Set up TLS for the Anbox Cloud Appliance

The Anbox Cloud Appliance uses a self-signed certificate to provide HTTPS services. If you want to serve the appliance over HTTPS using a valid SSL/TLS certificate, follow the steps in this document to generate and install a valid SSL/TLS certificate on the Anbox Cloud Appliance.

If you run the appliance on AWS, you can choose to use the AWS Certificate Manager. Otherwise, you must manage the certificate yourself manually.

Prerequisites

Before you start, make sure the following requirements are met:

Manage the certificate manually

To generate and install a certificate yourself, complete the following steps:

Add a DNS record

Setting up DNS redirection depends on your DNS provider. Refer to the documentation of your provider to create a DNS record pointing to the IP/DNS of the machine where the Anbox Cloud Appliance is running.

Configure the location

Configure the location for the appliance using the created DNS name by running the following command:

sudo anbox-cloud-appliance config set network.location=your.dns.name

The change will be automatically applied and will cause all services components of the appliance to restart. If you want to defer the restart to a later point, you can use the --no-restart option.

Generate an SSL certificate

There are many ways to create a valid SSL certificate. One way is to use Let’s Encrypt to generate a free SSL certificate.

First, connect and SSH into your appliance instance, and install the certbot snap:

sudo snap install --classic certbot

Using certbot requires that TCP port 80 is not in use as it will use the port to verify your ownership of the requested DNS name. The Anbox Cloud Appliance only occupies TCP port 443. Please ensure that nothing is listening on the machine on TCP port 80 before you continue.

Then run the following command to generate your certificate:

sudo certbot certonly --standalone

This command prompts you to enter the domain name for the certificate to be generated. You will see the following message when the certificate is created successfully:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/<your domain name>/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/<your domain name>/privkey.pem
This certificate expires on yyyy-MM-dd.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Install the SSL certificate

Copy the generated certificate to the /var/snap/anbox-cloud-appliance/common/daemon directory:

sudo cp /etc/letsencrypt/live/<your domain name>/fullchain.pem /var/snap/anbox-cloud-appliance/common/daemon/server.crt
sudo cp /etc/letsencrypt/live/<your domain name>/privkey.pem /var/snap/anbox-cloud-appliance/common/daemon/server.key

Then restart the appliance service to make it load the new key and certificate:

sudo snap restart anbox-cloud-appliance.daemon

With the certificate installed on the appliance, you now can access the appliance using the created domain name and will be presented with a valid certificate.

Renew the SSL certificate

The certbot snap packages installed on your machine would have already set up a systemd timer that automatically renews your certificates before they expire. However, to get the certificate renewed successfully for the appliance, you can create post-start hook for certbot which will automatically reconfigure it:

cat <<EOF | sudo tee /etc/letsencrypt/renewal-hooks/post/001-start-appliance.sh
#!/bin/bash
sudo cp /etc/letsencrypt/live/<your domain name>/fullchain.pem /var/snap/anbox-cloud-appliance/common/daemon/server.crt
sudo cp /etc/letsencrypt/live/<your domain name>/privkey.pem /var/snap/anbox-cloud-appliance/common/daemon/server.key
sudo snap restart anbox-cloud-appliance.daemon
EOF
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/001-start-appliance.sh

Note

The appliance will be restarted when the renewal of the SSL certificate is complete, to let the reverse proxy reload the certificate.