate to portainer - http://helmut_server_address:9000 and log in.
Navigate to the helmut4 stack via primary (1) -> stacks (2) -> helmut4 (3) -> editor (4)
Navigate to the traefik container configuration and look for this command, which should be around line 13:
Remove the # from the beginning, so the configuration looks like this
If you have this line, and it starts with a #, delete this character to uncomment the line. If you don't have this line, please add it below the image: line
Now navigate to the volumes section of the traefik configuration, which should start around line 42.
Please remove the # from the volume entry, so the mapping looks like this
Scroll all the way down and click the "update the stack" button.
Once the stack has been re-deployed, the helmut4 webpage can be accessed using https://
Please check if the certificate is represented and trusted by your local authority.
Convert pem certificate into crt / key
When dealing with a PEM certificate, whether singular or split (cert + key), the recommended method for conversion into .crt and .key files is to open them in an editor and copy/paste the content into the respective server.* files.
Caution is advised: ensure there are no empty lines at the end of both files, as this may cause issues. We recommend removing any comments as well. This is an example of a PEM file containing both the key and certificate.
If there are several certificates for a CA-chain those need to be copied one after another which will look like this:
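As an added example (not part of the Helmut4 documentation), the manual copy/paste conversion described in this section can be scripted: the sketch below splits a combined PEM into server.crt and server.key content, drops comments and blank lines, keeps chain certificates in their original order, and rejects password-protected or elliptic-curve keys. The script name split_pem.py, the function names and the sample input are assumptions; the sample uses constructed placeholder base64, not real key material.

```python
import os
import re
import sys

# One PEM block; the label tells certificates and keys apart.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Constructed sample: placeholder base64, comments and stray blank lines.
SAMPLE = (
    "# exported by hand\n"
    "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n\n-----END RSA PRIVATE KEY-----\n"
    "subject=CN = helmut.domain\n"
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n\n")

def render(blocks):
    """Join blocks back to back: no comments, no blank lines, one final newline."""
    out = []
    for label, lines in blocks:
        out += [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
    return "\n".join(out) + "\n"

def split_pem(text):
    """Return (server.crt text, server.key text); ValueError on a bad key."""
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        if label == "CERTIFICATE":
            certs.append((label, lines))  # chain order is kept as found
        elif label.endswith("PRIVATE KEY"):
            legacy = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
            if label == "ENCRYPTED PRIVATE KEY" or legacy:
                raise ValueError("private key is password protected")
            if label == "EC PRIVATE KEY":
                raise ValueError("elliptic-curve key found, RSA is required")
            # PKCS#8 "PRIVATE KEY" hides the algorithm: verify RSA separately.
            keys.append((label, lines))
    if not certs or len(keys) != 1:
        raise ValueError("need at least one certificate and exactly one key")
    return render(certs), render(keys)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: split_pem.py combined.pem")
    crt, key = split_pem(open(sys.argv[1]).read())
    with open("server.crt", "w") as fh:
        fh.write(crt)
    # Create server.key readable by its owner only.
    fd = os.open("server.key", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key)
```

The script only inspects the PEM framing; it does not confirm that the certificate is signed and valid or that the key matches the certificate.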
Communication client and panels
Utilizing SSL will significantly affect communication between the client and the panels. When SSL is employed, all communication between these two entities will be transmitted via https://localhost. In contrast, if Helmut is used without SSL, the communication will be switched to http://localhost.
To facilitate this, a certificate issued by MoovIT will be employed. In the event that this certificate is not approved by the local security department, there is the option to configure a custom .p12 certificate, which can be utilized for this communication.
Information intended for the panel will be sent from the website to the client using the dedicated SSL certificate set up, for example, at https://helmut.domain. The information will then be processed and forwarded from the client to the panel, utilizing https://localhost, as there is no direct communication between the panel and the website.