Let's Encrypt Client

A docker image to help obtain LetsEncrypt certificates

Starting with Altair AI Hub version 2025.0, AI Hub no longer supports plain HTTP. Hence, you must obtain a secure certificate from a trusted Certificate Authority, either a public issuer or a corporate CA that is trusted by all devices that have access to the deployment.

Alternatively, you can use Let's Encrypt, a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

The letsencrypt Docker image provided with AI Hub contains the Certbot application, the official client application for https://letsencrypt.org/.

Prerequisites

  • Public IP
  • A domain name pointing to the public IP address
  • Allow LetsEncrypt backend in your RapidMiner reverse proxy (rapidminer-proxy:9.8 or above)

How it works

During initial configuration, the proxy must listen on port TCP/80 to allow Let's Encrypt to communicate with Certbot. Once the certificate is issued, port 80 can be closed, but during certificate renewal the port needs to be opened again.

To obtain a certificate for a domain, you have to prove that you control the domain.

To do that, you first have to create/update your domain on your DNS server (or DNS provider) to point to the public IP address of the host for which the certificate should be obtained.

DNS records are cached by other DNS servers, so verify that the change has propagated by querying a public resolver directly (nslookup takes the server as its second argument):

nslookup <your.domain.com> 8.8.8.8

The above command should return the public IP address of your host.

Please note that by design Letsencrypt certificates are valid only for a few months, but can be renewed without human interaction.

The container itself can be used to obtain a certificate and then stopped, but because of the renewals we suggest including it as part of your deployment. The process below describes this scenario.

To allow LetsEncrypt backend in your RapidMiner reverse proxy you have to set the following environment variables in your .env file. LE_BACKEND is the (internal) URL for the letsencrypt container:

ALLOW_LE=true
LE_BACKEND=http://letsencrypt-svc:84/

To set your email address, provide the WEBMASTER_MAIL environment variable for the letsencrypt container.

This setting turns on a location in the proxy that forwards .well-known/acme-challenge requests to the letsencrypt container, so the domain validation, both at the first request and at each renewal, can be done through the RapidMiner proxy.

In this scenario Certbot is used in webroot authenticator mode, which starts a webserver on port 80 inside the letsencrypt container and places a secret token into a folder under .well-known/acme-challenge. That token must be publicly accessible from the internet. When you request a certificate or renew one, a domain validation process is started automatically: Let's Encrypt sends a request for the token under your domain name and, if it receives the right response, your domain is validated and Certbot obtains the certificate for you.

To request a certificate, open a shell in the letsencrypt container (replace docker_letsencrypt-svc_1 with your container name):

docker exec -it docker_letsencrypt-svc_1 bash

The certificate request is started by executing a script. Replace <your-domain.com> with your domain name:

/usr/local/bin/init_a_domain.sh <your-domain.com>

Certbot will ask you for your email address.

If everything was OK, your certificate and key files will appear in the /etc/letsencrypt/live folder. This folder is stored on a volume mount shared with the RapidMiner proxy container, so these files will be immediately available to the proxy.

To configure the proxy to start using this certificate, you have to set the following environment variables in your .env file:

HTTPS_CRT_PATH=/etc/nginx/ssl/live/your-domain.com/fullchain.pem
HTTPS_KEY_PATH=/etc/nginx/ssl/live/your-domain.com/privkey.pem
HTTPS_DH_PATH=/etc/nginx/ssl/dhparam.pem

Then restart the proxy.

A certificate can be obtained for one or more domains or subdomains, in case more than one name needs to be covered.

Renew the certificates

The certificates can be renewed automatically by scheduling a command on your docker host (replace docker_letsencrypt-svc_1 according to your container name):

docker exec -it docker_letsencrypt-svc_1 /usr/bin/certbot renew

To make sure the proxy picks up a possible certificate change, send a reload signal to the rm-proxy-svc container:

docker exec -it docker_rm-proxy-svc_1 /usr/sbin/nginx -s reload

Example crontab entry to check for renewal daily at 3 AM (/var/spool/cron/crontabs/root). The -it flags are left out because cron provides no TTY, and the redirections use the POSIX form because cron runs the command with /bin/sh, which does not understand &>>:

0 3 * * * docker exec rapidminer_letsencrypt-svc_1 /usr/bin/certbot renew >> /var/log/le_renew.log 2>&1 && docker exec rapidminer_rm-proxy-svc_1 /usr/sbin/nginx -s reload >> /var/log/le_renew.log 2>&1
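The renewal and reload steps above can be wrapped in a single script for the cron job. The script below is an added example, not part of the AI Hub image: it fingerprints fullchain.pem inside the letsencrypt container before and after certbot renew, reloads nginx in the proxy container only when the certificate actually changed, and logs every step. The container names, domain and log path are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# le_renew.sh: added example for the AI Hub Let's Encrypt renewal cron job.
# Assumed defaults (adjust to your deployment); all can be overridden via env.
set -eu

LE_CONTAINER="${LE_CONTAINER:-docker_letsencrypt-svc_1}"
PROXY_CONTAINER="${PROXY_CONTAINER:-docker_rm-proxy-svc_1}"
DOMAIN="${DOMAIN:-your-domain.com}"
LOG_FILE="${LOG_FILE:-/var/log/le_renew.log}"
# Certificate path inside the letsencrypt container (the /etc/letsencrypt/live tree).
CERT_PATH="/etc/letsencrypt/live/${DOMAIN}/fullchain.pem"

# Append a UTC-timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG_FILE"
}

# SHA-256 of a file on a host path (pure function, testable without Docker).
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# True (exit 0) when the two fingerprints differ, i.e. a proxy reload is needed.
cert_changed() {
    [ "$1" != "$2" ]
}

# Fingerprint of the live certificate as seen inside the letsencrypt container.
container_fingerprint() {
    docker exec "$LE_CONTAINER" sha256sum "$CERT_PATH" | cut -d' ' -f1
}

# Run certbot renew and reload nginx only if fullchain.pem changed.
renew_and_reload() {
    before="$(container_fingerprint)"
    # No -t: cron has no TTY and docker exec -t would fail there.
    docker exec "$LE_CONTAINER" /usr/bin/certbot renew --non-interactive >> "$LOG_FILE" 2>&1
    after="$(container_fingerprint)"
    if cert_changed "$before" "$after"; then
        log "certificate for ${DOMAIN} changed ($(printf '%s' "$before" | cut -c1-12) -> $(printf '%s' "$after" | cut -c1-12)); reloading proxy"
        docker exec "$PROXY_CONTAINER" /usr/sbin/nginx -s reload >> "$LOG_FILE" 2>&1
    else
        log "certificate for ${DOMAIN} unchanged; no reload"
    fi
}

# Only act when invoked with the "run" argument, e.g. from cron:
#   0 3 * * * /usr/local/sbin/le_renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

Because the reload is skipped when the fingerprint is unchanged, the cron job can safely run daily even though certbot only renews a certificate when it is close to expiry.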