Connect to your S3 server via HTTPS

The CANedge2 lets you upload data via HTTP or HTTPS. HTTP is simpler to set up and maintain, but if security is a priority you can use HTTPS data transfer.

Note

HTTPS is an advanced topic. Ensure that your HTTP upload works first and read the remote access security section in the CANedge2 Docs before proceeding. The CANedge2 Docs also describe bundled certificates and over-the-air certificate updates.

Warning

We recommend that you have physical access to your CANedge2 when testing HTTPS.

Warning

Depending on your WiFi/S3 setup, enabling TLS may significantly reduce your upload speed[1].

Below, we provide practical examples of how to enable HTTPS for specific S3 server types:


Enable MinIO server TLS via self-signed certificate

If you run a MinIO server, TLS is disabled by default and you’ll be using an http:// endpoint. To enable TLS on your server, you can follow the MinIO quickstart guide.

Below we use one of the examples from their guide (OpenSSL with IP address on Windows):

  1. Download and extract OpenSSL

  2. Create a new text file named openssl.conf in the folder with the openssl.exe file

  3. Paste the below into openssl.conf and update IP.1 to your MinIO endpoint (excl. http:// and port):

    [req]
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    
    [req_distinguished_name]
    C = US
    ST = VA
    L = Somewhere
    O = MyOrg
    OU = MyOU
    CN = MyServerName
    
    [v3_req]
    subjectAltName = @alt_names
    
    [alt_names]
    IP.1 = 127.0.0.1
    
  4. Open the command prompt in the folder and enter the below:

    openssl req -x509 -nodes -days 2730 -newkey rsa:2048 -keyout private.key -out public.crt -config openssl.conf

  5. Copy the resulting private.key and public.crt files into C:\Users\[your_user_name]\.minio\certs

  6. Rename public.crt to certs_server.p7b[2] and copy it to the root of your device SD card

  7. Update your device Configuration File to use https:// in front of the MinIO IP endpoint

Test if the certificate is loaded in the device.json file and if the CANedge2 correctly uploads data. To avoid browser warnings, you can install the self-signed certificate on your PC.


Enable Cloud server TLS by downloading root certificate

For clouds (AWS, Google Cloud, …) you can use the method below to enable HTTPS for initial tests.

Warning

Note that the default root CA may change for a cloud endpoint. For production setups we strongly recommend using a custom endpoint and certificate to ensure full control.

Note

For AWS S3, we provide a pre-built bundle below, but we recommend reading the full guide.

How to download & deploy a certificate

  1. Copy your S3 server [endpoint]/[bucket] into your browser. For AWS, this could e.g. be: https://s3.us-east-1.amazonaws.com/canedge-test-bucket
  2. In Chrome, click the lock-icon next to the URL and click Certificate
  3. In the popup-window, click the Certification Path
  4. Here, select the top root certificate - e.g. DigiCert Baltimore Root in the AWS example
  5. Click View Certificate, go to the Details tab and verify that it is an RSA type (not e.g. ECC)
  6. Click Copy to File, then follow the guide and use the Base64-encoded format
  7. Click Next, then Browse and save the *.cer file and rename it to certs_server.p7b[2]
  8. Save the file to the root of your device SD
  9. Update the Configuration File to use https:// and port 443 in your server details
Download Root Certificate HTTPS TLS 1.2

Important: AWS S3 certificate authority migration

AWS S3 is migrating to a new certificate authority in March 2021. To prepare, you can load both the current and the upcoming certificate into a bundled certificate. To download the upcoming certificate, you can open this test link and follow the steps above. Once you’ve downloaded both certificates into a folder, you can install OpenSSL (as per the MinIO TLS guide) and run the command below:

openssl crl2pkcs7 -nocrl -certfile AmazonRootCA1.cer -certfile BaltimoreCyberTrustRoot.cer -out certs_server.p7b

You can also download our pre-built certificate bundle for AWS S3 to enable TLS. We have tested this based on the current and upcoming certificate guidance from Amazon. However, we recommend that you go through the steps above to familiarize yourself with the process - and to ensure that nothing has changed since the build of this bundle.
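As an added example (not code from the CANedge2 docs), the script below is a POSIX shell version of the MinIO self-signed certificate steps and of the AWS bundling command above, together with the checks worth running before copying certs_server.p7b to the SD card: that the SAN covers the endpoint IP the device will connect to, and that every certificate in the bundle is RSA (step 5 of the download guide). It assumes the openssl CLI is in PATH; the endpoint IP and file names are constructed placeholders, and the single MinIO certificate is wrapped with crl2pkcs7 rather than renamed so that the same bundle check applies.

```shell
#!/bin/sh
# Added example, not from the CANedge2 docs. Assumes the openssl CLI is in PATH.
set -eu
WORK=$(mktemp -d)

# MinIO steps 3-4: self-signed RSA certificate whose SAN is the endpoint IP.
make_selfsigned() {  # $1 = endpoint IP (constructed placeholder), $2 = file basename
  cat > "$WORK/$2.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = MyServerName
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = $1
EOF
  openssl req -x509 -nodes -days 2730 -newkey rsa:2048 -keyout "$WORK/$2.key" \
    -out "$WORK/$2.crt" -config "$WORK/$2.conf" 2>/dev/null
}

# Does the certificate's SAN list exactly the IP the device will connect to?
san_has_ip() {  # $1 = PEM certificate, $2 = IP
  openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,|\$)"
}

# The AWS migration step: wrap one or more PEM certificates into a p7b bundle.
bundle_p7b() {  # $1 = output p7b, remaining args = PEM certificate files
  out=$1; shift; args=""
  for c in "$@"; do args="$args -certfile $c"; done
  openssl crl2pkcs7 -nocrl $args -out "$out"   # paths from mktemp contain no spaces
}

# Pre-deployment check: print the number of certificates in the bundle and
# fail if any of them is not RSA (the device does not accept e.g. ECC roots).
check_bundle() {  # $1 = p7b file
  d=$(mktemp -d)
  openssl pkcs7 -in "$1" -print_certs | awk -v d="$d" \
    '/BEGIN CERT/{i++; f=d "/c" i ".pem"} f{print > f} /END CERT/{close(f); f=""}'
  n=0
  for c in "$d"/c*.pem; do
    openssl x509 -in "$c" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    n=$((n + 1))
  done
  [ "$n" -gt 0 ] && echo "$n"
}
```

Source the file and call, for example, make_selfsigned 192.0.2.10 minio, then bundle_p7b "$WORK/certs_server.p7b" "$WORK/minio.crt" and check_bundle on the result; a non-zero exit from check_bundle means the bundle must not be deployed.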

Configuration File example

Below is an example of the CANedge2 Configuration File details for an AWS server using HTTPS:

    "server": {
      "endpoint": "https://s3.us-east-1.amazonaws.com",
      "port": 443,
      "bucket": "amazon-bucket-name",
      "region": "us-east-1",
      "accesskey": "AKIA32WGRU62PNIX2L7T",
      "keyformat": 0,
      "secretkey": "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",
      "signed_payload": 0
    }

Enable Cloud server TLS via custom domain & certificate

As outlined above, if you wish to use a cloud server endpoint such as AWS S3, you can use the default certificate to enable TLS. This can be OK for small-scale, local setups and tests.

For production setups and large-scale applications, it is recommended that you ensure full control over the certificate chain, as the cloud server provider may decide to change the root CA without notice. While rare, it is a risk. To avoid this, you can use a custom domain as your endpoint and enable TLS by importing your preferred certificate. This is an advanced topic and we recommend involving technical staff from your cloud server provider and/or your company.


[1] We recommend that you review your upload speed before/after adding TLS. If security is important for your use case, yet you find that your speed with TLS enabled is too low, you can consider encrypting your log files as an alternative.
[2] Before renaming the certificate, ensure that your File Explorer displays file extensions.