The Things Stack needs to be configured with Transport Layer Security (TLS) and HTTPS. This requires a TLS certificate and a corresponding key.
In this guide, we request a free, trusted certificate from Let’s Encrypt, using the built-in ACME support, but if you already have a certificate (cert.pem) and a corresponding key (key.pem), you can also use those. For local deployments, you can set up your own Certificate Authority and issue a certificate-key pair.
Automatic Certificate Management
The Things Stack can be configured to automatically retrieve and update Let’s Encrypt certificates. Assuming you followed the configuration steps, create an acme directory where The Things Stack can store the certificate data:
mkdir ./acme
sudo chown 886:886 ./acme
Warning: 886 is the UID and the GID of the user that runs The Things Stack in the Docker container. If you don’t set these permissions, you may encounter an error resembling open /var/lib/acme/acme_account+key<...>: permission denied.
The directory hierarchy should look like this:
acme/
docker-compose.yml # defines Docker services for running The Things Stack
config/
└── stack/
└── ttn-lw-stack-docker.yml # configuration file for The Things Stack
If you are using Let’s Encrypt in a multi-tenant The Things Stack environment, make sure you specify all tenant addresses in the TLS configuration of ttn-lw-stack-docker.yml. Read more in the TLS section.
Certificates will automatically be requested the first time you access The Things Stack. You will notice that the page takes some time to load while certificates are obtained in the background.
Once you have created the acme folder and given it appropriate permissions, move on to run The Things Stack!
Using Custom Certificates
To use CA certificates you already have or self-signed certificates, you will need to uncomment the custom certificates section of docker-compose.yml:
You will also need to comment out the Let’s Encrypt section of ttn-lw-stack-docker.yml, and uncomment the custom certificates section:
Certificates from a Certificate Authority
If you want to use the certificate (cert.pem) and key (key.pem) that you already have, you also need to set these permissions.
sudo chown 886:886 ./cert.pem ./key.pem
Warning: If you don’t set these permissions, you may encounter an error resembling /run/secrets/key.pem: permission denied.
The directory hierarchy should look like this:
cert.pem
key.pem
docker-compose.yml # defines Docker services for running The Things Stack
config/
└── stack/
└── ttn-lw-stack-docker.yml # configuration file for The Things Stack
Be sure to configure docker-compose.yml and ttn-lw-stack-docker.yml for your custom certificates, as shown in using custom certificates.
Custom Certificate Authority
To use TLS on a local or offline deployment, you can use your own Certificate Authority. In order to set that up, you can use cfssl, CloudFlare’s PKI/TLS toolkit. The cfssl installation instructions can be found here.
Write the configuration for your CA to ca.json:
{
"names": [
{"C": "NL", "ST": "Noord-Holland", "L": "Amsterdam", "O": "The Things Demo"}
]
}
Then use the following command to generate the CA key and certificate:
cfssl genkey -initca ca.json | cfssljson -bare ca
Now write the configuration for your certificate to cert.json:
{
"hosts": ["thethings.example.com"],
"names": [
{"C": "NL", "ST": "Noord-Holland", "L": "Amsterdam", "O": "The Things Demo"}
]
}
Note: Remember to replace thethings.example.com with your server address!
Then, run the following command to generate the server key and certificate:
cfssl gencert -ca ca.pem -ca-key ca-key.pem cert.json | cfssljson -bare cert
The next steps assume the certificate key is called key.pem, so you’ll need to rename cert-key.pem to key.pem.
At the end, your directory should look like this:
cert.pem
key.pem
ca.pem
docker-compose.yml # defines Docker services for running The Things Stack
config/
└── stack/
└── ttn-lw-stack-docker.yml # configuration file for The Things Stack
Be sure to configure docker-compose.yml and ttn-lw-stack-docker.yml for your custom certificates, as shown in using custom certificates.
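The custom CA procedure above, collected into one script as an added example (not from The Things Stack documentation or the cfssl project). It writes ca.json and cert.json for one or more hostnames, issues the CA and server certificate, renames cert-key.pem to key.pem, sets the 886:886 ownership, and then checks that the certificate chains to ca.pem and carries the hostname; it assumes cfssl, cfssljson and openssl are on PATH, and the chmod of the key is an addition beyond the docs.

```shell
#!/bin/sh
# Added example, not from The Things Stack docs. Writes the cfssl configs for the
# given hostnames, issues CA and server certificates, renames the key, fixes
# ownership and checks the result. Assumes cfssl, cfssljson and openssl on PATH.
set -eu

TTS_UID=886  # UID/GID of the user running The Things Stack inside the container
TTS_GID=886
SUBJECT='{"C": "NL", "ST": "Noord-Holland", "L": "Amsterdam", "O": "The Things Demo"}'

# Render a JSON array of hostnames; refuses an empty list so no SAN-less cert is issued.
hosts_json() {
  [ "$#" -gt 0 ] || { echo "at least one hostname is required" >&2; return 1; }
  list=""
  for h in "$@"; do
    list="${list:+$list, }\"$h\""
  done
  printf '[%s]' "$list"
}

# Write ca.json and cert.json. In a multi-tenant deployment every tenant
# address must be listed here, or TLS fails for the addresses left out.
write_configs() {
  hosts=$(hosts_json "$@") || return 1
  printf '{\n  "names": [%s]\n}\n' "$SUBJECT" > ca.json
  printf '{\n  "hosts": %s,\n  "names": [%s]\n}\n' "$hosts" "$SUBJECT" > cert.json
}

# Generate the CA and server certificate, then rename the key as the
# docker-compose configuration expects and give it to the container user.
issue_certs() {
  cfssl genkey -initca ca.json | cfssljson -bare ca
  cfssl gencert -ca ca.pem -ca-key ca-key.pem cert.json | cfssljson -bare cert
  mv cert-key.pem key.pem
  sudo chown "$TTS_UID:$TTS_GID" ./cert.pem ./key.pem
  sudo chmod 0600 ./key.pem  # not in the docs: keep the private key unreadable to others
}

# Confirm the certificate chains to ca.pem and names the first hostname as a SAN.
verify_certs() {
  openssl verify -CAfile ca.pem cert.pem >/dev/null
  openssl x509 -in cert.pem -noout -text | grep -qF "DNS:$1"
}

# Usage: sh make-certs.sh thethings.example.com [more.hostnames ...]
if [ "$#" -gt 0 ]; then
  write_configs "$@"
  issue_certs
  verify_certs "$1"
fi
```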