SSL certificates enable HTTPS connections and are required for web-based authentication in the moderation system.
Certificates are required for moderation (web-based authentication) unless you set moderation.auth.cookie_secure=false in your configuration.
When you need SSL certificates
SSL certificates are needed when:
Using the moderation system with web authentication
Deploying to production without a reverse proxy handling SSL
Securing direct public access to Ayase Quart
If you’re using a reverse proxy (like nginx or Caddy), handle SSL at the proxy level instead of in Ayase Quart.
Generate self-signed certificates
For development or internal use, create self-signed certificates.
Generate certificates
Use OpenSSL to create a self-signed certificate:
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
-keyout key.pem -out cert.pem
This creates:
key.pem - Private key
cert.pem - Certificate (valid for 10 years)
Enter certificate details
OpenSSL will prompt for certificate information:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) []: My Archive
Organizational Unit Name (eg, section) []: IT
Common Name (e.g. server FQDN or YOUR name) []: archive.example.com
Email Address []: [email protected]
The Common Name should match your domain or IP address.
Move certificates
Place the certificates in your Ayase Quart directory:
mv key.pem cert.pem /path/to/ayase-quart/
The certificates must be in the working directory where Ayase Quart runs.
On Windows, use Git Bash or WSL to run the openssl command.
Enable SSL in your config.toml:
[app]
url = 'https://your-domain.com' # or 'https://192.168.1.100:9001'
port = 9001
ssl_key = 'key.pem'
ssl_cert = 'cert.pem'
[moderation.auth]
cookie_secure = true # Required for HTTPS
Certificate paths are relative to the working directory specified in your systemd service or startup command.
Production certificates with Let’s Encrypt
For production deployments, use Let’s Encrypt for free, trusted certificates.
Option 1: Use a reverse proxy (recommended)
Install Caddy or nginx
Install a reverse proxy that handles SSL automatically.
Caddy (automatic HTTPS):
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
nginx:
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx
Configure reverse proxy
Caddy (/etc/caddy/Caddyfile):
your-domain.com {
reverse_proxy localhost:9001
}
nginx (/etc/nginx/sites-available/ayase-quart):
server {
server_name your-domain.com;
location / {
proxy_pass http://127.0.0.1:9001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Obtain certificate
Caddy: Automatically obtains and renews certificates.
nginx: Use Certbot:
sudo certbot --nginx -d your-domain.com
Configure Ayase Quart
Disable SSL in config.toml (the proxy handles it):
[app]
url = 'https://your-domain.com'
port = 9001
# ssl_key and ssl_cert are commented out
[moderation.auth]
cookie_secure = true
Set trusted proxy hops
Tell Ayase Quart to trust the reverse proxy:
[app]
proxy_trusted_hops = 1
Option 2: Certbot with Ayase Quart directly
Install Certbot
sudo apt update
sudo apt install certbot
Stop Ayase Quart temporarily
Certbot needs port 80:
sudo systemctl stop ayasequart
Obtain certificate
sudo certbot certonly --standalone -d your-domain.com
Certificates will be saved to:
/etc/letsencrypt/live/your-domain.com/fullchain.pem
/etc/letsencrypt/live/your-domain.com/privkey.pem
Link certificates
Create symbolic links in your Ayase Quart directory:
cd /path/to/ayase-quart
ln -s /etc/letsencrypt/live/your-domain.com/fullchain.pem cert.pem
ln -s /etc/letsencrypt/live/your-domain.com/privkey.pem key.pem
Set up automatic renewal
Certbot installs a renewal timer automatically. Verify it with:
sudo systemctl status certbot.timer
Verify SSL configuration
Check that HTTPS is working:
Test HTTPS access
Open your browser and navigate to https://your-domain.com or https://192.168.1.100:9001 (whichever you set as url in config.toml).
Check certificate validity
Use OpenSSL to verify:
openssl s_client -connect your-domain.com:443 -servername your-domain.com
Test moderation login
Access the login page and verify secure authentication works: https://your-domain.com/login
Certificate file permissions
Ensure proper permissions for certificate files:
chmod 600 key.pem
chmod 644 cert.pem
chown ayasequart:ayasequart key.pem cert.pem
Never commit certificate files to version control. Add key.pem and cert.pem to .gitignore.
Disable SSL for development
For local development without HTTPS:
[app]
url = 'http://127.0.0.1:9001'
port = 9001
# Comment out ssl_key and ssl_cert
[moderation.auth]
cookie_secure = false # Allow cookies over HTTP
Never deploy to production with cookie_secure=false.
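The three config.toml variants on this page (direct TLS with ssl_key/ssl_cert, TLS terminated at a reverse proxy with proxy_trusted_hops, and the plain-HTTP development setup) each pair a url scheme with a cookie_secure value, and mixing them up is the usual cause of a login that silently fails. The checker below is an added example, not part of Ayase Quart: it takes the dict that tomllib.load() produces from config.toml and flags the combinations the page warns against, plus a missing or group-readable key file when a working directory is given. The sample configs are constructed for the demonstration.

```python
import stat
from pathlib import Path
from urllib.parse import urlparse


def check_tls_config(cfg: dict, workdir=None) -> list:
    """Return inconsistencies in a parsed config.toml; workdir is the directory Ayase Quart runs from."""
    app = cfg.get("app", {})
    auth = cfg.get("moderation", {}).get("auth", {})
    problems = []
    scheme = urlparse(app.get("url", "")).scheme
    has_certs = bool(app.get("ssl_key")) and bool(app.get("ssl_cert"))
    behind_proxy = int(app.get("proxy_trusted_hops", 0)) > 0
    cookie_secure = auth.get("cookie_secure", True)

    if scheme == "https":
        if not has_certs and not behind_proxy:
            problems.append("https url but no ssl_key/ssl_cert and proxy_trusted_hops is 0")
        if not cookie_secure:
            problems.append("https url with cookie_secure = false; never do this in production")
    elif scheme == "http":
        if has_certs:
            problems.append("ssl_key/ssl_cert set but url is plain http")
        if cookie_secure:
            problems.append("cookie_secure = true over plain http: the Secure cookie is never sent")
    else:
        problems.append(f"url has unsupported scheme {scheme!r}")

    if has_certs and workdir is not None:
        for key in ("ssl_key", "ssl_cert"):
            path = Path(workdir) / app[key]  # paths are relative to the working directory
            if not path.is_file():
                problems.append(f"{key} = {app[key]!r} not found under {workdir}")
            elif key == "ssl_key" and stat.S_IMODE(path.stat().st_mode) & 0o077:
                problems.append(f"{path} is readable by group/others; expected mode 600")
    return problems


# Constructed configs mirroring the page's three scenarios, plus one broken mix.
DIRECT_TLS = {"app": {"url": "https://your-domain.com", "port": 9001, "ssl_key": "key.pem",
                      "ssl_cert": "cert.pem"}, "moderation": {"auth": {"cookie_secure": True}}}
BEHIND_PROXY = {"app": {"url": "https://your-domain.com", "port": 9001, "proxy_trusted_hops": 1},
                "moderation": {"auth": {"cookie_secure": True}}}
DEV_HTTP = {"app": {"url": "http://127.0.0.1:9001", "port": 9001}, "moderation": {"auth": {"cookie_secure": False}}}
BROKEN = {"app": {"url": "https://your-domain.com", "port": 9001}, "moderation": {"auth": {"cookie_secure": False}}}

if __name__ == "__main__":
    for name, cfg in [("direct", DIRECT_TLS), ("proxy", BEHIND_PROXY), ("dev", DEV_HTTP), ("broken", BROKEN)]:
        print(f"{name}: {check_tls_config(cfg) or 'OK'}")
```

Pass `workdir=Path("/path/to/ayase-quart")` to also confirm that the relative ssl_key/ssl_cert paths resolve and that key.pem is mode 600 as the permissions section requires.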
Troubleshooting
Certificate verification failed
If browsers show certificate warnings with self-signed certificates:
This is expected behavior
Click “Advanced” and “Proceed” to access the site
Or add the certificate to your browser’s trusted certificates
Permission denied errors
If Ayase Quart can’t read certificate files:
# Check file ownership
ls -l key.pem cert.pem
# Fix permissions
sudo chown ayasequart:ayasequart key.pem cert.pem
chmod 600 key.pem
chmod 644 cert.pem
Port 443 already in use
If another service is using port 443:
# Find what's using the port
sudo netstat -tlnp | grep :443
# Use a different port
[app]
port = 8443
Next steps
Moderation guide: Set up content moderation with secure authentication
Production deployment: Deploy Ayase Quart to production