Using 'lets encrypt' for certificates


Rob Pollock

Apr 24, 2016, 11:50:43 PM
to Project Jupyter
Hi,

I'm trying to set up jupyter on a remote server, using https.

I have done this with no problems (other than security warnings in my browsers) by using a self-signed certificate, as described.

I was hoping to get around this by setting up a proper certificate (that you can do for free via let's encrypt).  This is all well and good, except that I couldn't get it to work.

I don't know very much about how certificate authorities work, but there is a project known as Automatic Certificate Management Environment (ACME).  This is what letsencrypt uses. It seems there is some sort of process whereby a plugin has to be written to enable proper authorization.

In any case, it could be impossible to use this with jupyter (at the moment).  But there are a number of scripts that people have written to interact with ACME, so it might not be impossible to set up if you know what you're doing.   

Just putting it out there in case someone can write something so it's possible to use https properly/inexpensively with jupyter.

Regards,
Rob.

Rob Pollock

May 2, 2016, 5:44:16 PM
to Project Jupyter
The problem was the way that I set up my certificates... it works fine with tornado (the web server that's used with jupyter).

Basically, you just use the "fullchain.pem" (from let's encrypt) as your "certfile" and "privkey.pem" as your key.

Pretty obvious really, no different to using a self-signed certificate.  I was just getting hung up over the 'c.NotebookApp.client_ca' option...  I put the path to "fullchain.pem" there and tried to use "cert.pem" as my certfile.    To be honest, given the naming scheme it makes sense, however posts on the letsencrypt forum set me straight.

Just in case someone else has this issue.

The cool thing is with letsencrypt you can access your (jupyter) notebook from anywhere, and since the certificate is in a signed keychain authority, browsers don't complain.
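
Added example (not part of the original post, and not Jupyter's own code): a small checker for the mix-up described above, where `cert.pem` was used as the certfile and `fullchain.pem` was put in `client_ca`. The function name, the `example.org` path and the PEM bodies are constructed for illustration; a single certificate is treated as leaf-only, which fits Let's Encrypt output but would also flag a self-signed certificate.

```python
import re

# One match per PEM certificate block in a file's text.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def check_notebook_tls(settings, files):
    """Return problems found in NotebookApp TLS settings.

    settings maps option name -> path; files maps path -> PEM text
    (a stand-in for reading the files from disk).
    """
    problems = []
    certs = CERT_BLOCK.findall(files.get(settings.get("certfile"), ""))
    if not certs:
        problems.append("certfile: no certificate found")
    elif len(certs) == 1:
        # cert.pem holds only the leaf; a client that lacks the
        # intermediate cannot build a chain to a trusted root.
        problems.append("certfile: leaf only, use fullchain.pem")
    if not KEY_HEADER.search(files.get(settings.get("keyfile"), "")):
        problems.append("keyfile: no private key found")
    if settings.get("client_ca"):
        # client_ca is the CA for TLS *client* authentication, not the
        # place for the server's own chain.
        problems.append("client_ca: set, this enables client cert auth")
    return problems


def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-ins for the Let's Encrypt files (not real keys).
LIVE = "/etc/letsencrypt/live/example.org/"  # example.org is a placeholder
FILES = {
    LIVE + "cert.pem": _pem("CERTIFICATE", "TEVBRg=="),
    LIVE + "fullchain.pem": _pem("CERTIFICATE", "TEVBRg==")
    + _pem("CERTIFICATE", "SU5URVJNRURJQVRF"),
    LIVE + "privkey.pem": _pem("PRIVATE KEY", "S0VZ"),
}
# The setup from the post that did not work, then the one that did.
BROKEN = {"certfile": LIVE + "cert.pem", "keyfile": LIVE + "privkey.pem",
          "client_ca": LIVE + "fullchain.pem"}
WORKING = {"certfile": LIVE + "fullchain.pem", "keyfile": LIVE + "privkey.pem"}

if __name__ == "__main__":
    print(check_notebook_tls(BROKEN, FILES))
    print(check_notebook_tls(WORKING, FILES))
```

In `jupyter_notebook_config.py` the working setup corresponds to setting `c.NotebookApp.certfile` and `c.NotebookApp.keyfile` only, leaving `c.NotebookApp.client_ca` unset.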

Carol Willing

May 2, 2016, 6:38:47 PM
to Project Jupyter, Rob Pollock
Hi Rob,

Thanks for sharing your tips with all of us. I’ve opened a PR to
document “Using Let’s Encrypt”. If you have time to review it, I
would appreciate it.

https://github.com/jupyter/notebook/pull/1417

Thanks,
Carol

Carol Willing
Research Software Engineer, Project Jupyter @ Cal Poly
Director, Python Software Foundation

Rob Pollock

May 2, 2016, 7:29:54 PM
to Carol Willing, Project Jupyter
Hi Carol,

I had a look at what you wrote and it seems to follow what I did pretty well, so it should be fine for people to follow.

One thing regarding letsencrypt is that, after installing the letsencrypt client you can just run `letsencrypt certonly` at the command line (as root, on linux).  Then the script produces the certificates in a default location, and you can then refer to that location in the jupyter config file, or copy the certificates to an appropriate location.

I'm not sure what happens if you can't log in as root or what you do if you're running on Windows (should still work I suspect).   But if you have root access, and you own the domain name (and you're running letsencrypt from the host with that domain name!), it works very straightforwardly.

Maybe it would be a good idea to investigate what happens if you're not root, and what to do if you don't own the domain name.    Probably talk nicely to your local system administrator (as would be advisable in any case).

Best Wishes
Rob.

Denis Akhiyarov

Aug 25, 2016, 1:41:00 PM
to Project Jupyter, will...@gmail.com
How do I set up a jupyter notebook public server using let's encrypt on Windows? I have zero knowledge about DNS, certbot, IIS.

The problem is that certbot does not work on Windows and there are plenty of unofficial clients for Windows.

Fernando Perez

Aug 25, 2016, 2:42:01 PM
to Project Jupyter, will...@gmail.com

On Thu, Aug 25, 2016 at 10:41 AM, Denis Akhiyarov <denis.a...@gmail.com> wrote:
How do I set up a jupyter notebook public server using let's encrypt on Windows? I have zero knowledge about DNS, certbot, IIS.

The problem is that certbot does not work on Windows and there are plenty of unofficial clients for Windows.

The official way to support public servers for Jupyter is with JupyterHub, and JHub is *nix-only at this time (and we currently have no plans/resources to support Windows on the server side).  Running a single-user notebook publicly was a temporary hack before we had JHub, and we don't really consider that an ideal configuration moving forward, I'm afraid.  For one thing, you need to be aware that in this mode, all users who log in will share the same user, which is highly sub-optimal.

I've opened an issue to clarify this in our docs:


We try hard to support the *single user* notebook on Windows.  But the multi-user server would be a complex effort to port to the Windows server architecture, that nobody on the team is familiar with or uses regularly.  I want to make it clear that we don't have anything against Windows usage/deployment, so this is simply a reality of our resources, expertise, and the technical differences between Windows and *nix platforms for a server deployment.

Sorry about that, but this isn't likely to change any time soon.

Best,

f

-- 
Fernando Perez (@fperez_org; http://fperez.org)
fperez.net-at-gmail: mailing lists only (I ignore this when swamped!)
fernando.perez-at-berkeley: contact me here for any direct mail

Denis Akhiyarov

Aug 25, 2016, 4:20:21 PM
to Project Jupyter
Yep, we Windows users understand the situation with jupyterhub, hopefully docker or linux subsystem on windows 10 would solve these problems in the future.

What I do not understand is: can't a regular jupyter notebook server be configured to spawn a new notebook server for each new remote login?

Anyway openssl works fine on Windows and let's encrypt is not necessary:



Denis Akhiyarov

Aug 25, 2016, 6:13:27 PM
to Project Jupyter
and here is the first issue with linux subsystem on windows 10:

Fernando Perez

Aug 25, 2016, 6:53:44 PM
to Project Jupyter

On Thu, Aug 25, 2016 at 1:20 PM, Denis Akhiyarov <denis.a...@gmail.com> wrote:
Yep, we Windows users understand the situation with jupyterhub, hopefully docker or linux subsystem on windows 10 would solve these problems in the future.

What I do not understand is: can't a regular jupyter notebook server be configured to spawn a new notebook server for each new remote login?

Well, from a development perspective, that would be basically starting to add bits and pieces of JHub to the single-user notebook.  It just adds complication and muddies the waters between the role of the single-user server and the role of the highly flexible, multi-user one.

We have limited resources and already an explosion of complexity to manage in the project, so we try to keep some of that contained by drawing these boundaries.  Sorry if in some cases it does create certain limitations.

cheers,