-
Notifications
You must be signed in to change notification settings - Fork 1
HTTPS TLS Certificate
🇫🇷 Cette page est également disponible en français : fr_HTTPS-TLS-Certificate
VIVO is served exclusively over HTTPS (port 443). This page explains how the TLS certificate is provisioned and what to expect.
Starting with image version 1.0.11, the VM automatically obtains a trusted TLS certificate via Let's Encrypt during the first boot.
How it works:
- At first boot, nginx starts with a temporary self-signed certificate.
- The VM automatically runs
certbot --nginxagainst the Azure-assigned FQDN:{projectName}-{uniqueHash}.{region}.cloudapp.azure.com - Certbot completes the ACME HTTP-01 challenge on port 80 (open by default).
- Nginx is automatically reconfigured and reloaded with the trusted certificate.
- Automatic renewal is enabled (every 90 days).
No manual action required. The certificate is provisioned automatically in the background during first boot (~2–5 minutes).
Once VIVO is accessible, check that the certificate is valid:
# From the VM
sudo certbot certificates
# Expected output:
# Found the following certs:
# Certificate Name: vivo-xxxx.canadacentral.cloudapp.azure.com
# Domains: vivo-xxxx.canadacentral.cloudapp.azure.com
# Expiry Date: 2026-06-05 (VALID: 89 days)
# Certificate Path: /etc/letsencrypt/live/.../fullchain.pemOr from your browser: click the padlock icon → Certificate → verify the issuer is Let's Encrypt.
If certbot fails during first boot (e.g. DNS propagation delay, Let's Encrypt rate limit), nginx falls back to the self-signed certificate generated at image build time.
Symptom: Firefox/Chrome displays a security warning for the IP address or FQDN.
Workaround (testing only): Click Advanced → Accept the risk and continue to access VIVO.
Fix: SSH into the VM and run certbot manually (see below).
If auto-provisioning failed, the recommended way to re-provision from your workstation is:
make certbot IP=<vm-public-ip> FQDN=<fqdn> EMAIL=<your@email.com> SSH_KEY=~/.ssh/your-key.pemThis command SSHes into the VM, runs certbot --nginx, and enables certbot.timer for automatic renewal.
Alternatively, SSH directly into the VM and run certbot manually after verifying that port 80 is reachable:
# Replace with your actual FQDN (see Azure Portal → VM → DNS name)
FQDN="vivo-xxxx.canadacentral.cloudapp.azure.com"
sudo certbot --nginx \
-d "${FQDN}" \
--non-interactive \
--agree-tos \
--email "your@email.com" \
--redirectVerify nginx reloaded:
sudo nginx -t && sudo systemctl reload nginx
sudo certbot certificatesCertificates issued by Let's Encrypt expire every 90 days and are renewed automatically.
Check the renewal timer:
systemctl status certbot.timer
# or
sudo certbot renew --dry-runIf certbot.timer is not present (older Ubuntu versions), a cron job at /etc/cron.d/certbot handles renewal.
# VM initialization log (includes certbot output)
sudo grep -i certbot /var/log/vivo-first-boot.log
# Certbot full log
sudo tail -50 /var/log/letsencrypt/letsencrypt.logIf your institution provides its own TLS certificate, replace the nginx certificate files:
# Copy your cert and key to the VM
scp your-cert.pem azureuser@<public-ip>:/tmp/
scp your-key.pem azureuser@<public-ip>:/tmp/
# On the VM
sudo cp /tmp/your-cert.pem /etc/nginx/ssl/vivo.crt
sudo cp /tmp/your-key.pem /etc/nginx/ssl/vivo.key
sudo chmod 644 /etc/nginx/ssl/vivo.crt
sudo chmod 600 /etc/nginx/ssl/vivo.key
sudo nginx -t && sudo systemctl reload nginxTo prevent certbot from overwriting your certificate, disable the renewal timer:
sudo systemctl disable --now certbot.timer
Getting Started
Configuration
Using VIVO
Help
Démarrage
Configuration
Utiliser VIVO
Aide