SSL Certificate Management
Default Configuration
APTRS uses HTTPS with a self-signed certificate by default. While this provides encryption, browsers will display security warnings because the certificate isn't issued by a trusted certificate authority (CA).
Replacing the Self-Signed Certificate
You can replace the default self-signed certificate with your own certificate in one of two ways:
Option 1: Replace Certificate Files in Docker
If you're using the Docker deployment method, you can replace the certificate files located at:
https://github.com/APTRS/APTRS/tree/main/Certificate
You'll need to replace both:
- certificate.crt
- Your SSL certificate file
- certificate.key
- Your private key file
After replacing these files, rebuild and restart your Docker containers:
docker-compose down
docker-compose build
docker-compose up -d
Option 2: Use Nginx as SSL Termination Proxy (Recommended)
For production environments, we recommend using Nginx as an SSL termination proxy in front of APTRS. This method allows you to:
- Use professionally issued certificates (e.g., Let's Encrypt)
- Manage certificate renewals outside of the APTRS containers
- Configure advanced SSL settings for optimal security
Steps for Nginx SSL Configuration:
- Obtain a valid SSL certificate (e.g., using Let's Encrypt certbot)
- Configure Nginx with your certificate
- Set up Nginx to proxy requests to APTRS
Example Nginx configuration with SSL:
server {
listen 80;
server_name your-aptrs-domain.com;
# Redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name your-aptrs-domain.com;
# SSL Certificate Configuration
ssl_certificate /path/to/your/fullchain.pem;
ssl_certificate_key /path/to/your/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Proxy to APTRS
location / {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Using Let's Encrypt for Free SSL Certificates
For production environments, Let's Encrypt provides free, trusted SSL certificates that are automatically renewable.
Installing Certbot for Let's Encrypt:
# For Ubuntu/Debian systems
sudo apt update
sudo apt install certbot python3-certbot-nginx
# For CentOS/RHEL systems
sudo dnf install certbot python3-certbot-nginx
Obtaining a Certificate:
sudo certbot --nginx -d your-aptrs-domain.com
This command will: 1. Obtain a certificate 2. Automatically configure your Nginx settings 3. Set up automatic renewal
Certificate Renewal
Let's Encrypt certificates expire after 90 days. Certbot installs a cron job or systemd timer to automatically renew your certificates before they expire.
SSL Certificate Best Practices
- Use Strong Protocols: Enable only TLSv1.2 and TLSv1.3
- Configure Forward Secrecy: Use ECDHE and DHE cipher suites
- Implement HSTS: Add Strict-Transport-Security header
- Test Your Configuration: Use SSL Labs to verify your setup
- Automate Renewals: Ensure certificates are automatically renewed before expiration