Custom SSL certificates for HTTPS

[nadavgolden]

🚀 Feature

Enable having custom certificates from a local CA server instead of Certbot.

Have you spent some time to check if this issue has been raised before?

Searched documentation and issues history here, didn't find any similar issues.
Read some of the source code and available config flags, didn't see any that are relevant.
Went to the source code and it seems like Certbot is the only option.

Have you read the Code of Conduct?

Yes.

Pitch

In my specific case I have an offline environment with no access to Let's Encrypt's servers.
Also, we use a custom CA for our servers so I'd rather use our own than using Let's Encrypt.

Please enlighten me if there is a way to configure Certbot (or AppWrite) to use custom certificates.

[nadavgolden]

I guess you can use a reverse proxy with a custom certificate so that:
AppWrite (self-signed)<- nginx (trust insecure upstream connection; use custom certificate) <- client (HTTPS)
But I'd like to avoid it

[eldadfux]

I guess you can use a reverse proxy with a custom certificate so that:
AppWrite (self-signed)<- nginx (trust insecure upstream connection; use custom certificate) <- client (HTTPS)
But I'd like to avoid it

Agree, this can be a great solution. You can also use the Traefik container to set custom certificates like explained here:
https://medium.com/@clintcolding/use-your-own-certificates-with-traefik-a31d785a6441

[eldadfux]

We would love help with this issue. All required is to add env vars that will allow our Swoole HTTP server to pick SSL certs from a specific location without having to rely on Traefik for SSL.

[HariniKrishnan]

hi can I work on this issue?! @eldadfux

[davedawkins]

Would the resolution of this issue allow me to use certificates I already have installed on my server? I've installed AppWrite on abc.dev, and assigned it ports 8585 (http) & 8543 (https). (On this server, AppWrite cannot have port 80 unless I route "/v1/..."). Because it's ".dev", the self-signed certificate isn't accepted by the browser. I was wondering if I could copy the certificates used by the main website into the AppWrite server.

[stnguyen90]

See #5201

[bodnar1212]

We would love help with this issue. All required is to add env vars that will allow our Swoole HTTP server to pick SSL certs from a specific location without having to rely on Traefik for SSL.

Hi, @eldadfux Is it already implemented somewhere?

[christyjacob4]

@bodnar1212 its not implemented currently, but as @eldadfux mentioned, we can introduce a new env variable that points to the location of the SSL certificates instead of replying on the default location.

[SingHar]

Hi,

It would be great if we can use our own SSL certificates.

A decent use case is when using Cloudflare provided SSL certificates.

[stnguyen90]

Do you mean a certificate managed by Cloudflare? Or do you mean you have the actual certificate and private key files?

[SingHar]

I already have a Cloudflare issued certificate and privatekey OR I can generate these certificates as and when required.

Ref: Create a client certificate

[stnguyen90]

I already have a Cloudflare issued certificate and privatekey

Maybe this will help.

[binaryfire]

Hi all. So if I understand correctly, there's no way to use our own SSL certs? I'm surprised there's no option to disable the Lets Encrypt integration. Reverse proxying through Cloudflare or AWS Cloudfront is standard practice nowadays, especially for larger organizations.

[stnguyen90]

If you're using Cloudflare to proxy requests and already have an SSL certificate, you don't need to use Appwrite's certificate system. You can even disable the appwrite-worker-certificates container so that Appwrite doesn't try to generate any certificates.

[stnguyen90]

If you really want to use your own SSL certificate, you can update traefik to serve your SSL certificate. To do so,

1. Copy your full chain cert file into /storage/certificates/<domain> into the traefik container and name it fullchain.pem

2. Copy your key file into /storage/certificates/<domain> into the traefik container and name it privkey.pem

3. Create a /storage/config/<domain>.yml in the traefik container with:

   tls:
     certificates:
       - certFile: /storage/certificates/<domain>/fullchain.pem
         keyFile: /storage/certificates/<domain>/privkey.pem

For more info, refer to what Eldad linked to: https://medium.com/@clintcolding/use-your-own-certificates-with-traefik-a31d785a6441

[harishbsrinivas]

I got this to work by following the instructions here

1. Make sure that _APP_DOMAIN & _APP_DOMAIN_TARGET are set to the <domain>
2. The path to the volume mounts (appwrite-certificates & appwrite-config) is absolute path (use an override file)
3. add the directories above to .gitignore (so that you don't commit these to git)
4. completely stop and start appwrite

[jeremy0519]

Traefik can use a default certificate for connections without a SNI, or without a matching domain. This default certificate should be defined in a TLS store:

tls:
  stores:
    default:
      defaultCertificate:
        certFile: path/to/cert.crt
        keyFile: path/to/cert.key

It's useful for those finding provided ssl certificates is not working.