Installing a valid certificate

Source:

Published:

Keywords: Genymotion, TLS, SSL, certificate generation, Let’s Encrypt, HTTP API, ADB, SSH

Document ID: https://docs.genymotion.com/paas/Access/Certificate#split1

Due to a bug with ACME services, domain names with subdomains are not supported with Genymotion Device image v10.0.0. Use Genymotion Device image v11.0.0 or higher if you need TLS/SSL certificates.

To remove the security warning when accessing an instance user interface, you must install a trusted certificate.

If you already have an SSL certificate, refer to this git repository to install it. Otherwise, follow the steps below.

Generate a certificate

You must have a valid and available domain name to generate a valid certificate.

If you do not have any certificates, Genymotion developed a service that generates a certificate from Let’s Encrypt servers. The service installs the certificate directly in the instance.

Prerequisite

The Let’s Encrypt service must be able to communicate with the instance during the certificate generation process.

Your instance must have a Public IP.

Inbound HTTP (TCP port 80) must be open to all (0.0.0.0/0) during the process.

Installation steps

There are three installation methods: Web UI, HTTP API, and Command Line.

Web UI

1. Add an allow HTTP (TCP port 80) to all (0.0.0.0/0) inbound rule to your security group/firewall.

2. From the instance user interface, go to Configuration. In the SSL Certificate section, input your domain name and click GENERATE CERTIFICATE.

3. Once finished, remove the HTTP allow to all inbound rule from your security group/firewall.

4. It is now possible to use our HTTP API to generate and install a SSL certificate, with the api/v1/configuration/certificate endpoint and POST method.

Note: <instance_public_ip> can either be the instance public IP or its public domain name.

<username>:<password> are the username/password used to connect to the instance.

--insecure is mandatory if the current certificate is the self-signed one. It can also be used when the current certificate is valid.

You need to allow HTTP (TCP port 80) to all (0.0.0.0/0) during the process. You can remove it when finished.

Example curl command from the host computer: 

-X 'POST' 'https://<instance_public_ip>/api/v1/configuration/certificate' \
-H "Content-Type: application/json" \
-d '["your.domain.name1, your.domain.name.two"]' \
--insecure \
-u <username>:<password>

Example for a public test instance: 

-X 'POST' 'https://demo.ddns.net/api/v1/configuration/certificate' \
-H "Content-Type: application/json" \
-d '["demo.ddns.net"]' \
--insecure \
-u myusername:mypassword

ADB

Enable inbound HTTP (TCP port 80) to all (0.0.0.0/0) from your security group or firewall rules.

Enable and connect ADB to the instance.

Generate and install the certificate: 

adb shell am startservice \
  -a genymotionacme.generate \
  -n com.genymobile.genymotionacme/.AcmeService.generate \
  --esal genymotionacme.generate.EXTRAS_DOMAIN_NAMES \
  your.first.domain,your.second.domain

Once done, you can remove the HTTP allow all rule.

Remove the certificate: 

adb shell am startservice \
  -a genymotionacme.clear \
  -n com.genymobile.genymotionacme/.AcmeService

SSH

Allow inbound HTTP (TCP port 80) to all (0.0.0.0/0) from your security group or firewall rules.

Connect to the instance shell with SSH.

Generate and install the certificate: 

am startservice \
  -a genymotionacme.generate \
  -n com.genymobile.genymotionacme/.AcmeService.generate \
  --esal genymotionacme.generate.EXTRAS_DOMAIN_NAMES \
  your.first.domain,your.second.domain

Once done, remove the HTTP allow all rule.

Remove the certificate: 

am startservice \
  -a genymotionacme.clear \
  -n com.genymobile.genymotionacme/.AcmeService

Back to top