Obtain an SSL Certificate
In the last step, we hooked up a qualified domain name to our JupyterHub server. So now we'll be able to obtain an SSL certificate that goes with the specific domain. I followed this presentation to install certbot, a program used to generate SSL certificates.
Install and run certbot
We'll use certbot to obtain a standalone SSL certificate for our JupyterHub server.
But wait- we need to make sure that port 80 is open on the ufw firewall. If port 80 is closed, cirtbot won't be able to verify that our domain name is correctly configured. So before running cirtbot, make sure to open port 80.
$ sudo ufw allow 80
$ sudo ufw status
Now use the commands below to install certbot, modify permissions, and run certbot to obtain an SSL certificate. Make sure to replace mydomain.org
with your domain name.
$ cd ~
$ mkdir certbot
$ cd certbot
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ ./certbot-auto certonly --standalone -d mydomain.org
If certbot worked, and we get an SSL certificate- the output looks something like below:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.org/privkey.pem
Your cert will expire on 2018-08-15.
File Locations
Note the location of the fullchain.pem
and privkey.pem
files. In a future step, we'll add these file paths into our Nginx configuration .
We also need to allow Nginx to access these files. I had trouble getting Nginx to run and this presentation showed a way to give Nginx access to the SSL key files. There is probably a more "Linuxy" way of giving Nginx access to the cert files, but I messed around with the permission settings for a while, and using the commands below worked.
$ cd /etc/letsencrypt
$ ls
accounts archive csr keys live renewal renewal-hooks
$ sudo chmod 777 -R archive/
$ sudo chmod 777 -R live/
$ ls -la
Next Steps
The next step is to create a cookie secret, proxy auth token, and dhparem.pem file.