HTTPS Certificates
Configuration of ESB3024 AgileTV CDN Director is done through a REST API over HTTPS. The router installer generates a self-signed certificate so that the interface can be enabled at all, but this is not considered safe and secure, so a properly generated certificate should be used instead.
For SSL to work, the router needs both an X.509 certificate and a key in ASCII-armored PEM format:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
The files can be either separate .crt and .key files or a combined .pem file.
Simply copy the file(s) generated by your CA service into the /opt/edgeware/acd/ssl folder on the host machine and they will automatically be used by the Director. Several key/crt pairs can be placed in the folder in order to support more than one domain name.
Wildcard certificates are supported, so a single certificate can be used for multiple subdomains.
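A pre-flight check that can be run on a certificate and key before they are copied into /opt/edgeware/acd/ssl, added here as an example and not part of the vendor documentation. It assumes the openssl command-line tool is installed; check_pair and make_demo_pair are names made up for this example, and the demo files and hostnames are constructed.

```sh
#!/bin/sh
# Added example, not vendor code: pre-flight check for a certificate/key pair.

# check_pair CERT KEY [HOSTNAME]   (combined .pem: pass the same path twice)
# Returns 0 usable, 1 key does not belong to cert, 2 file unreadable,
#         3 certificate expired, 4 HOSTNAME not covered by the certificate.
check_pair() {
    cert=$1; key=$2; host=${3:-}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: no certificate in $cert" >&2; return 2; }
    # "-passin pass:" makes an encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: no unencrypted private key in $key" >&2; return 2; }
    # Both commands print the public key as PEM; a real pair prints the same one.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key is not the key for $cert" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired" >&2; return 3; }
    if [ -n "$host" ]; then
        # -checkhost applies wildcard matching and reports in its output text.
        openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate' ||
            { echo "FAIL: $cert does not cover $host" >&2; return 4; }
    fi
    echo "OK: $cert + $key"
}

# make_demo_pair DIR NAME DNSNAME: constructed throwaway self-signed pair.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo on constructed sample files; all hostnames are placeholders.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pair "$demo" wild '*.example.test'
make_demo_pair "$demo" other 'other.example.test'
cat "$demo/wild.key" "$demo/wild.crt" > "$demo/combined.pem"

check_pair "$demo/wild.crt" "$demo/wild.key" director.example.test
check_pair "$demo/combined.pem" "$demo/combined.pem"
check_pair "$demo/wild.crt" "$demo/other.key" || echo "rejected, exit $?"
```

On the host, drop the demo section and call check_pair with the real certificate, key and the hostname clients will use.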
Grafana
Adding HTTPS protection to Grafana is simple. The following ESB3024 Router-specific instructions are based on the official Grafana documentation.
First copy the .crt and .key files to the Grafana container. This will copy the files into /opt/edgeware/acd/grafana/etc/, but going through podman like this will ensure the correct ownership of the files so the Grafana process can properly use them:
podman cp <certificate> grafana:/etc/grafana/
podman cp <key> grafana:/etc/grafana/
Then edit /opt/edgeware/acd/grafana/etc/grafana.ini to enable SSL. Find the [server] section and set the following values; string values should have no quotation marks:
protocol to https
cert_file to /etc/grafana/<certificate>
cert_key to /etc/grafana/<key>
If any of the specified values has a semicolon (;) before the name, remove that character, since it comments the line out and the setting won’t take effect.
Finally restart the Grafana container:
systemctl restart acd-grafana
Now load up the Grafana web interface at https://<router hostname>:3000 and verify that SSL is active.