Steps to Follow
The following steps can be used to enable SSL for a single ClickHouse Server using Let’s Encrypt, a free, automated, and open Certificate Authority (CA) designed to make it easy for anyone to secure their websites with HTTPS. By automating the certificate issuance and renewal process, Let’s Encrypt ensures websites remain secure without requiring manual intervention.We assume ClickHouse has been installed at the standard package locations in the following guide. We use the domain
product-test-server.clickhouse-dev.com for all examples. Substitute your domain accordingly.- Verify you have a DNS
AorAAAArecord pointing to your server. This can be achieved using the Linux tooldig.For example, the response forproduct-test-server.clickhouse-dev.comif using the Cloudflare DNS server1.1.1.1:
- Open port 80 on your server. This port will be used for automatic certificate renewal using the ACME protocol with certbot. For AWS, this can be achieved by modifying the instance’s associated Security Group.
- Install
certbote.g. usingapt
- Obtain an SSL certificate
We don’t have a web server running on our server, so use (1) allowing Certbot to use a standalone temporary web server.
product-test-server.clickhouse-dev.com when requested.
Let’s Encrypt has a policy of not issuing certificates for certain types of domains, such as public cloud provider-generated domains (e.g., AWS *.compute.amazonaws.com domains). These domains are considered shared infrastructure and are blocked for security and abuse prevention reasons.
- Copy certificates to the ClickHouse directory.
chmod 400) on the copied files to maintain strict file security. This ensures that the ClickHouse server always has access to the latest SSL certificates without requiring manual intervention, maintaining security and minimizing operational overhead.
- Configure the use of these certificates in clickhouse-server.
- Restart ClickHouse Server
- Validate ClickHouse can communicate over SSL
product-test-server.clickhouse-dev.com open port 9440 in your: