How to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

If you are looking for configuration to get your Cloud Foundry applications accessed via https://<appname>.<your custom domain> instead of the default https://<appname>.mybluemix.net, you can refer to these articles in the documentation: 

If you’re still not quite sure how to do the full process, however, this post will provide step-by-step instructions on how to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

You’ll learn how to do the following:

  1. Add a custom domain
  2. Upload a certificate for your domain
  3. Add an app route with the custom domain
  4. Configure DNS for custom domains
  5. Verify the results

Prerequisites

First, you need to make sure you have your own domain and its SSL certificate files:

  1. Acquire and register an Internet domain name.
  2. Obtain an SSL certificate, private key and (optionally) an intermediate certificate.

Acquire and register an Internet domain name

You will need to own the domain name that you plan to use. In addition, it must be registered with a DNS service provider that allows you to make configuration changes. For example, I own the tnexample.com domain by using the IBM Cloud Domain Name Service and use the IBM Cloud Internet Service for DNS management. 

If you don’t have a custom domain yet, you can buy one from any domain name registrar, including the IBM Cloud Domain Name Registration service. You can register your new domain here.

If you don’t have a DNS service provider, you can use IBM Cloud Internet Services (CIS), which includes a domain DNS management feature. You can create an instance of CIS here.

Obtain an SSL certificate, private key and (optionally) an intermediate certificate

You will need an SSL certificate for your domain, made up of the following files. You can obtain the files from a trusted certificate authority:

  • Certificate: A digital document that binds a public key to the identity of the certificate owner, which enables the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
  • Private key: The secret half of the key pair, used to encrypt (sign) messages that only the corresponding public key can decrypt (verify). The private key is also used to decrypt messages that were encrypted with the corresponding public key. It is kept on the user system and is protected by a password.
  • Intermediate certificate: The trusted root certificate authority (CA) issues a subordinate certificate specifically to issue end-entity server certificates. This creates a certificate chain that starts at the trusted root CA, passes through the intermediate certificate and, ultimately, ends with the SSL certificate issued to the organization. You can utilize an intermediate certificate to verify the authenticity of the main certificate. 

If you don’t have any certificate authorities, you can use IBM Cloud Secrets Manager to order an SSL certificate from the certificate authority Let’s Encrypt:

1. Add a custom domain

Now you can start to configure your Cloud Foundry applications by adding a custom domain via the IBM Cloud UI (Note: You can also create domains with the ibmcloud command line tool):

  1. Log in to the IBM Cloud UI.
  2. In the banner, expand Manage and click Account:
  3. Click Cloud Foundry in the left pane menu, expand Account resources and click Cloud Foundry orgs.
  4. Click the Cloud Foundry Org name that you plan to use, then click the Domains tab:
  5. Click the Add Domain button.
  6. Enter your custom domain in the text box and select the CF org region that you plan to use, then click the Add button. For my custom domain, I use the tnexample.com domain as I plan to use the CF app route bluemix.tnexample.com:
  7. Click the Add button. After the save operation completes, you should notice a new icon in the SSL Certificate column:

2. Upload a certificate for your domain

  1. Click the Upload icon in the SSL Certificate column for the domain you added in the previous step:
  2. For each field on the Upload Certificate dialog, click the Choose button and select the appropriate file:
  3. Click the Add button and the upload process should begin. The SSL certificate is uploaded and replicated across the IBM Cloud servers, which can take a few minutes:
  4. Once the upload is complete, you should also see the icon for your domain has changed to a padlock:
  5. If you click on the Details link, you will see a dialog to show the details of the certificate you uploaded:

3. Add an app route with the custom domain

Now that we have a custom domain with the SSL certificate, let’s set up an app that makes use of it. We can either create a brand new app or edit the routes of an existing app:

  1. Click Resource List in the IBM Cloud UI.
  2. Expand the Cloud Foundry Apps section to list your applications.
  3. Click the Cloud Foundry application to see the overview of the app:
  4. Expand the Actions and click Edit routes:
  5. In the Edit Routes dialog, you can add and remove routes. Add a new CF app route with the custom domain and save it:
  6. You will see the newly added CF app route in the details:

4. Configure DNS for custom domains

At this point, you have an app with a route that uses your custom domain. However, if you tried to access the app via that route, it would fail. You need to do some DNS configuration by adding a CNAME record that maps your domain to the hostname of the Cloud Foundry router:

  1. Set up a CNAME record for the custom domain name on your DNS server. Steps for setting up the CNAME record vary depending on your DNS provider. I’m using the DNS management in the IBM Cloud Internet Service (CIS). In the CIS instance page, click the Reliability page, click the DNS tab and then click the Add button in the DNS records section:
  2. Map the custom domain name to the secure endpoint for the IBM Cloud region where your app is running. Use the region endpoints below as the CNAME target for the route that is allocated to your CF organization in IBM Cloud. For example, my app is in the IBM Cloud US-South region, and I want to access the app as helloworld.tnexample.com, so I enter the host name helloworld and the alias domain name custom-domain.us-south.cf.cloud.ibm.com in the DNS CNAME record. Cloud Foundry Router endpoints:
    • US-SOUTH: custom-domain.us-south.cf.cloud.ibm.com
    • US-EAST: custom-domain.us-east.cf.cloud.ibm.com
    • EU-DE: custom-domain.eu-de.cf.cloud.ibm.com
    • EU-GB: custom-domain.eu-gb.cf.cloud.ibm.com
    • AU-SYD: custom-domain.au-syd.cf.cloud.ibm.com

      Note: The host to use varies by the region in which your app is hosted.

  3. Once you commit the changes, you will have to wait some period of time for the changes to propagate. Once the DNS changes are propagated, you should be able to access your app via the browser.
  4. If you’re still unable to access your app after a reasonable amount of time, you might find it helpful to run the nslookup or dig command. For example, I ran dig below for helloworld.tnexample.com and it properly resolved to custom-domain.us-south.cf.cloud.ibm.com:
    $ dig helloworld.tnexample.com
    
    ; <<>> DiG 9.10.6 <<>> helloworld.tnexample.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34508
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;helloworld.tnexample.com.        IN        A
    
    ;; ANSWER SECTION:
    helloworld.tnexample.com. 300        IN        CNAME        custom-domain.us-south.cf.cloud.ibm.com.
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.62.254.80
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.46.89.151
    
    ;; Query time: 193 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue May 03 15:41:40 AEST 2022
    ;; MSG SIZE  rcvd: 284

5. Verify the results

Now if you try to access your route via the https protocol, the browser should declare your site is properly identified and trusted. For example, the screenshot below shows the certificate details for my app from Chrome:

You can also check by using the curl command:

$ curl -v https://helloworld.tnexample.com
*   Trying 169.62.254.80...
* TCP_NODELAY set
* Connected to helloworld.tnexample.com (169.62.254.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.tnexample.com
*  start date: Apr 21 01:27:24 2022 GMT
*  expire date: Jul 20 01:27:23 2022 GMT
*  subjectAltName: host "helloworld.tnexample.com" matched cert's "*.tnexample.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: helloworld.tnexample.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
....
* Connection #0 to host helloworld.tnexample.com left intact
* Closing connection 0
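As an added example (not part of the original post), the following Python script reproduces the checks from steps 4 and 5 offline: it parses the ANSWER SECTION of dig output, confirms the route's CNAME points at the router endpoint for the region you chose and that the router resolves to A records, and applies the one-label wildcard rule that curl used to match helloworld.tnexample.com against *.tnexample.com. The sample dig output and the region table are taken from this post; everything else is constructed for the example.

```python
# Offline sanity checks for a Cloud Foundry custom-domain setup.
# Constructed example; not IBM Cloud tooling.

# Cloud Foundry router endpoints per region, as listed in the post.
CF_ROUTER = {
    "us-south": "custom-domain.us-south.cf.cloud.ibm.com",
    "us-east": "custom-domain.us-east.cf.cloud.ibm.com",
    "eu-de": "custom-domain.eu-de.cf.cloud.ibm.com",
    "eu-gb": "custom-domain.eu-gb.cf.cloud.ibm.com",
    "au-syd": "custom-domain.au-syd.cf.cloud.ibm.com",
}

# Constructed dig output, trimmed to the relevant section of the post's sample.
SAMPLE_DIG = """;; ANSWER SECTION:
helloworld.tnexample.com. 300 IN CNAME custom-domain.us-south.cf.cloud.ibm.com.
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23

;; Query time: 193 msec"""


def parse_dig_answer(output):
    """Return (owner, type, rdata) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break  # blank line or next section ends the answer
            parts = line.split()  # owner ttl class type rdata
            records.append((parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return records


def check_cname(records, host, region):
    """Verify host's CNAME is the router for `region` and that it has A records."""
    router = CF_ROUTER[region]
    cnames = [r for o, t, r in records if o == host and t == "CNAME"]
    if cnames != [router]:
        return f"expected CNAME {router}, found {cnames or 'none'}"
    if not any(o == router and t == "A" for o, t, _ in records):
        return f"{router} did not resolve to any A record"
    return "ok"


def cert_covers_host(san_names, host):
    """One-label wildcard rule: *.example.com covers a.example.com, not example.com or a.b.example.com."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            label, parent = host.split(".", 1)
            if parent == name[2:] and label:
                return True
    return False
```

Run the two checks before opening a ticket: a CNAME pointing at the wrong region endpoint, or a wildcard certificate that does not actually cover the apex domain or a multi-level route, are the two most common reasons step 5 fails even though the upload in step 2 succeeded.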

Conclusion

This post covered how to configure your Cloud Foundry applications in IBM Cloud by associating your custom domain and its SSL certificate, so that you can now access your application over HTTPS with a valid SSL certificate. I’d like to thank Tony Erwin for the article that provided much of the groundwork for this topic.
