# Set up TLS without reverse proxy

{% hint style="info" %}
StackState prefers Kubernetes!\
In the future we will move away from Linux support. Read how to [migrate from the Linux install of StackState to the Kubernetes install](/5.1/setup/install-stackstate/kubernetes_openshift/migrate_from_linux.md).
{% endhint %}

This document provides the steps to set up TLS on the StackState application side when no reverse proxy is configured.

## Prerequisites

Prepare a TLS keypair in [PKCS12](https://en.wikipedia.org/wiki/PKCS_12) format. The certificate should include the hostname by which StackState will be accessed, for example, `stackstate.infra.company.tld`.
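The prerequisite above can be checked before StackState is pointed at the keystore. The following script is an added example, not part of the original page or of StackState tooling; it goes beyond the hostname requirement by also checking certificate expiry and file permissions. The `KEYSTORE_PASSWORD` environment variable and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PKCS12 keystore (requires openssl, GNU/busybox stat).
# Usage: KEYSTORE_PASSWORD=... ./check_keystore.sh /path/to/keystore.pfx stackstate.infra.company.tld

# Print the server certificate stored in keystore $1. The password is read from
# the environment (assumed variable KEYSTORE_PASSWORD) so it stays out of the process list.
keystore_cert() {
  openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASSWORD -nokeys -clcerts 2>/dev/null
}

# Succeed if the certificate is valid for hostname $2.
keystore_covers_host() {
  keystore_cert "$1" | openssl x509 -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeed if the certificate is still valid $2 days from now (default 30).
keystore_not_expiring() {
  keystore_cert "$1" |
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Succeed if the keystore file grants no permissions to "other" users.
# It holds the private key, and its password sits in plain text in the config.
keystore_not_world_accessible() {
  case "$(stat -c '%a' "$1")" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Run all checks and report the first failure.
preflight() {
  keystore_covers_host "$1" "$2" ||
    { echo "certificate does not cover $2" >&2; return 1; }
  keystore_not_expiring "$1" ||
    { echo "certificate expires within 30 days" >&2; return 1; }
  keystore_not_world_accessible "$1" ||
    { echo "keystore is accessible to all users" >&2; return 1; }
  echo "keystore OK for $2"
}

if [ "$#" -eq 2 ]; then preflight "$@"; fi
```

A wrong keystore password makes the hostname check fail, because no certificate can be extracted.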

## Configure StackState

### Step 1. Configure applications

**a.** Enable TLS for the Web UI/API by configuring the section `stackstate.api.tls` in `etc/application_stackstate.conf`:

```
stackstate {
   ...
   api {
     tls {
       enabled = true
       keystore {
          path = "/path/to/keystore.pfx"
          # password that protects the PKCS12 file
          password = "password"
          storeType = "PKCS12"
       }
     }
   }
   ...
}
```

**b.** Enable TLS for the topology/telemetry receiver by configuring the section `stackstate.receiver.tls` in `etc/stackstate-receiver/application.conf`:

```
stackstate.receiver {
  ...
  tls {
    enabled = true
    keystore {
      path = "/path/to/keystore.pfx"
      # password that protects the PKCS12 file
      password = "password"
      storeType = "PKCS12"
    }
  }
  ...
}
```

### Step 2. Configure the process manager

**a.** Configure the health check URL (`properties.receiver-healthcheckuri`) in `etc/processmanager/processmanager-properties.conf` using the `https` protocol and the hostname:

```
receiver-healthcheckuri = "https://stackstate.infra.company.tld:7077/health"
```

**b.** (optional, if a self-signed certificate is used) Make the process manager trust the self-signed certificate by adding the following settings under the `server.akka` section in `etc/processmanager/processmanager-properties.conf`:

```
server {
  akka {
    ...
    ssl-config {
      trustManager = {
        stores = [
          # CA certificate the process manager should trust
          {type: "PEM", path: "/path/to/certificate-authority.pem"}
        ]
      }
    }
  }
  ...
}
```

### Step 3. Configure StackPacks configuration defaults

Configure the default receiver URL (`stackstate.receiver.baseUrl`) in `etc/application_stackstate.conf` using the `https` protocol and the hostname:

```
stackstate.receiver.baseUrl = "https://stackstate.infra.company.tld:7077"
```

### Step 4. Apply changes

Restart StackState to apply these changes:

```
sudo systemctl restart stackstate.service
```

## Configure StackState Agent

### Option 1. Agent running in Docker

**a.** (optional, for self-signed certificates) Prepare a self-signed certificate to be mounted into the container:

```
mkdir self-signed-certs
cd self-signed-certs
cp /path/to/certificate-authority.pem ./ca.crt
cp ./ca.crt ./ca-certificates.crt
```

**b.** Update the Docker container parameters:

* set the receiver endpoint URLs in environment variables, using `https` and the hostname
  * `STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent`
  * `STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent`
  * `STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent`
* (for self-signed) mount the prepared certificates into `/etc/ssl/certs` of the container

Example:

```
docker run -ti --rm \
    -e STS_API_KEY="<api key>" \
    -v /path/to/self-signed-certs:/etc/ssl/certs \
    -e STS_STS_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    -e STS_APM_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    -e STS_PROCESS_AGENT_URL=https://stackstate.infra.company.tld:7077/stsAgent \
    stackstate/stackstate-agent-2:2.1.0
```

### Option 2. Agent running on machine

**a.** Update the receiver URLs using `https` and the hostname in `/etc/stackstate-agent/stackstate.yaml`:

```
sts_url: https://stackstate.infra.company.tld:7077/stsAgent
process_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
apm_sts_url: https://stackstate.infra.company.tld:7077/stsAgent
```

**b.** If a self-signed certificate is used, import it into the default trust store of the operating system. On Ubuntu:

```
# the .crt extension is required, otherwise update-ca-certificates ignores the file
sudo cp /path/to/certificate-authority.pem /usr/local/share/ca-certificates/stackstate.crt
sudo update-ca-certificates
```

