This repository was archived by the owner on Oct 9, 2023. It is now read-only.
We've been experimenting with how to enable HTTPS on all of the agents (mediator/issuer/verifier/mobile). They are deployed on an AWS EC2 server. We've successfully enabled it, and here we are going to share the notes and steps on how to achieve it.
As @troyronda mentioned, .NET has HTTPS handling code for the HTTPS prefixes. But they aren't the default; to switch to HTTPS, one has to use UseMessageTypesHttps.
Steps
The agent has to be deployed on a domain with an SSL certificate.
Change EndpointURI in Agent Options to the domain name (SSL certificate should be enabled).
Add UseMessageTypesHttps in Agent Options (make sure you are using the latest version of Aries).
The IP address of the server will be used in client_ip & node_ip in the Genesis File.
In some agents, we changed the applicationUrl to https in launchSettings.json, and in some agents, we didn't change it.
Problems
In the Xamarin mobile app, you are likely to get an exception: SSS error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
According to this comment, the issue is with the expiration of the DST Root CA X3, which is still used for cross-signing ISRG Root X1. The solution on the server side is to force the ISRG Root X1 with Certbot:
certbot renew --force-renewal --preferred-chain "ISRG Root X1"
Don't forget to reload the web servers to apply the new certificate.
Note: There is also a client-side solution for that, by manually disabling the certificate "Digital Signature Trust Co. - DST Root CA X3" on the Android device. (It's not an ideal solution, nor recommended, though I tested it, and it worked fine.)
Hope this works.
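To confirm that the server-side fix took effect, inspect the issuer of each certificate in the chain the server actually sends. This is an added example, not part of the original issue; the function names, the host agent.example.org and both sample chains (including the R3 intermediate) are constructed for illustration.

```shell
# Added example: check whether a served chain still runs through DST Root CA X3.
# Input is the text printed by (HOST stands for the agent's domain):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null

# Print the issuer ("i:") of each certificate listed under "Certificate chain".
chain_issuers() {
  awk '/^Certificate chain/ { in_chain = 1; next }
       /^---$/              { in_chain = 0 }
       in_chain && /^ *i:/  { sub(/^ *i:/, ""); print }'
}

# Exit 0 if any certificate in the served chain was issued by DST Root CA X3.
chain_uses_dst_x3() {
  chain_issuers | grep -q 'DST Root CA X3'
}

# Constructed sample: chain served before forcing the preferred chain.
sample_old_chain() { cat <<'EOF'
---
Certificate chain
 0 s:CN = agent.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: chain served after renewing with --preferred-chain "ISRG Root X1".
sample_new_chain() { cat <<'EOF'
---
Certificate chain
 0 s:CN = agent.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

# With a host argument, list the issuers of the chain the live endpoint serves.
if [ -n "${1:-}" ]; then
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    chain_issuers
fi
```

If the last issuer listed is still DST Root CA X3 after the renewal, the web server has not been reloaded or is serving an old fullchain file.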