This is my 15th #DaysOfArm article that tracks some of the experiences that I’ve had so far. It’s been a little while since I’ve worked on this series; however, saying that … much of what I’ve been doing didn’t seem different from any other type of environment.
And just to recap from the first post (here) on June 12 2021.
It’s been just over 2 weeks since the launch of Ampere Arm deployed in Oracle Cloud Infrastructure (OCI). Check this article out to learn more (here). And it’s been about one week since I started looking into the new architecture and deployment, since I started provisioning the VM.Standard.A1.Flex Compute Shape on OCI and since I started migrating a specific application that has many different variations to it to test it all out.
This is my next learning where I looked into Let’s Encrypt to create a set of free certificates for Oracle Cloud Infrastructure A1.Flex VM Instances.
I’ve been looking at some APIs and I needed to start looking into a better solution than self-signed certificates especially one where there are direct API calls from the browser and avoiding the security exception. For these purposes, Let’s Encrypt has been a good option. certbot (here) helps with the creation and the renewal process of these certificates.
What I found though was that most of the options a) didn’t have an Oracle Linux arm64 distribution and b) installing with pip isn’t a preferred method (though it did work).
It is easy to find that one of the options is to use one of their docker images. If you do try to run the examples, the docker images are not multi-architecture. They do however have separate tags for arm64v8.
And with that and having docker installed it all works out of the box. (as root) …
Step 1. Configure Firewall Access (for 80 and 443).
These ports are used by the bot to create the certificates.
firewall-cmd --add-port 80/tcp --permanent --zone=public
firewall-cmd --add-port 443/tcp --permanent --zone=public
firewall-cmd --reload
If needs be, open these ports up in the Security List or a Network Security Group to allow ingress traffic on these ports to the VM instance.
Step 2. Create the Certificates.
This will create the certificates that you need to then be able to install. (Update – As soon as I published it, thanks to Avi Miller for pointing out an alternate method which works as well and felt easier too).
Option 1 – Using certbot.
mkdir -p /etc/letsencrypt
mkdir -p /var/lib/letsencrypt
docker run -it --rm --name certbot \
  -v "/etc/letsencrypt:/etc/letsencrypt" \
  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
  certbot/certbot:arm64v8-latest certonly
Option 2 – Using acme.sh.
This was brought to my attention by Avi Miller. And I’m very thankful for that too. The installation process for acme.sh (here) is pretty simple and doesn’t require docker at all. Issuing the certificates is as simple as this one line and you can then configure the certificates with your application.
acme.sh --issue --standalone -d <DOMAIN>
The result is a set of proper certificates that can be included in your APIs avoiding the typical self-signed certificate issues.
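Before wiring the new files into an application, it is worth confirming that they really are CA-issued, not close to expiry, and paired with a properly protected private key. The script below is an added example, not part of the original post or of certbot/acme.sh; `check_cert` and its finding labels are hypothetical names, the 30-day default is an assumed threshold, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original post). check_cert and its finding
# labels are hypothetical names; requires the openssl CLI.
# Usage: check_cert CERT_PEM KEY_PEM [MIN_DAYS]
# Prints one finding per line and returns the number of findings.
check_cert() {
    cert=$1; key=$2; min_days=${3:-30}; findings=0

    # A self-signed certificate has identical subject and issuer.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    if [ "$subject" = "$issuer" ]; then
        echo "SELF_SIGNED $subject"; findings=$((findings + 1))
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRES_WITHIN_${min_days}_DAYS $(openssl x509 -in "$cert" -noout -enddate)"
        findings=$((findings + 1))
    fi

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "KEY_MISMATCH $key"; findings=$((findings + 1))
    fi

    # The private key should not be accessible to group or others.
    perms=$(ls -lL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "KEY_PERMISSIONS $key"; findings=$((findings + 1))
    fi
    return "$findings"
}

# Run directly: sh check_cert.sh fullchain.pem privkey.pem
if [ "$#" -ge 2 ]; then check_cert "$@"; fi
```

For the certbot option the files to pass are /etc/letsencrypt/live/<DOMAIN>/fullchain.pem and privkey.pem; a non-zero exit status makes the script easy to hook into a cron job or monitoring check.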
If you want to try this out yourself or work on your own application, sign-up (here) for the free Oracle Cloud Trial. I’d be interested to hear your experiences and learn from others as well. Leave a comment or contact me at firstname.lastname@example.org if you want to collaborate.
There’s plenty of work to make this more achievable for everyone. And hence sharing this knowledge is the reason why I’m writing this series – #XDaysOfArm. I’ll keep documenting as long as I keep learning.