HOWTO: Setup Redis Server with SSL for use with AI2
This guide/tutorial shows you how to set up a Redis server (the backend for CloudDB) behind a TLS tunnel (what the AI2 checkbox calls SSL),
so that you can tick the UseSSL checkbox in AI2.
I would not have been able to achieve this without the invaluable help from Jeff Schiller, MIT; many thanks for all the fish ;)
To mis-quote Jeff:
"The normal Redis client/server doesn’t know how to do SSL, but the CloudDB component already knows how to use SSL, just check the box"
This means we have very little to do in AI2 with the CloudDB, but quite a lot to do on the server. You will see how to:
Set up the Redis server
Get a CA-signed certificate from Let's Encrypt
Set up stunnel4 to provide the SSL (TLS) tunnel in front of Redis
Set your firewall rules
Set up the CloudDB component in AI2
For the server, I used a shiny, brand new VPS (virtual private server) from IONOS, at the stunning price of £1 per month. I went for the Ubuntu 18.04 LTS Server. This means that nearly all the work below is done on the command line, and assumes that you have:
ssh access to the server
an admin user with sudo permissions
The only quirk I found with the IONOS VPS was that you set firewall rules in the IONOS control panel, not on the server. I had already set up ufw on the server when I found this out, so I am using both (ufw will need to replicate what is set on IONOS). Your server may not have this extra requirement, so if not, just use ufw.
On my system, I was able to complete most of the work as the admin user, but on a couple of occasions I had to change to the root user. If you run a sudo command and get "Permission Denied" then go to root by:
VPS on IONOS
Ubuntu 18.04 LTS Server
Admin user with sudo permissions
Ionos Control Panel
Set the following rules:
To begin, open a terminal (PuTTY if you are on Windows) and ssh into the server with your admin user (sudo permissions) and password:
Now it is best to update the server
Before we forget, set up ufw
Now install the Redis server, which we will build from source
Test the server is running:
Configure the redis server:
You will need to set a strong password (requirepass), because Redis is not designed to be exposed directly to the internet. Keep Redis itself bound to localhost (127.0.0.1) so that its plaintext port is not reachable from outside; stunnel runs on the same machine and will be the only network path in.
Edit the redis configuration file and check each of these settings:
You can then apply the configuration and start the redis server
To test that all is well, run redis-cli and ping the server; you should get a PONG back. Once requirepass is set you must authenticate first (AUTH followed by your password, or start redis-cli with -a), otherwise ping returns a NOAUTH error instead. Type quit to return to the command line.
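As an added check, not part of the original HOWTO, the script below lints a redis.conf for the three settings this tunnel setup depends on: Redis bound to loopback only (so the TLS tunnel is the only way in from the network), protected-mode left on, and a requirepass that is set, is not the sample value from the stock file, and is long enough to resist online guessing. The path /etc/redis/redis.conf, the 32-character minimum and the sample values in demo are assumptions; adjust to wherever your source build installed the file.

```shell
#!/bin/sh
# Added example, not from the HOWTO: lint a redis.conf for the settings the
# stunnel setup relies on. Assumed default path: /etc/redis/redis.conf.

# redis_conf_get FILE DIRECTIVE: effective value; the last uncommented line wins.
redis_conf_get() {
    { grep -E "^[[:space:]]*$2[[:space:]]" "$1" 2>/dev/null || :; } | tail -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/[[:space:]]+$//"
}

# check_redis_conf FILE: prints one line per failed check, returns 1 if any failed.
check_redis_conf() {
    conf="$1"
    rc=0

    bind="$(redis_conf_get "$conf" bind)"
    case "$bind" in
        # Loopback only: stunnel connects to 127.0.0.1:6379 locally, so nothing
        # outside the box should be able to reach the plaintext port.
        "127.0.0.1"|"127.0.0.1 ::1"|"127.0.0.1 -::1") ;;
        *) echo "FAIL bind: '$bind' (want 127.0.0.1; plaintext port would be reachable)"; rc=1 ;;
    esac

    pm="$(redis_conf_get "$conf" protected-mode)"
    [ "$pm" = "yes" ] || { echo "FAIL protected-mode: '$pm' (want yes)"; rc=1; }

    pw="$(redis_conf_get "$conf" requirepass)"
    if [ -z "$pw" ]; then
        echo "FAIL requirepass: not set; anyone reaching the tunnel can run commands"; rc=1
    elif [ "$pw" = "foobared" ]; then
        echo "FAIL requirepass: 'foobared' is the sample value from the stock config"; rc=1
    elif [ "${#pw}" -lt 32 ]; then
        echo "FAIL requirepass: ${#pw} chars; AUTH can be guessed over the network, use 32+ random chars"; rc=1
    fi

    port="$(redis_conf_get "$conf" port)"
    [ "${port:-6379}" = "6379" ] || echo "NOTE port: '$port'; make stunnel's connect= match"

    return "$rc"
}

# Stand-alone demo on constructed files (all values made up for illustration).
demo() {
    d="$(mktemp -d)"
    printf 'bind 0.0.0.0\nprotected-mode no\nrequirepass foobared\n' > "$d/weak.conf"
    printf '# requirepass foobared\nbind 127.0.0.1\nprotected-mode yes\nport 6379\nrequirepass 4f8b1c2e9a7d3b6f0e5c2a1d9b8e7f6a4c3d2e1f\n' > "$d/hardened.conf"
    echo "== weak.conf";     check_redis_conf "$d/weak.conf" || true
    echo "== hardened.conf"; check_redis_conf "$d/hardened.conf" && echo "OK"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh check-redis.sh --demo` to see both outcomes, or call `check_redis_conf /etc/redis/redis.conf` before applying the configuration; a non-zero exit means one of the settings above is still at an unsafe value.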
It is a good idea to update the server again; then we can install stunnel4.
stunnel will not start at boot by default, so we need to edit its defaults file to make this happen. Look for ENABLED=0 in the following file, and change it as follows:
Configure the conf file for stunnel as follows:
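The following is an added example, not the HOWTO's own conf file: it writes a stunnel4 service definition that matches this setup and sanity-checks it. It assumes the Debian/Ubuntu stunnel4 package (which loads every /etc/stunnel/*.conf and drops to the stunnel4 user), the combined certificate-plus-key file at /etc/stunnel/redis.pem, TLS accepted on 6381 (the port you later enter in CloudDB) and plaintext Redis on 127.0.0.1:6379. On the firewall this means opening 6381/tcp, and 80/tcp while certbot validates, but never 6379.

```shell
#!/bin/sh
# Added example, not the HOWTO's own file: write and check the stunnel4 service
# definition for the Redis TLS tunnel. Paths, ports and user are assumptions.

# write_stunnel_conf OUT [PEM] [ACCEPT_PORT] [REDIS_ADDR]
write_stunnel_conf() {
    out="$1"
    pem="${2:-/etc/stunnel/redis.pem}"
    accept="${3:-6381}"
    redis="${4:-127.0.0.1:6379}"
    cat > "$out" <<EOF
; Global section (written by write_stunnel_conf, an added example).
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
; Certificate chain followed by the private key, in one file (mode 600, owned
; by root; stunnel opens it at start-up before dropping privileges).
cert = $pem
; Refuse SSLv3, TLS 1.0 and TLS 1.1: only TLS 1.2+ clients get through.
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1_1

[redis-tls]
; Server mode (the default): stunnel terminates TLS here and forwards
; plaintext to Redis on loopback only, so port 6379 is never exposed.
accept = $accept
connect = $redis
EOF
}

# check_stunnel_conf FILE: returns 1 if the inside end of the tunnel is not
# loopback, no certificate is configured, or accept collides with the Redis port.
check_stunnel_conf() {
    conf="$1"; rc=0
    connect="$(sed -n 's/^connect *= *//p' "$conf" | head -n 1)"
    accept="$(sed -n 's/^accept *= *//p' "$conf" | head -n 1)"
    cert="$(sed -n 's/^cert *= *//p' "$conf" | head -n 1)"

    [ -n "$connect" ] || { echo "FAIL connect: missing"; rc=1; }
    case "$connect" in
        127.0.0.1:*|localhost:*|::1:*) ;;          # loopback, as intended
        *[!0-9]*) echo "FAIL connect: '$connect' is not loopback; Redis traffic would leave the box in the clear"; rc=1 ;;
        *) ;;                                       # a bare port means localhost to stunnel
    esac
    [ "$accept" != "${connect##*:}" ] || { echo "FAIL accept: $accept is the same as the Redis port"; rc=1; }
    [ -n "$cert" ] || { echo "FAIL cert: no certificate file configured"; rc=1; }
    return "$rc"
}

# Stand-alone use: write the live file and check it (needs root for /etc/stunnel).
if [ "${1:-}" = "--install" ]; then
    write_stunnel_conf /etc/stunnel/redis.conf
    check_stunnel_conf /etc/stunnel/redis.conf
fi
```

After `--install`, `sudo systemctl restart stunnel4` picks the file up; the checker is worth running again after any hand edit, because a `connect` pointing at a public address silently turns the tunnel into a plaintext hop.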
To create the certificate needed for TLS we use Let's Encrypt. Install certbot as follows:
NOTE: on Ubuntu 20.04 LTS the PPA is no longer available; however, there is a snap package in Ubuntu that can be used instead. See the following link for further information:
Now run certbot to generate the certificate and the key:
Finally, we need to combine the certificate chain and the private key into one file (certificate first, then key), and put it at the path given in the stunnel conf file. The file contains a private key, so make it readable by root only:
You can now start stunnel
That should be it on the server, now all that is needed is to enter the correct credentials into your app with CloudDB:
Open up AI2
Create a new project
Pull in the CloudDB component
Setup components and blocks to set and get values
In the designer, select the CloudDB and enter the following:
ProjectID - this can be anything you want for your project (it is set to your AI2 project's name by default)
RedisPort - 6381 (the port stunnel accepts TLS connections on, not the port Redis itself listens on)
RedisServer - use your server's domain name (the one the certificate was issued for) or its IP address
Token - the password you set with requirepass in the Redis conf file
UseSSL - check the box !
Test by running your project in the companion.
Hopefully, if everything has been configured correctly, you will see no errors and be able to set and get values.
Any issues, please ask on the forum: MIT AppInventor Community Forum
ADDITIONAL - Revalidate SSL certificate every 90 days
Let's Encrypt requires users to revalidate the SSL certificate every 90 days. For many certificates this happens automatically, but because I used "certonly" and Redis is not serving on port 80, the cron job for auto-renewal did not work, and I got an email from Let's Encrypt to advise that I needed to revalidate. Initially it was not clear what I needed to do, but a bit of searching revealed that I needed to shut down apache2 in order to make port 80 available to Let's Encrypt so that it could perform the validation.
To renew Redis SSL certificate
//Login to server
//Run the certonly option for certbot
I found I had to sudo su to go to root to run the following commands
Now back up the existing pem file
then create the new certificate file for stunnel
//restart Stunnel and APACHE !!
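The script below is an added example (not the commands from the HOWTO) covering both the one-off step of building the stunnel PEM file and the renewal sequence above: it backs up the existing file, writes the new one as certificate-then-key with root-only permissions, and wraps certbot so that apache2 is stopped only for the validation. The `renew_with_hooks` function shows the automated alternative, certbot's own `--pre-hook`, `--post-hook` and `--deploy-hook` options, which is what lets the renewal cron job succeed on its own. Assumed paths: certbot's /etc/letsencrypt/live/<domain>/, /etc/stunnel/redis.pem, and the stunnel4 and apache2 systemd units; example.test in the comments is a placeholder domain.

```shell
#!/bin/sh
# Added example, not the HOWTO's own commands. Assumptions: certbot live dir
# /etc/letsencrypt/live/<domain>/, stunnel file /etc/stunnel/redis.pem,
# systemd units stunnel4 and apache2. Run as root for the real paths.

# build_stunnel_pem LIVE_DIR OUT: concatenate fullchain.pem then privkey.pem
# into OUT. A previous OUT is kept as OUT.bak.<timestamp> (cp -p keeps its 600
# mode; it holds a key). OUT is written under umask 077 so it is never readable
# by others, even briefly. Returns 1 if the inputs are missing or malformed.
build_stunnel_pem() {
    live="$1"; out="$2"
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    if [ -e "$out" ]; then
        cp -p "$out" "$out.bak.$(date +%Y%m%d%H%M%S)"
    fi
    ( umask 077; cat "$live/fullchain.pem" "$live/privkey.pem" > "$out.tmp" ) || return 1
    chmod 600 "$out.tmp"
    # stunnel expects the certificate first; refuse anything else.
    if [ "$(head -n 1 "$out.tmp")" != "-----BEGIN CERTIFICATE-----" ] ||
       ! grep -q 'PRIVATE KEY-----' "$out.tmp"; then
        rm -f "$out.tmp"; echo "refusing to install: not certificate-then-key" >&2; return 1
    fi
    mv "$out.tmp" "$out"
}

# renew_redis_cert DOMAIN: the manual sequence from the HOWTO. certbot's
# standalone authenticator needs port 80, which apache2 holds on this server,
# so apache2 is down only for the validation and is restarted even on failure.
renew_redis_cert() {
    domain="$1"; rc=0
    systemctl stop apache2
    certbot certonly --standalone --non-interactive -d "$domain" || rc=$?
    systemctl start apache2
    [ "$rc" -eq 0 ] || return "$rc"
    build_stunnel_pem "/etc/letsencrypt/live/$domain" /etc/stunnel/redis.pem
    systemctl restart stunnel4
}

# renew_with_hooks: the hands-off version for certbot's cron/systemd timer.
# --deploy-hook runs only when a certificate was actually renewed; certbot
# exports RENEWED_LINEAGE (the live/<domain> directory) to it.
renew_with_hooks() {
    certbot renew \
        --pre-hook  "systemctl stop apache2" \
        --post-hook "systemctl start apache2" \
        --deploy-hook "$0 --deploy"
}

case "${1:-}" in
    --deploy)
        build_stunnel_pem "${RENEWED_LINEAGE:?set by certbot}" /etc/stunnel/redis.pem &&
            systemctl restart stunnel4 ;;
    --renew-now) renew_redis_cert "${2:?usage: $0 --renew-now DOMAIN}" ;;
    --renew-hooks) renew_with_hooks ;;
esac
```

Save it as, say, /usr/local/sbin/redis-cert.sh; `--renew-now example.test` reproduces the manual steps, and adding `--deploy-hook`/`--pre-hook`/`--post-hook` once to the renewal command (or running `--renew-hooks` from the timer) removes the need to notice the 90-day email at all.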