Enable https / set SSL certificate

Prerequisites

Before enabling https for Helmut4, make sure you have a valid SSL certificate in place.

We recommend defining an easy DNS name so that any user can open the website without any hassle.

  • You need to use X509CO cert format

  • The .key must be RSA; we do not support elliptic-curve keys for now

  • The .key file should not be password protected

  • Please ensure the SSL certificate is signed and valid

  • The certificate needs to be named: server.crt

  • The key needs to be named: server.key

  • Access to the helmut4 server as well as to portainer

This operation will interrupt Helmut's normal operation. Please plan a downtime window and ensure an up-to-date backup is done before changing any configuration.

Install SSL certificate

Open a remote connection to your server and transfer your certificate to it.

The two certificate files (server.crt + server.key) should be copied into /root/certs

It is possible to use another location but this would require additional configuration (-> volumes)

Enable https mode

Open a browser, navigate to portainer - http://helmut_server_address:9000 and log in.

Navigate to the helmut4 stack via primary (1) -> stacks (2) -> helmut4 (3) -> editor (4)

Navigate to the traefik container configuration and look for this command, which should be around line 13:

#Disabled - using http
#command: --configFile=/etc/traefik-ssl/traefik.toml

Remove the # from the beginning, so the configuration looks like this:

#Enabled - using https
command: --configFile=/etc/traefik-ssl/traefik.toml

If you have this line, and it starts with a #, delete this character to uncomment the line. If you don't have this line, please add it below the image: line.

Now navigate to the volumes section of the traefik configuration, which should start around line 42.

Please remove the # from the volume entry, so the mapping looks like this:

- /root/certs:/certs

Scroll all the way down and click the "update the stack" button.


Once the stack has been re-deployed, the helmut4 webpage can be accessed using https://.

Please check if the certificate is represented and trusted by your local authority.

Convert pem certificate into crt / key

When dealing with a PEM certificate, whether singular or split (cert + key), the recommended method for conversion into .crt and .key files is to open them in an editor and copy/paste the content into the respective server.* files.

Caution is advised: ensure there are no empty lines at the end of both files, as this may cause issues. We recommend removing any comments as well. This is an example of a PEM file containing both the key and certificate.

If there are several certificates for a CA-chain those need to be copied one after another which will look like this:
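The copy/paste conversion in this section can also be scripted. The following is an added example, not Helmut4's or MoovIT's own code: it splits a PEM bundle into the text for server.crt and server.key, drops comments and empty lines, keeps the chain in its input order, and goes one step further by rejecting the key types the prerequisites rule out. The names split_pem, check_key and SAMPLE and the sample bundle are assumptions made for illustration.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID rsaEncryption
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed sample: placeholder base64 payloads, not real key material.
SAMPLE = """# exported bundle: key, leaf certificate, then the CA chain
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQta2V5
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtbGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtY2E=
-----END CERTIFICATE-----

"""


def check_key(label, lines):
    """Reject the key types the prerequisites rule out."""
    if "ENCRYPTED" in label or "".join(lines[:1]).startswith("Proc-Type: 4,ENCRYPTED"):
        raise ValueError("key is password protected")
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        raise ValueError("key type is not RSA: " + label)
    if label == "PRIVATE KEY" and RSA_OID not in base64.b64decode("".join(lines))[:40]:
        raise ValueError("PKCS#8 key is not RSA")


def split_pem(text):
    """Return (server.crt, server.key) text; each ends in exactly one newline."""
    certs, keys = [], []
    for label, body in PEM.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        block = "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])
        if label == "CERTIFICATE":
            certs.append(block)  # input order is kept for the chain
        elif label.endswith("PRIVATE KEY"):
            check_key(label, lines)
            keys.append(block)
    if not certs or len(keys) != 1:
        raise ValueError("need at least one certificate and exactly one key")
    return "\n".join(certs) + "\n", keys[0] + "\n"


if __name__ == "__main__":
    print("server.crt:\n%sserver.key:\n%s" % split_pem(SAMPLE), end="")
```

The check is structural only: it does not verify that the key belongs to the certificate or that the certificate is signed and valid.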

Communication client and panels

Utilizing SSL will significantly affect communication between the client and the panels. When SSL is employed, all communication between these two entities will be transmitted via https://localhost. In contrast, if Helmut is used without SSL, the communication will be switched to http://localhost.

To facilitate this, a certificate issued by MoovIT will be employed. In the event that this certificate is not approved by the local security department, there is the option to configure a custom .p12 certificate, which can be utilized for this communication.

Information intended for the panel will be sent from the website to the client using the dedicated SSL certificate set up, for example, at https://helmut.domain. The information will then be processed and forwarded from the client to the panel, utilizing https://localhost, as there is no direct communication between the panel and the website.