Skip to content

SSL/TLS

Enabling SSL

Securing your communication with SSL is essential for both data protection and user trust. Here's how to enable SSL for your deployment across various platforms:

Load Balancers on Major Cloud Providers:

  1. AWS Application Load Balancer (Preferred for AWS): Using an AWS Application Load Balancer (ALB) is our top recommendation for AWS deployments. AWS can manage SSL certificates automatically when using an ALB, providing a seamless, scalable, and secure solution.

    • Deploy an AWS ALB and attach an SSL certificate to it.
    • Ensure the ALB operates at layer 7.
    • Note: Elastic and Classic load balancers are not suitable as they operate on layer 4.
  2. Google Cloud Load Balancing (GCP):

GCP offers HTTPS Load Balancing, which can distribute HTTPS traffic among virtual machine instances in the same region.

- Create an HTTPS load balancer.
- Attach an SSL certificate (either self-managed or from Google-managed certificates).
  1. Azure Application Gateway:

Azure's Application Gateway provides application delivery controller (ADC) as a service. It offers SSL termination, which means the gateway manages the SSL handshake and decryption.

- Create an Azure Application Gateway.
- Configure an HTTPS listener and attach an SSL certificate (either your own or from Azure-managed certificates).
  • Make sure to run the following command, so the application become aware that https is enabled:
    cometctl aio enable-ssl
    

LetsEncrypt:

If you're not bound to a specific cloud provider or prefer an alternative to their Load Balancer solutions, cometctl provides a convenient wrapper for LetsEncrypt:

cometctl aio enable-ssl --letsencrypt

This command sets up SSL using certificates from LetsEncrypt, a widely respected free certificate authority.

Self-Signed Certificates:

Run the following if you choose to use a self-signed certificate:

cometctl aio enable-ssl

Then generate and install your self-signed certificate.

Make sure:

  • All SDK machines recognize and trust the self-signed certificate, either by:
    • Installing the certificate at the OS level.
    • Setting the REQUESTS_CA_BUNDLE. environment variable.

For less secure communications, you can bypass SSL certificate checks in the SDK using:

export COMET_INTERNAL_CHECK_TLS_CERTIFICATE="0"

Note: Disabling SSL checks is not recommended as it exposes your communications to potential threats.

May. 17, 2024