How to add an SSL Certificate to Directus

SSL certificates are vital to securing your data because they encrypt all traffic between the client and your server. In this article I'll cover how you can add a Let's Encrypt certificate or a paid certificate to Directus. This assumes you are using Linux, have root access, and have a domain name already pointing to your server.

To add an SSL certificate to Directus you will need a proxy like Nginx, then you can run certbot to generate a certificate. Certbot will automatically add the configuration.

If you haven't already set up Nginx, use my article below to set this up first.

Set up Directus in Nginx
Use this template to configure Nginx and access Directus on your domain name.

Using Let's Encrypt (Free)

Now that you have Nginx installed and configured, you'll need to set up certbot.

Step 1: Install snapd using the command below that matches your distribution's package manager (yum, dnf or apt-get).

sudo yum install snapd
sudo dnf install snapd
sudo apt-get install snapd

Step 2: Update the snapd core to the latest version by running this:

sudo snap install core; sudo snap refresh core

Step 3: Install certbot using snap

sudo snap install --classic certbot

Step 4: Create a symlink for certbot in your system's path so it can be run without typing the full path.

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 5: Run the following command to automatically edit your Nginx configuration with the paths to the certificates.

sudo certbot --nginx

This command will create a token on your server, then attempt to reach the token from the web address. If valid, a certificate will be created.

Lastly, create a cron job to run the following command daily or weekly to renew your certificate.

sudo crontab -e

Copy and paste the line below into the editor, then save and close. For those unfamiliar with the vim editor, press ESC to exit Insert mode, then type :wq (the colon is required). Press ENTER to write (w) and quit (q).

0 0 * * * certbot renew

This will try and renew the certificate at midnight every day. The certificate will only renew closer to the expiry date. Running the command frequently ensures it renews before it expires.

The certbot website has a more comprehensive guide if you prefer.

Certbot

The instructions are very helpful. All you need to do is select Nginx as the Software and your operating system from the list.

Using Paid Certificates

There are 3 types of certificates: Extended Validation (EV SSL), Organization Validated (OV SSL) and Domain Validated (DV SSL). They all have the same level of encryption, but have different levels of verification. This changes the padlock symbol on your browser from the standard green to a big box with your company name inside. This is very important for enterprise-level companies or universities to reassure visitors that they are using the official website and not a copycat. If you prefer to pay for a certificate, here are some providers with premium options.

When you are given your certificates, you need to upload them to your website host. Add them to a memorable location such as /etc/ssl/.

It's also worth creating a dhparam file. This makes it significantly harder for attackers to decrypt your traffic if they somehow get hold of your private key.

cd /etc/ssl/
openssl dhparam -out ffdhe4096.pem 4096

Here is the recommended Nginx configuration for securing your website. Make sure to change domain.crt and domain.key to your new certificates.

  # Certificate(s) and private key
  ssl_certificate /etc/ssl/domain.crt;
  ssl_certificate_key /etc/ssl/domain.key;

  # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
  ssl_dhparam /etc/ssl/ffdhe4096.pem;

  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp521r1:secp384r1;
  ssl_ciphers EECDH+AESGCM:EECDH+AES256;

  ssl_session_cache shared:TLS:2m;
  ssl_buffer_size 4k;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]; # Cloudflare

  # Set HSTS to 365 days
  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

Test and restart Nginx to apply changes.

sudo nginx -t
sudo systemctl restart nginx
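
nginx -t validates the configuration syntax, but it does not judge whether the TLS settings themselves are strong. The Python sketch below is an added example, not part of the original article or of Nginx; it checks a config for the protocol, HSTS and OCSP stapling settings recommended above. The function names and both sample configs are constructed for illustration, and the parser assumes simple one-line directives.

```python
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # same set as the article's ssl_protocols line

def parse_directives(conf):
    """Collect simple one-line 'name args;' directives into {name: [args, ...]}."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = re.match(r"(\w+)\s+(.+?)\s*;$", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = parse_directives(conf), []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols not set, nginx default applies")
    for p in sorted(protocols - ALLOWED_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {p}")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("HSTS header is missing")
    elif not hsts[0].endswith("always"):
        findings.append("HSTS header lacks 'always' (not sent on error responses)")
    if "on" in d.get("ssl_stapling", []) and "resolver" not in d:
        findings.append("ssl_stapling is on but no resolver is configured")
    return findings

# Constructed sample configs (not taken from a real server).
WEAK = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
add_header Strict-Transport-Security 'max-age=31536000';
"""
HARDENED = """
ssl_protocols TLSv1.3 TLSv1.2;
ssl_stapling on;
resolver 1.1.1.1 1.0.0.1; # Cloudflare
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK), "hardened:", audit(HARDENED))
```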

Conclusion

You now have an SSL certificate encrypting all your data in Directus. It's important not to share your SSL certificates with anyone and to store them safely. If you found this useful, subscribe by adding your email address below and I can share any new articles with you.
