Let's Encrypt is an easy and cheap way to get an SSL certificate, so the client browser does not complain about a self-signed certificate. For this to work you need to be able to resolve a Fully Qualified Domain Name (FQDN) to the IP address of your SGD gateway. If your domain has a CAA record in DNS, that record must list letsencrypt.org as a permitted issuer, otherwise Let's Encrypt will refuse to issue the certificate.
In order to communicate with Let's Encrypt we need to install a utility called certbot. It lets us talk to the service, request an SSL certificate and answer the validation challenge. certbot can integrate directly with the Apache and NGINX web servers, but even though the SGD gateway is built on Apache, the incoming HTTP(S) stream is handled by custom SGD gateway code, so we cannot use that integration.
On Oracle Linux, certbot can be installed with yum from the ol7_developer_EPEL repository. One dependency (python2-urllib3, or python-urllib3) exists in several yum repositories, but only the build from @ol7_latest works with certbot, so make sure to install that one. Removing python2-urllib3 may also remove other packages that declare it as a dependency (most likely cloud-init), so after adding the certbot package from the correct repository we need to reinstall cloud-init.
For operating systems not directly supported by certbot, one can download certbot-auto, which bootstraps itself with the Python libraries it needs. This seems to be the most reliable way to get certbot going.
Use it with the SGD gateway
Stop the SGD gateway
Since a running gateway listens on ports 80 and 443, we need to stop the gateway before invoking certbot.
Once DNS is configured to resolve our FQDN to the IP address of our gateway, we can run certbot, specifying the FQDN and an e-mail address (I am using a fictitious domain name; please adjust accordingly).
If everything goes well, the resulting SSL certificate will be in /etc/letsencrypt/live/sgd.example.com/cert.pem
Import the SSL certificate into the SGD gateway
Once the SSL certificate has been generated, we use the gateway command to import the new certificate and then start the gateway.
--keyalg RSA \
Now that the SGD gateway is running again, we can check in a browser whether it presents the correct SSL certificate. Sometimes a browser needs to be restarted after a new certificate has been installed on a server it has visited before. Here is a screenshot from one of my servers accessed via Safari on Mac OS X.
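The whole procedure above (CAA check, stopping the gateway so ports 80 and 443 are free, running certbot, sanity-checking the issued certificate before importing it, and confirming after the restart that the gateway really serves the new certificate) as a single POSIX shell script. This is an added example, not code from the original post or from Oracle: the gateway binary path /opt/SUNWsgdg/bin/gateway, the `start`/`stop` subcommands, the e-mail address, and in particular the certificate import command are assumptions or placeholders to be replaced with the syntax from your SGD Gateway documentation. It also assumes certbot is run in `--standalone` mode, which is why the gateway has to be stopped first. The checks are plain functions so they can be sourced and used on their own; the full run only happens when SGD_LE_RUN=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post). Paths under /opt/SUNWsgdg, the
# gateway subcommands and the import step are ASSUMPTIONS; adjust for your install.
set -eu

FQDN="${FQDN:-sgd.example.com}"                        # fictitious name, as in the post
EMAIL="${EMAIL:-admin@example.com}"                    # constructed placeholder
GATEWAY_BIN="${GATEWAY_BIN:-/opt/SUNWsgdg/bin/gateway}" # assumed install path

# Given the text of a CAA lookup (e.g. `dig +short CAA sgd.example.com`), decide
# whether Let's Encrypt may issue for this non-wildcard name: no CAA records at
# all means any CA may issue; otherwise an `issue` tag naming letsencrypt.org is
# required. Caveat: real CAA processing also walks up to parent names, so check
# those too if the name itself has no records.
caa_allows_letsencrypt() {
    caa_text="$1"
    if [ -z "$(printf '%s' "$caa_text" | tr -d '[:space:]')" ]; then
        return 0
    fi
    printf '%s\n' "$caa_text" | grep -Eq '^[0-9]+ issue "letsencrypt\.org[";]'
}

# certbot --standalone must bind 80 and 443 itself. Given `ss -Hltn` output,
# report whether anything (normally the still-running gateway) holds them.
ports_80_443_free() {
    listeners="$1"
    ! printf '%s\n' "$listeners" | awk '{print $4}' | grep -Eq ':(80|443)$'
}

# Before importing, confirm the file certbot wrote is unexpired and actually
# carries our FQDN in its Subject Alternative Names.
cert_ok_for_fqdn() {
    cert_file="$1"; name="$2"
    openssl x509 -in "$cert_file" -noout -checkend 0 >/dev/null || return 1
    openssl x509 -in "$cert_file" -noout -text | grep -Eq "DNS:${name}(,|\$)"
}

# After the gateway is back up, compare the SHA-256 fingerprint it serves with
# the certificate on disk; a mismatch means the import or restart did not take.
served_cert_matches() {
    host="$1"; cert_file="$2"
    served=$(printf '' | openssl s_client -connect "${host}:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -in "$cert_file" -noout -fingerprint -sha256)
    [ "$served" = "$on_disk" ]
}

main() {
    caa_allows_letsencrypt "$(dig +short CAA "$FQDN")" \
        || { echo "CAA for $FQDN does not permit letsencrypt.org"; exit 1; }
    "$GATEWAY_BIN" stop                                   # assumed subcommand
    ports_80_443_free "$(ss -Hltn)" \
        || { echo "ports 80/443 still in use; certbot --standalone cannot bind"; exit 1; }
    certbot certonly --standalone -d "$FQDN" -m "$EMAIL" --agree-tos --non-interactive
    live="/etc/letsencrypt/live/$FQDN"                    # cert.pem, privkey.pem, fullchain.pem live here
    cert_ok_for_fqdn "$live/cert.pem" "$FQDN" \
        || { echo "unexpected certificate in $live"; exit 1; }
    # PLACEHOLDER: the gateway import command is not reproduced here; use the
    # syntax from the SGD Gateway guide, feeding it the certificate and key above.
    # "$GATEWAY_BIN" cert import ... "$live/fullchain.pem" "$live/privkey.pem"
    "$GATEWAY_BIN" start                                  # assumed subcommand
    served_cert_matches "$FQDN" "$live/cert.pem" \
        && echo "gateway now serves the Let's Encrypt certificate for $FQDN"
}

# Only run the procedure when explicitly requested, so the checks can be sourced alone.
if [ "${SGD_LE_RUN:-0}" = 1 ]; then
    main
fi
```

The pre-flight functions take their input as text rather than calling dig or ss directly, so the same checks can be run against saved output from another host, and the fingerprint comparison at the end gives a scriptable version of the "look at the certificate in the browser" step.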