
Documentation: how to enable SSL with Let's Encrypt on a single ClickHouse server

Open alexey-milovidov opened this issue 1 year ago • 0 comments

Make sure you have a DNS A or AAAA record pointing to your server.

Validate it with:

dig @1.1.1.1 yourdomain.example.com

Open port 80 on your server. This port will be used for automatic certificate renewal using the ACME protocol, with certbot.

If you use AWS and an EC2 machine, you should go to "Security groups" and open port 80 for inbound connections.

Install certbot and obtain the SSL certificate:

sudo apt install certbot
sudo certbot certonly

Configure clickhouse-server to work with HTTPS:

Copy the certificates to the ClickHouse directory and put the copy command into cron:

echo '* * * * * root cp -u /etc/letsencrypt/live/yourdomain.example.com/*.pem /etc/clickhouse-server/ && chown clickhouse:clickhouse /etc/clickhouse-server/*.pem && chmod 400 /etc/clickhouse-server/*.pem' | sudo tee /etc/cron.d/copy-certificates

Configure their usage in clickhouse-server:

echo "
https_port: 8443
openSSL:
  server:
    certificateFile: '/etc/clickhouse-server/fullchain.pem'
    privateKeyFile: '/etc/clickhouse-server/privkey.pem'
    disableProtocols: 'sslv2,sslv3,tlsv1,tlsv1_1'
" | sudo tee /etc/clickhouse-server/config.d/ssl.yaml

sudo clickhouse restart

Validate with:

curl https://yourdomain.example.com:8443/

alexey-milovidov avatar Jun 30 '24 20:06 alexey-milovidov
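
An added example, not part of the original issue: a check that the cron copy step above is keeping `/etc/clickhouse-server/*.pem` in sync with the renewed Let's Encrypt files and that the copies keep the mode and owner the cron line sets. `check_pem_copy` is a hypothetical helper name; the default paths are the ones used on this page, and GNU coreutils (`stat -c`) is assumed.

```shell
#!/bin/sh
# Added example (not from the original issue): audit the PEM copies that the
# cron job maintains. check_pem_copy is a hypothetical helper name.
# Assumes GNU coreutils (stat -c), as on the apt-based host the page implies.

check_pem_copy() {
    local src_dir="${1:-/etc/letsencrypt/live/yourdomain.example.com}"
    local dst_dir="${2:-/etc/clickhouse-server}"
    local owner="${3:-clickhouse}"
    local rc=0 found=0 src name dst mode who

    for src in "$src_dir"/*.pem; do
        [ -e "$src" ] || continue      # glob matched nothing
        found=1
        name=$(basename "$src")
        dst="$dst_dir/$name"

        if [ ! -f "$dst" ]; then
            echo "MISSING  $dst"; rc=1; continue
        fi
        # cmp follows the symlinks in live/, so real contents are compared.
        if ! cmp -s "$src" "$dst"; then
            echo "STALE    $dst differs from $src (renewal not copied?)"; rc=1
        fi
        mode=$(stat -c '%a' "$dst")
        if [ "$mode" != "400" ]; then
            echo "MODE     $dst is $mode, expected 400"; rc=1
        fi
        who=$(stat -c '%U' "$dst")
        if [ "$who" != "$owner" ]; then
            echo "OWNER    $dst owned by $who, expected $owner"; rc=1
        fi
    done

    if [ "$found" -eq 0 ]; then
        echo "NOSOURCE no .pem files in $src_dir"; rc=1
    fi
    return "$rc"
}
```

Source the file and run `check_pem_copy` as root, since the Let's Encrypt `live/` directory is readable only by root; a non-zero exit status means at least one finding was printed.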