Set up TLS without reverse proxy
StackState Self-hosted v5.0.x
This page describes StackState version 5.0.
StackState prefers Kubernetes!
In the future we will move away from Linux support. Read how to migrate from the Linux install of StackState to the Kubernetes install.
This document provides the steps to set up TLS on StackState application side with no reverse proxy configured.
Prepare a TLS keypair in PKCS12 format. Certificate should include the hostname by which StackState will be accessed, e.g.
stackstate.infra.company.tld
.a. Enable TLS for Web UI/API by configuring section
stackstate.api.tls
in etc/application_stackstate.conf
:tls {
enabled = true
keystore {
path = "/path/to/keystore.pfx"
password = "password"
storeType = "PKCS12"
}
}
b. Enable TLS for topology/telemetry receiver by configuring a section
stackstate.receiver.tls
in etc/stackstate-receiver/application.conf
:tls {
enabled = true
keystore {
path = "/path/to/keystore.pfx"
password = "password"
storeType = "PKCS12"
}
}
a. Configure health check URL (
properties.receiver-healthcheckuri
) in etc/processmanager/processmanager-properties.conf
using https
protocol and the hostname: receiver-healthcheckuri = "https://stackstate.infra.company.tld:7077/health"
b. (optional, if a self-signed certificate is used) Make process manager trust self-signed certificate by adding the following settings under
server.akka
section in etc/processmanager/processmanager-properties.conf
:ssl-config {
trustManager = {
stores = [
{type: "PEM", path: "/path/to/certificate-authority.pem"},
]
}
}
Configure the default receiver URL (
stackstate.receiver.baseUrl
) in etc/application_stackstate.conf
using https
protocol and the hostname:stackstate.receiver.baseUrl = "https://stackstate.infra.company.tld:7077"
Restart StackState to apply these changes:
sudo systemctl restart stackstate.service
a. (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:
mkdir self-signed-certs
cd self-signed-certs
cp /path/to/certificate-authority.pem ./ca.crt
cp ./ca.crt ./ca-certificates.crt
b. Update the docker container parameters with:
- configured URLs with
https
and the hostname in environment variables for receiver endpointsSTS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent
STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent
STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent
- (for self-signed) mount prepared certificates into
/etc/ssl/certs
of a container
Example:
docker run -ti --rm\
-e STS_API_KEY=<api key>
-v /path/to/self-signed-certs:/etc/ssl/certs \
-e STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent \
-e STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent \
-e STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent \
stackstate/stackstate-agent-2:2.1.0
a. Update the receiver URLs using
https
and the hostname in /etc/stackstate-agent/stackstate.yaml
:sts_url: https://stackstate.infra.company.tld:7077/stsAgent
process_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
apm_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
b. If a self-signed certificate is used, then import it with the default keystore of the operating system. Ubuntu:
cp /path/to/certificate-authority.pem /usr/local/share/ca-certificates/stackstate.crt # extension .crt is important here
sudo update-ca-certificates
Last modified 11mo ago