## Using Let's Encrypt's Certbot Certificates with ArangoDB

*Let's Encrypt generates SSL certificates for free.*

Follow these steps to create and use an SSL certificate with ArangoDB.

### 1. Install Certbot from Let's Encrypt ([Certbot instructions](https://certbot.eff.org/lets-encrypt/ubuntubionic-other))

```bash
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
```

### 2. Generate the certificate

Run certbot and answer the prompted questions.

```bash
sudo certbot certonly
```

### 3. Create the certificate/key bundle required by ArangoDB

ArangoDB requires a single file containing the certificate chain as well as the private key.

```bash
cd /etc/letsencrypt/live/example.com # replace example.com with your domain
cat fullchain.pem privkey.pem > server.pem
```

### 4. Grant access to user `arangodb`

Make sure the ArangoDB user (usually `arangodb`) can read the `server.pem` and `fullchain.pem` files.

```bash
chown -R arangodb:arangodb /etc/letsencrypt/* # depending on your system
```

### 5. Configure ArangoDB to use the certificate

```bash
vi /etc/arangodb3/arangod.conf
```

A. Add the endpoint to the `[server]` block

```
[server]
endpoint = ssl://example.com:8529
```

B. Create the `[ssl]` block before any other block

```
[ssl]
cafile = /etc/letsencrypt/live/example.com/fullchain.pem
keyfile = /etc/letsencrypt/live/example.com/server.pem
```

C. Save & close

### 6. Restart the server

```
service arangodb3 restart
service arangodb3 status # make sure it's running
```

---

Related / sources:

- [Certbot instructions](https://certbot.eff.org/lets-encrypt/ubuntubionic-other)
- StackOverflow: [ArangoDB working together with letsenrcypt certificates](https://stackoverflow.com/questions/52964021/arangodb-working-together-with-letsenrcypt-certificates)
- StackOverflow: [Arangod.conf for SSL](https://stackoverflow.com/questions/40315135/arangod-conf-for-ssl)
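
The `server.pem` bundle from step 3 is a static copy of the certificate chain and private key, so it goes stale when certbot renews the certificate. The script below is an added example (not part of the original instructions or of ArangoDB) of a certbot deploy hook that rebuilds the bundle with owner-only permissions and restarts the service; the install path in the comment, the `ARANGO_USER` variable and the function name `build_bundle` are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds ArangoDB's server.pem.
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/arangodb-bundle.sh

# build_bundle LINEAGE_DIR OWNER
# Concatenates fullchain.pem + privkey.pem into LINEAGE_DIR/server.pem,
# readable only by OWNER. Returns non-zero and leaves any existing
# server.pem untouched if an input is missing or a step fails.
build_bundle() {
    dir=$1
    owner=$2
    # Refuse to write a bundle if either input is missing or empty.
    [ -s "$dir/fullchain.pem" ] || { echo "missing $dir/fullchain.pem" >&2; return 1; }
    [ -s "$dir/privkey.pem" ]   || { echo "missing $dir/privkey.pem" >&2; return 1; }

    old_umask=$(umask)
    umask 077    # nothing created here is group- or world-readable
    tmp=$(mktemp "$dir/server.pem.XXXXXX") || { umask "$old_umask"; return 1; }
    # Write to a temp file first, then rename: the rename is atomic on the
    # same filesystem, so arangod never sees a half-written bundle.
    if cat "$dir/fullchain.pem" "$dir/privkey.pem" > "$tmp" &&
       chown "$owner" "$tmp" &&
       chmod 600 "$tmp" &&
       mv -f "$tmp" "$dir/server.pem"; then
        umask "$old_umask"
        return 0
    fi
    rm -f "$tmp"
    umask "$old_umask"
    return 1
}

# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs deploy hooks; outside of certbot this block is skipped.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    user=${ARANGO_USER:-arangodb}   # assumption: service account name
    build_bundle "$RENEWED_LINEAGE" "$user:$user" &&
        service arangodb3 restart
fi
```

The `arangodb` user still needs to be able to traverse `/etc/letsencrypt/live/` to reach the bundle, as arranged in step 4.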