TL;DR: Compose Elasticsearch and RabbitMQ deployments are being offered an upgrade to easier, more reliable Let's Encrypt security certificate-backed connections.
We've just begun rolling out a new way of securing your connections to Compose databases using Let's Encrypt certificates. This will make using TLS/SSL database connections simpler and more trusted than ever before.
sidenote-right Let's Encrypt certificates are only, currently available on Compose. Compose Enterprise continues to use self-signed certificates for effective management within organizations.
Compose has, up until now, used a self-signed verification certificate for TLS/SSL connections. The public part of the self-signed certificate was given to you to implement verification. Because it was self-signed, those steps could, in some cases, be quite involved. This meant that developers had a choice - write the additional verification steps or skip verification and expose themselves to man-in-the-middle attacks.
We knew there had to be a better way and the arrival of Let's Encrypt meant we could start looking at generating trusted, verifiable TLS/SSL certificates for every Compose database host and implementing the changes needed to make that work. That includes new host names for all nodes too so we can use SNI, Server Name Indication to ensure you are getting the right certificate for your database's access portals. Where connections previously went to
*.dblayer.com addresses, they will now go to unique
Now, we have begun the process of rolling out those changes on a database by database basis. First up are RabbitMQ and Elasticsearch. Users of these databases on Compose can switch over to this new scheme right now. New deployments of RabbitMQ and Elasticsearch will have the Let's Encrypt scheme only.
Migrating to Let's Encrypt certificates
Visiting the Compose console's Deployment Overview for your RabbitMQ or Elasticsearch database deployment will offer you the option to upgrade:
Let's just look at that...
Install Let's Encrypt Certificate Your deployment is capable of utilizing SSL certificates signed by Let's Encrypt. By clicking the button below, our system will configure a new connection endpoint to be used by your application(s) for SSL connectivity. We recommend that you make a record of your current connection strings in case you need to refer to them when migrating to the new Let's Encrypt configuration.
All of this is important. When you upgrade, while the old connection strings will work, they will not be displayed in the console. This, for example, is what the connection strings on a RabbitMQ deployment look like beforehand.
Remember, also, if you are verifying your connection – and you should be – you will also want to make a copy of the
SSL Certificate (Self-Signed). Once you've archived all that, then you'll be ready to click Install. The system will run a job to update and when you return to the Deployment Overview, you will see new connection strings with
.composedb.com addresses, something like this:
RabbitMQ has a web accessible admin user interface which is listed in the second panel. You can copy the URL and open it in another browser window or just click the Open button to open it in a new tab. When it opens, unlike before, you won't be asked to trust a self-signed certificate to move on. Instead, you'll be connected immediately and be ready to log in. If you look in the address bar, you'll see a green padlock and clicking on it will reveal details of your connection's security:
And if you want to follow the details link, you can find out more about how the connection is secured:
And if you really want to, you can dig into the certificate and see who's validating it:
We can carry on, logging in, safe in the knowledge that our connection is secure. The next stop is connecting our applications.
If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at firstname.lastname@example.org. We're happy to hear from you.