This document describes the process for using an ELB with HTTPS/SSL enabled. You will need certificates for the ELB and CircleCI Server, covered in the following sections:
- Setting up ELB Certificates
- Setting up TLS/HTTPS on CircleCI Server
Setting up ELB Certificates
CircleCI requires the following steps to get ELB (Elastic Load Balancing) certificates working as your primary certificates.
Note: Opening the port for HTTP requests allows CircleCI to return an HTTPS redirect.
- Open the following ports on your ELB:
| Load Balancer Protocol | Load Balancer Port | Instance Protocol | Instance Port | Cipher | SSL Certificate |
|---|---|---|---|---|---|
- Add the following security group on your ELB:
Note: The sources below are left open so that anybody can access the instance over these port ranges. If that is not what you want, then feel free to restrict them. Users will experience reduced functionality if your stakeholders are using IP addresses outside of the Source Range.
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| Custom TCP Rule | TCP | 8800 | 0.0.0.0 |
| Custom TCP Rule | TCP | 64535-65535 | 0.0.0.0 |
Next, in the management console for CircleCI, upload a valid certificate and key file in the Privacy section. These don't need to be externally signed or even current certificates, as the actual certificate management is done at the ELB. But to serve HTTPS requests, CircleCI requires a certificate and key whose "Common Name (FQDN)" matches the hostname configured in the admin console.
It is now possible to set your Github Authorization Callback to
Setting up TLS/HTTPS on CircleCI Server
You may use various tools to generate a valid SSL certificate and key file. Two approaches are described below.
Using Certbot
This section describes setting up TLS/HTTPS on your Server install using Certbot, proving control of the domain by manually adding a DNS record for the Services machine. Certbot normally validates domain ownership over port 80 or 443, but this is not supported on CircleCI Server installations as of 2.2.0 because of port conflicts, so the DNS challenge is used instead.
Stop the Service from within the Replicated console (hostname:8800).
SSH into the Services machine.
Install Certbot and generate certificates using the following commands:
```shell
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
certbot certonly --manual --preferred-challenges dns
```
You’ll be instructed to add a DNS TXT record.
After the record is successfully generated, save
If you’re using Route 53 for your DNS records, adding a TXT record is straightforward. When you’re creating a new record set, be sure to select type -> TXT and provide the appropriate value enclosed in quotes.
Using Self-Signed Certificates
Because the ELB does not require a current certificate, you may choose to generate a self-signed certificate with an arbitrary duration.
Generate the certificate and key using the openssl command:
```shell
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1 -out certificate.pem
```
Provide the appropriate information at the prompts. NOTE: The Common Name provided must match the hostname configured in CircleCI.
Save the certificate.pem and key.pem file locally.
Adding the certificate to CircleCI Server
Once you have a valid certificate and key file in PEM format, you must upload it to CircleCI Server.
To do so, navigate to
Under the "Privacy" section, check the box for "SSL only (Recommended)".
Upload your newly generated certificate and key.
Click “Verify TLS Settings” to ensure everything is working.
Click “Save” at the bottom of the settings page and restart when prompted.
Ensure the hostname is properly configured in the Replicated/management console (hostname:8800/settings) and that the hostname used matches the DNS records associated with the TLS certificates.
Make sure the Auth Callback URL in GitHub/GitHub Enterprise matches the domain name pointing to the Services machine, including the protocol used, for example https://info-tech.io/.
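As an added example (not part of the CircleCI documentation), the shell functions below perform the self-signed openssl step from the "Using Self-Signed Certificates" section non-interactively and then check the two things that most often make "Verify TLS Settings" fail: that the certificate's Common Name equals the hostname configured in the management console, and that the uploaded key actually belongs to the certificate. The hostname `circleci.example.test` used in the comments and test is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the CircleCI docs. Requires the openssl CLI.
# Hostnames and paths below are constructed placeholders.
set -eu

# make_cert <fqdn> <days> <outdir>
# Writes key.pem and certificate.pem into <outdir> with CN=<fqdn>.
# -subj replaces the interactive prompts; only the CN matters to CircleCI,
# since real certificate management happens at the ELB.
make_cert() {
  fqdn=$1; days=$2; outdir=$3
  mkdir -p "$outdir"
  openssl req -newkey rsa:2048 -nodes -keyout "$outdir/key.pem" \
    -x509 -days "$days" -subj "/CN=$fqdn" -out "$outdir/certificate.pem" \
    >/dev/null 2>&1
}

# cert_cn <certificate.pem>: prints the CN from the certificate subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_cn <certificate.pem> <expected fqdn>
# Returns 0 when the CN matches the hostname set in the management
# console (hostname:8800/settings), 1 otherwise.
check_cn() {
  actual=$(cert_cn "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK: certificate CN '$actual' matches configured hostname"
    return 0
  fi
  echo "MISMATCH: certificate CN is '$actual', console hostname is '$2'" >&2
  return 1
}

# key_matches_cert <key.pem> <certificate.pem>
# Returns 0 when the private key's public half equals the certificate's
# public key, i.e. the pair you are about to upload belongs together.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5)
  c=$(openssl x509 -in "$2" -noout -pubkey | openssl md5)
  [ "$k" = "$c" ]
}
```

Run `make_cert circleci.example.test 1 ./out` followed by `check_cn ./out/certificate.pem circleci.example.test` before uploading; a mismatch here is exactly what the console's TLS verification rejects.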