Update SSL Certificate and Set Up HTTPS
This document will guide you through the procedure for deploying the SSL keys required for Hubble to be served as an HTTPS website.
Pre-Requisites
To enable HTTPS support, you must choose the appropriate "Web Protocol" option while generating your Hubble configuration files (through http://<application_server_ip>:3000/), as seen in the screenshot below:
This will result in a series of configuration changes on both the Application Server and in the run-list.json file to add support for HTTPS.
Note: Your certificate will need to match the DNS name set in the “Web URL” field of the Hubble Configuration UI. You will need to provide a valid certificate when you set this option, or you will not be able to deploy and use Hubble.
Certificate Format
The certificate will need to be in the PEM format. The *.pem file should include the unencrypted private key and the certificate, and should look something like this:
-----BEGIN CERTIFICATE-----
MIIGHDCCBASgAwIBAgIJAOYUF7suWFf6MA0GCSqGSIb3DQEBCwUAMIGiMQswCQYD
VQQGEwJHQjEPMA0GA1UECAwGTG9uZG9uMQ8wDQYDVQQHDAZMb25kb24xHDAaBgNV
(...)
XxlB5awCzDzPp2Eoy119i5Swaqs7uSe4hIsh3AqgRW60Nqszq/8l9W2fdIa4pAGD
IXSoNZ9bQau4aIoX1mqVpZekwmeM7kg83/Imxm8DvoY=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC/HKAVe9BPJhGs
UhEBa0Dtd4py282j/qbQwd+MctxTD3JITr1s+4fIiM6h/xLsvfK3r5ERGu7XNUS1
(...)
FGgKJwCzc7PItonqS+WIdDAJeGxHDvqalquODRnvo6p5KZBUOa6AovRkbNN/MTRp
33e/HBYiHx+Wt6QvRwCQgC3y2o2pcQ==
-----END PRIVATE KEY-----
If you have your certificate and private key in separate files (e.g. in *.cert and *.pk files), you can merge them into a single file (called haproxy.pem) using the structure above. You can do this, for example, by using the Linux "cat" command:
cat certificate.cert primary-key.pk > haproxy.pem
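Before copying haproxy.pem to the Application Server, you can confirm that it meets the requirements above: an unencrypted private key, a key that belongs to the certificate, a certificate that has not expired, and a name that matches the “Web URL”. The shell function below is an added example, not part of the Hubble tooling; it assumes the openssl command-line tool is installed, and the function name check_haproxy_pem is hypothetical.

```shell
#!/bin/sh
# Added example (not Hubble tooling): pre-deployment check for haproxy.pem.
# Usage: check_haproxy_pem <pem-file> <dns-name-from-Web-URL>
# Returns 0 when every check passes, a distinct non-zero code otherwise.
check_haproxy_pem() {
    pem=$1
    host=$2
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # The file must contain a certificate block.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block found" >&2; return 3; }

    # The key must be unencrypted: reject PKCS#8 and legacy encrypted forms.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is encrypted" >&2; return 4
    fi

    # Exactly one private key block is expected.
    nkeys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || true)
    [ "$nkeys" -eq 1 ] ||
        { echo "expected 1 private key, found $nkeys" >&2; return 5; }

    # The key must belong to the first certificate in the file: compare the
    # public key in the certificate with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "certificate does not parse" >&2; return 6; }
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) ||
        { echo "private key does not parse" >&2; return 6; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 7; }

    # The certificate must not already be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 8; }

    # The certificate must cover the DNS name set in the "Web URL" field.
    openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match' ||
        { echo "certificate does not cover $host" >&2; return 9; }
    return 0
}
```

Source the file and call the function with the merged file and the DNS name from the “Web URL” field; a non-zero return code identifies which requirement failed.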
New Deployments
When deploying for the first time, you should follow these steps after generating the Hubble Configurations (see the Hubble Application Server Installation section of the Hubble Initial Deployment Guide):
- In the Application Server, create the directory that will host the certificates, as follows:
mkdir -p /mnt/data/containers/hubble_loadbalancer/certificates/
- Copy your certificate to the newly created folder using a file copy tool such as scp. Assuming you already have the .pem file ready (as described in the “Certificate Format” section above), you will only need to run this command to complete the process (you may swap scp with pscp, or use another tool such as WinSCP, if your certificate is on a Windows machine):
scp mycert.pem root@<application_server_ip_address>:/mnt/data/containers/hubble_loadbalancer/certificates/haproxy.pem
- You can now proceed with the rest of the new deployment steps (i.e. the “Start the Hubble Application Server services” stage of the instructions).
Existing Deployments
To implement HTTPS in an existing deployment, you will need to do so during an upgrade to a new Hubble release. The procedure is as follows:
- Ensure that the Hubble Configuration UI (http://<application_server_ip_address>:3000/) is running. If it is not, start it by running the following command in your Application Server:
/etc/hubble/Configuration/start.sh
- Generate a new configuration using the Configuration UI, selecting the “HTTPS” option in the “Web Protocol” field.
Once you are finished, stop the Configuration UI by running:
/etc/hubble/Configuration/stop.sh
- Copy your HTTPS certificate to the appropriate location on the Application Server. You can do so by running this command (you may swap scp with pscp, or use another tool such as WinSCP, if your certificate is on a Windows machine):
scp mycert.pem root@<application_server_ip_address>:/mnt/data/containers/hubble_loadbalancer/certificates/haproxy.pem
- You will now need to restart the Hubble services in your Application Server by running:
/etc/hubble/start.sh
- Finally, you will need to run the installer script, c:\chef\run.bat, to apply the changes to Hubble Web.
- You should now be able to access Hubble through HTTPS (provided that the installer script ran successfully in the previous step).