# Securing the Rportd API with HTTPS

Rportd supports HTTPS without the need for a reverse proxy. Open the rportd.conf file and enter the path to a certificate or certificate chain and a server key. The key must not be password protected.

[api]
  ## Defines the IP address and port the API server listens on
  ## specify non-empty {address} to enable API support
  address = "0.0.0.0:3000"
  ## ..snip ...snap
  ## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
  ## Intermediate certificates should be included in cert_file if required.
  #cert_file = "/var/lib/rport/server.crt"
  #key_file = "/var/lib/rport/server.key"
1
2
3
4
5
6
7
8
9

If a cert_file and a key_file are specified, the protocol automatically switches from HTTP to HTTPs.

If the IP address of your server has a public domain name you can generate a free certificate quite easily using Let's encrypt.

Make sure no other software is using the TCP port 80 during the certificate generation and your firewall is not blocking access to TCP 80.

DOMAIN=<YOUR_DOMAIN>
apt install certbot
certbot certonly -d $DOMAIN -n --agree-tos --standalone -m <YOUR_EMAIL>
# Change group ownerships so rport can read the files
chgrp rport /etc/letsencrypt/archive/
chmod g+rx /etc/letsencrypt/archive/
chgrp rport /etc/letsencrypt/live/
chmod g+rx /etc/letsencrypt/live/
chgrp rport /etc/letsencrypt/archive/$DOMAIN/
chmod g+rx /etc/letsencrypt/archive/$DOMAIN/
chgrp rport /etc/letsencrypt/archive/$DOMAIN/privkey1.pem
chmod g+rx /etc/letsencrypt/archive/$DOMAIN/privkey1.pem
chgrp rport /etc/letsencrypt/live/$DOMAIN/
ls -l /etc/letsencrypt/live/$DOMAIN/
1
2
3
4
5
6
7
8
9
10
11
12
13
14

This will create the server key, certificates, and chains in /etc/letsencrypt/live/$DOMAIN/. Note that the files and folders generated by certbot are readable only by root. So change your ownerships accordingly.

Now set up your rportd.conf like this.

[api]
  ## Defines the IP address and port the API server listens on
  ## specify non-empty {address} to enable API support
  address = "0.0.0.0:3000"
  ## ..snip ...snap
  ## If both cert_file and key_file are specified, then rportd will use them to serve the API with https.
  ## Intermediate certificates should be included in cert_file if required.
  cert_file = "/etc/letsencrypt/live/<YOUR_DOMAIN>/fullchain.pem"
  key_file = "/etc/letsencrypt/live/<YOUR_DOMAIN>/privkey.pem"
1
2
3
4
5
6
7
8
9

Restart rportd after any changes to the configuration file. Check your SSL setup is working properly by executing curl -Iv -u admin:foobaz https://$DOMAIN:3000/api/v1/status. You should not get any errors.

On Ubuntu a systemd timer to renew the certificates every 12 hours is created on the installation of the certbot package. For details look at /etc/systemd/system/timers.target.wants/certbot.timer. On other distribution you might set up a cron manually that executes certbot -q renew every 12 hours.