Arriving now on Compose - Let's Encrypt TLS Certificates

TL;DR: Compose Elasticsearch and RabbitMQ deployments are being offered an upgrade to easier, more reliable connections backed by Let's Encrypt security certificates.

We've just begun rolling out a new way of securing your connections to Compose databases using Let's Encrypt certificates. This will make using TLS/SSL database connections simpler and more trusted than ever before.

Compose has, up until now, used a self-signed certificate for TLS/SSL connections. The public part of that self-signed certificate was given to you so that you could implement verification. Because it was self-signed, those steps could, in some cases, be quite involved. This meant that developers had a choice: write the additional verification steps, or skip verification and expose themselves to man-in-the-middle attacks.

We knew there had to be a better way, and the arrival of Let's Encrypt meant we could start looking at generating trusted, verifiable TLS/SSL certificates for every Compose database host and implementing the changes needed to make that work. That includes new host names for all nodes too, so we can use SNI (Server Name Indication) to ensure you are getting the right certificate for your database's access portals. Where connections previously went to *.dblayer.com addresses, they will now go to unique *.composedb.com addresses.

Now, we have begun the process of rolling out those changes on a database-by-database basis. First up are RabbitMQ and Elasticsearch. Users of these databases on Compose can switch over to this new scheme right now. New deployments of RabbitMQ and Elasticsearch will have the Let's Encrypt scheme only.

Migrating to Let's Encrypt certificates

Visiting the Compose console's Deployment Overview for your RabbitMQ or Elasticsearch database deployment will offer you the option to upgrade:

Deployment upgrade

Let's just look at that...

Install Let's Encrypt Certificate

Your deployment is capable of utilizing SSL certificates  
signed by Let's Encrypt. By clicking the button below, our system  
will configure a new connection endpoint to be used by your  
application(s) for SSL connectivity. We recommend that you make a  
record of your current connection strings in case you need to  
refer to them when migrating to the new Let's Encrypt configuration.  

All of this is important. When you upgrade, the old connection strings will still work, but they will no longer be displayed in the console. This, for example, is what the connection strings on a RabbitMQ deployment look like beforehand:

Old Connection Strings

Remember, also, if you are verifying your connection – and you should be – you will also want to make a copy of the SSL Certificate (Self-Signed). Once you've archived all that, then you'll be ready to click Install. The system will run a job to update and when you return to the Deployment Overview, you will see new connection strings with .composedb.com addresses, something like this:

New Connection Strings

RabbitMQ has a web accessible admin user interface which is listed in the second panel. You can copy the URL and open it in another browser window or just click the Open button to open it in a new tab. When it opens, unlike before, you won't be asked to trust a self-signed certificate to move on. Instead, you'll be connected immediately and be ready to log in. If you look in the address bar, you'll see a green padlock and clicking on it will reveal details of your connection's security:

Padlock Click

And if you want to follow the details link, you can find out more about how the connection is secured:

Details

And if you really want to, you can dig into the certificate and see who's validating it:

To the Root

We can carry on, logging in, safe in the knowledge that our connection is secure. The next stop is connecting our applications.
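As an added illustration of the choice described earlier (verify against the archived self-signed certificate, verify against the public trust store, or skip verification) and of why SNI matters for the new *.composedb.com host names, here is an example Python client-side setup. It is not Compose's own code; the host names and port are constructed placeholders, and it uses only the standard library `ssl` module.

```python
import socket
import ssl
from typing import Optional

# Constructed placeholder endpoints, shaped like the article's addresses.
OLD_HOST = "example-node.dblayer.com"          # self-signed era
NEW_HOST = "portal-0.example.composedb.com"    # Let's Encrypt era
AMQPS_PORT = 5671                              # AMQP over TLS


def tls_context(scheme: str, self_signed_ca: Optional[str] = None) -> ssl.SSLContext:
    """Build a client SSLContext for one of three verification schemes.

    'insecure'     - the shortcut the article warns about: no certificate or
                     hostname check, so any interposed server is accepted.
    'self-signed'  - the old Compose scheme: trust only the deployment's own
                     certificate, which you copied from the console.
    'lets-encrypt' - the new scheme: trust the OS root store (which already
                     contains Let's Encrypt's root) and check the hostname.
    """
    if scheme == "insecure":
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # order matters: hostname check
        ctx.verify_mode = ssl.CERT_NONE     # must be off before CERT_NONE
    elif scheme == "self-signed":
        if self_signed_ca is None:
            raise ValueError("self-signed scheme needs the archived CA file")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
        ctx.load_verify_locations(cafile=self_signed_ca)  # sole trust anchor
    elif scheme == "lets-encrypt":
        ctx = ssl.create_default_context()  # loads the OS trust store
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both validates the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def open_tls(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect and send SNI so the server presents the certificate for `host`."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

With the new scheme, `open_tls(NEW_HOST, AMQPS_PORT, tls_context("lets-encrypt"))` needs no extra certificate file at all.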


If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at articles@compose.com. We're happy to hear from you.