Set up TLS without reverse proxy
This page describes StackState version 4.3.
The StackState 4.3 version range is End of Life (EOL) and no longer supported. We encourage customers still running the 4.3 version range to upgrade to a more recent release.
StackState prefers Kubernetes!
In the future we will move away from Linux support. Read how to migrate from the Linux install of StackState to the Kubernetes install.
This document provides the steps to set up TLS on StackState application side with no reverse proxy configured.
Prerequisites
Prepare a TLS keypair in PKCS12 format. Certificate should include the hostname by which StackState will be accessed, e.g.
stackstate.infra.company.tld.Configure StackState
Step 1. Configure applications
a. Enable TLS for Web UI/API by configuring section
stackstate.api.tls in etc/application_stackstate.conf:1
tls {
2
enabled = true
3
keystore {
4
path = "/path/to/keystore.pfx"
5
password = "password"
6
storeType = "PKCS12"
7
}
8
}
Copied!
b. Enable TLS for topology/telemetry receiver by configuring a section
stackstate.receiver.tls in etc/stackstate-receiver/application.conf:1
tls {
2
enabled = true
3
keystore {
4
path = "/path/to/keystore.pfx"
5
password = "password"
6
storeType = "PKCS12"
7
}
8
}
Copied!
Step 2. Configure the process manager
a. Configure health check URL (
properties.receiver-healthcheckuri) in etc/processmanager/processmanager-properties.conf using https protocol and the hostname:1
receiver-healthcheckuri = "https://stackstate.infra.company.tld:7077/health"
Copied!
b. (optional, if a self-signed certificate is used) Make process manager trust self-signed certificate by adding the following settings under
server.akka section in etc/processmanager/processmanager-properties.conf:1
ssl-config {
2
trustManager = {
3
stores = [
4
{type: "PEM", path: "/path/to/certificate-authority.pem"},
5
]
6
}
7
}
Copied!
Step 3. Configure Stackpacks configuration defaults
Configure the default receiver URL (
stackstate.receiver.baseUrl) in etc/application_stackstate.conf using https protocol and the hostname:1
stackstate.receiver.baseUrl = "https://stackstate.infra.company.tld:7077"
Copied!
Step 4. Apply changes
Restart StackState to apply these changes:
1
sudo systemctl restart stackstate.service
Copied!
Configure StackState Agent
Option 1. Agent running in Docker
a. (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:
1
mkdir self-signed-certs
2
cd self-signed-certs
3
cp /path/to/certificate-authority.pem ./ca.crt
4
cp ./ca.crt ./ca-certificates.crt
Copied!
b. Update the docker container parameters with:
- configured URLs with
httpsand the hostname in environment variables for receiver endpointsSTS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgentSTS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgentSTS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent
- (for self-signed) mount prepared certificates into
/etc/ssl/certsof a container
Example:
1
docker run -ti --rm\
2
-e STS_API_KEY=<api key>
3
-v /path/to/self-signed-certs:/etc/ssl/certs \
4
-e STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent \
5
-e STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent \
6
-e STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent \
7
stackstate/stackstate-agent-2:2.1.0
Copied!
Option 2. Agent running on machine
a. Update the receiver URLs using
https and the hostname in /etc/stackstate-agent/stackstate.yaml:1
sts_url: https://stackstate.infra.company.tld:7077/stsAgent
2
process_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
3
apm_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
Copied!
b. If a self-signed certificate is used, then import it with the default keystore of the operating system. Ubuntu:
1
cp /path/to/certificate-authority.pem /usr/local/share/ca-certificates/stackstate.crt # extension .crt is important here
2
sudo update-ca-certificates
Copied!
Last modified 3mo ago