Using Certbot and Let’s Encrypt for HTTPS in pump.io¶
After you have set up pump.io - but before you staring interacting with other servers or clients - it’s a good idea to set up TLS (HTTPS), which prevents others from reading or tampering with users’ private data. It also helps keep the overall pump.io network secure since other servers can deliver activities over TLS, giving their users the same confidentiality and integrity guarantees. Changing ports or from HTTP to HTTPS after interacting with other servers or clients can cause problems. The npm-based install instructions talk about other changes that may also cause problems.
Let’s Encrypt is an automated Certificate Authority which will issue TLS certifiates for free. This document will show you how to set up Certbot, a popular Let’s Encrypt client, to acquire and automatically renew Let’s Encrypt certificates.
Note
These instructions do not work with Docker images.
First, install Certbot. Your GNU/Linux distribution may already have it packaged for easy installation, or you may need to do that yourself - either way, the Certbot website will tell you how to get it installed.
Once Certbot is installed run this command, inserting your actual email address and domain names:
$ certbot certonly --email user@host.root --webroot -w /usr/lib/node_modules/pump.io/public/ -d domain.tld,www.domain.tld
The email address provided will receive notifications when the certificate is due to expire which can be helpful as a reminder.
Note that /usr/lib/node_modules/pump.io/
is usually where npm
installs pump.io when you use an npm-based installation. If your setup
is different, provide the full path to your pump.io installation, plus
/public/
at the end.
Next, edit your pump.io configuration (for example,
/etc/pump.io.json
if you’re using a JSON file for configuration) and be sure that it contains these
settings (again replacing domain.tld
with your production domain):
"hostname": "domain.tld",
"key": "/etc/letsencrypt/live/domain.tld/privkey.pem",
"cert": "/etc/letsencrypt/live/domain.tld/fullchain.pem",
"port": 443,
"bounce": true,
"hsts": true,
Restart the pump.io software. Congratulations, you should now have TLS working!
To automate renewals you can make a cron job or systemd timer that
runs certbot renew
. That should take care of renewing the
certificate but the email address provided during the initial setup
can be helpful as a fallback method in case something happens. The
pump.io software should also be restarted once the certificate is
renewed. This can be accomplished with zero-downtime restarts and Certbot pre/post
validation hooks.
For more on certbot renew
, consult the Certbot documentation.