Setting up Let's Encrypt for SSL on a Matillion ETL Instance
This article describes the steps for setting up Let's Encrypt on a Matillion ETL instance so that the SSL certificate provisioned by Let's Encrypt can be used with Matillion ETL. In a default deployment, Matillion ETL uses a self-signed SSL certificate, and most modern browsers will warn that a self-signed certificate isn't trusted. An SSL certificate provisioned via Let's Encrypt is recognized by browsers as valid.
Let's Encrypt client
Let's Encrypt requires a client application to be installed. The purpose of the client is to provision SSL certificates and to renew the SSL certificates that have been provisioned. Let's Encrypt supports various clients, but it's recommended to use Certbot, which is what will be used here.
Prerequisites
- A virtual machine (AWS/Azure/GCP) that's running Matillion ETL.
- The Security Group/Firewall Rules on the Matillion ETL virtual machine (VM) allow inbound traffic over port 80 (HTTP) from anywhere. Certbot's standalone mode answers the Let's Encrypt HTTP-01 challenge on this port.
- It's recommended that Matillion ETL is additionally configured to disable HTTP and allow HTTPS only. Refer to the Admin Menu topic for more information.
- The Matillion ETL VM has a public IP address that's associated with a DNS name.
Install Certbot on a Matillion ETL virtual machine
The following steps are based on the installation instructions documented here:
- SSH on to the Matillion ETL virtual machine.
- Install snapd:
  sudo yum install epel-release
  epel-release is typically already installed on Matillion ETL instances. Run this command to confirm it's installed and of the latest version.
  sudo yum install snapd
  sudo systemctl enable --now snapd.socket
  sudo ln -s /var/lib/snapd/snap /snap
  sudo snap install core
  sudo snap refresh core
- Install Certbot:
  sudo snap install --classic certbot
  sudo ln -s /snap/bin/certbot /usr/bin/certbot
Generate a Let's Encrypt SSL certificate and configure Matillion ETL to use it
Certbot supports two methods for provisioning an SSL certificate. The method used here requires the Matillion service (Tomcat) to be stopped while the SSL certificate is provisioned, because Certbot's standalone mode needs to listen on port 80 itself. Currently, it's unknown if the other method (where the Matillion service keeps running) can be used on a Matillion ETL instance.
- SSH on to the Matillion ETL virtual machine.
- Stop the Matillion service (Tomcat):
  sudo service tomcat stop
- Stop the iptables service:
  sudo service iptables stop
- Run Certbot:
  sudo certbot certonly --standalone
  - Enter an email address to use when prompted.
  - Accept the Terms of Service.
  - Opt in or out of sharing your email address.
  - Enter the DNS domain associated with the Matillion ETL VM, for example: matillion.mycompany.com
  - When run successfully, the new SSL certificate files will be located under /etc/letsencrypt/live/[domain name].
- Change the ownership of the SSL certificate files to the tomcat user:
  sudo chown -R tomcat:tomcat /etc/letsencrypt
- Back up the default self-signed SSL certificate files that come with Matillion ETL:
  sudo mv /etc/tomcat/localhost.key /etc/tomcat/localhost.key.orig
  sudo mv /etc/tomcat/localhost.crt /etc/tomcat/localhost.crt.orig
- Create symbolic links that reference the Let's Encrypt SSL certificate files:
  sudo ln -s /etc/letsencrypt/live/[your-matillion-domain]/privkey.pem /etc/tomcat/localhost.key
  sudo chown -h tomcat:tomcat /etc/tomcat/localhost.key
  sudo ln -s /etc/letsencrypt/live/[your-matillion-domain]/fullchain.pem /etc/tomcat/localhost.crt
  sudo chown -h tomcat:tomcat /etc/tomcat/localhost.crt
- Start the iptables service:
  sudo service iptables start
- Start the Matillion service (Tomcat):
  sudo service tomcat start
- Validate that the new SSL certificate is now being used:
  - In a web browser, navigate to the Matillion ETL login screen over HTTPS, for example: https://matillion.mycompany.com
  - Confirm that the browser now shows a padlock icon in the URL bar.
Renew the Let's Encrypt SSL certificate
SSL certificates provisioned from Let's Encrypt expire after 90 days. The following steps detail how to renew SSL certificates that were provisioned using Let's Encrypt and Certbot. As with the initial provisioning steps above, the Matillion ETL service (Tomcat) must be stopped while the SSL certificate is renewed.
- SSH on to the Matillion ETL virtual machine.
- Stop the Matillion service (Tomcat):
  sudo service tomcat stop
- Stop the iptables service:
  sudo service iptables stop
- Renew the SSL certificate using Certbot:
  sudo certbot renew --force-renewal
- Update the ownership of the SSL certificate files so they are owned by the tomcat user:
  sudo chown -R tomcat:tomcat /etc/letsencrypt
- Start the iptables service:
  sudo service iptables start
- Start the Matillion service (Tomcat):
  sudo service tomcat start
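The renewal steps above, rolled into one script as an added example (not code from the Matillion documentation or from Certbot): Certbot's --pre-hook and --post-hook carry the stop and start steps, and verify_links checks that the symbolic links created in the Generate section still point at the Let's Encrypt files after a renewal. DOMAIN, LE_LIVE and TOMCAT_DIR are assumed placeholders that default to the paths the article uses.

```shell
#!/bin/bash
# Added example, not Matillion's or Certbot's own code. Paths mirror the article:
# Tomcat reads /etc/tomcat/localhost.{key,crt}; Certbot writes
# /etc/letsencrypt/live/<domain>/{privkey,fullchain}.pem. DOMAIN is a placeholder.
DOMAIN="${DOMAIN:-matillion.mycompany.com}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live/$DOMAIN}"
TOMCAT_DIR="${TOMCAT_DIR:-/etc/tomcat}"

# verify_links TOMCAT_DIR LE_LIVE [OWNER]
# Returns 0 only when localhost.key and localhost.crt are symbolic links whose
# targets are exactly the Let's Encrypt privkey.pem / fullchain.pem, the targets
# exist, and (if OWNER is given) the target files belong to that user.
verify_links() {
  local tdir="$1" live="$2" owner="${3:-}" rc=0 pair link want
  for pair in localhost.key:privkey.pem localhost.crt:fullchain.pem; do
    link="$tdir/${pair%%:*}"; want="$live/${pair##*:}"
    if [ ! -L "$link" ]; then
      echo "$link is not a symbolic link"; rc=1; continue
    fi
    if [ "$(readlink "$link")" != "$want" ]; then
      echo "$link points to $(readlink "$link"), expected $want"; rc=1; continue
    fi
    if [ ! -e "$link" ]; then
      echo "$link is a dangling link (has Certbot's live directory moved?)"; rc=1; continue
    fi
    if [ -n "$owner" ] && ! find -L "$link" -maxdepth 0 -user "$owner" | grep -q .; then
      echo "$link target is not owned by $owner (Tomcat cannot read it)"; rc=1
    fi
  done
  return "$rc"
}

# renew_certificate: the article's renewal section as one Certbot run. The hooks
# run the stop and start steps around the challenge, so Tomcat is down only while
# Certbot needs port 80. Dropping --force-renewal for a scheduled job makes Certbot
# renew only within 30 days of expiry; the hooks then run only when it does.
renew_certificate() {
  sudo certbot renew --force-renewal \
    --pre-hook  "service tomcat stop; service iptables stop" \
    --post-hook "chown -R tomcat:tomcat /etc/letsencrypt; service iptables start; service tomcat start"
}

# No argument: only define the functions. "renew" runs the renewal; "verify"
# checks the links the Generate and Renew sections leave behind.
case "${1:-}" in
  renew)  renew_certificate ;;
  verify) verify_links "$TOMCAT_DIR" "$LE_LIVE" tomcat ;;
esac
```

Run `./script.sh verify` after each renewal; it exits non-zero and names the first broken link, which is the failure the browser padlock check in the Generate section would otherwise surface only after Tomcat restarts.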
Revert Matillion ETL to use self-signed SSL Certificates
The following steps detail how to revert to the default self-signed SSL certificate that comes with a standard Matillion ETL deployment. These steps assume that a backup of the self-signed SSL certificate files was made as per Step 6 in the section above: Generate a Let's Encrypt SSL certificate and configure Matillion ETL to use it.
- SSH on to the Matillion ETL virtual machine.
- Stop the Matillion service (Tomcat):
  sudo service tomcat stop
- Delete the symbolic links that reference the Let's Encrypt SSL certificate files:
  sudo rm /etc/tomcat/localhost.key
  sudo rm /etc/tomcat/localhost.crt
- Restore the self-signed certificate files:
  sudo cp /etc/tomcat/localhost.key.orig /etc/tomcat/localhost.key
  sudo chown tomcat:tomcat /etc/tomcat/localhost.key
  sudo cp /etc/tomcat/localhost.crt.orig /etc/tomcat/localhost.crt
  sudo chown tomcat:tomcat /etc/tomcat/localhost.crt
- Start the Matillion service (Tomcat):
  sudo service tomcat start