How to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.
If you are looking for configuration to get your Cloud Foundry applications accessed via https://<appname>.<your custom domain> instead of the default https://<appname>.mybluemix.net, you can refer to these articles in the documentation:
If you’re still not quite sure how to do the full process, however, this post will provide step-by-step instructions on how to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.
You’ll learn how to do the following:
- Add a custom domain
- Upload a certificate for your domain
- Add an app route with the custom domain
- Configure DNS for custom domains
- Verify the results
Prerequisites
First, you need to make sure you have your own domain and its SSL certificate files:
- Acquire and register an Internet domain name.
- Obtain an SSL certificate, private key and (optionally) an intermediate certificate.
Acquire and register an Internet domain name
You will need to own the domain name that you plan to use. In addition, it must be registered with a DNS service provider that allows you to make configuration changes. For example, I own the tnexample.com domain by using the IBM Cloud Domain Name Service and use the IBM Cloud Internet Service for DNS management.
If you don’t have a custom domain yet, you can buy a domain from any domain name registrar. Also, you can buy a domain from the IBM Cloud Domain Name Registration service. You can register your new domain here:
If you don’t have a DNS service provider, you can use the IBM Cloud Internet Services (CIS). It has the Domain DNS management feature. You can create an instance of CIS here:
Obtain an SSL certificate, private key and (optionally) an intermediate certificate
You will need an SSL certificate for your domain and the following files. You can obtain the files from a trusted certificate authority:
- Certificate: A digital document that binds a public key to the identity of the certificate owner, which enables the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
- Private key: An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user system and is protected by a password.
- Intermediate certificate: The trusted root certificate authority (CA) issues a subordinate certificate specifically to issue end-entity server certificates. This creates a certificate chain that starts at the trusted root CA, passes through the intermediate certificate and, ultimately, ends with the SSL certificate issued to the organization. You can utilize an intermediate certificate to verify the authenticity of the main certificate.
If you don’t have any certificate authorities, you can use IBM Cloud Secrets Manager to order an SSL certificate from the certificate authority Let’s Encrypt:
1. Add a custom domain
Now you can start to configure your Cloud Foundry applications by adding a custom domain via the IBM Cloud UI (Note: You can also create domains with the ibmcloud command line tool):
- Log in to the IBM Cloud UI.
- In the banner, expand Manage and click Account:
- Click Cloud Foundry in the left pane menu, expand Account resources and click Cloud Foundry orgs.
- Click the Cloud Foundry Org name that you plan to use, then click the Domains tab:
- Click the Add Domain button.
- Enter your custom domain in the text box and select the CF org region that you plan to use, then click the Add button. For my custom domain, I use the tnexample.com domain as I plan to use the CF app route bluemix.tnexample.com:
- Click the Add button. After the save operation completes, you should notice a new icon in the SSL Certificate column:
2. Upload a certificate for your domain
- Click the Upload icon in the SSL Certificate column for the domain you added in the previous step:
- For each field on the Upload Certificate dialog, click the Choose button and select the appropriate file:
- Click the Add button and the upload process should begin. The SSL certificate is uploaded and replicated across our servers. This process could take a few minutes:
- Once the upload is complete, you should also see the icon for your domain has changed to a padlock:
- If you click on the Details link, you will see a dialog to show the details of the certificate you uploaded:
3. Add an app route with the custom domain
Now that we have a custom domain with the SSL certificate, let’s set up an app that makes use of it. We can either create a brand new app or edit the routes of an existing app:
- Click Resource List in the IBM Cloud UI.
- Expand the Cloud Foundry Apps section to list your applications.
- Click the Cloud Foundry application to see the overview of the app:
- Expand the Actions and click Edit routes:
- In the Edit Routes dialog, you can add and remove routes. Add a new CF app route with the custom domain and save it:
- You will see the newly added CF app route in the details:
4. Configure DNS for custom domains
At this point, you have an app using a route making use of our custom domain. However, if you tried to access your app via the route, it would fail. You need to do some DNS configuration by adding a CNAME record that maps your domain to the hostname of the Cloud Foundry router:
- Set up a CNAME record for the custom domain name on your DNS server. Steps for setting up the CNAME record vary depending on your DNS provider. I’m using the DNS management in the IBM Cloud Internet Service (CIS). In the CIS instance page, click the Reliability page, click the DNS tab and then click the Add button in the DNS records section:
- Map the custom domain name to the secure endpoint for the IBM Cloud region where your app is running. Use the following region endpoints to provide the URL route that is allocated to your CF organization in IBM Cloud. For example, my app is in IBM Cloud US-South region, and I want to access the app with helloworld.tnexample.com, so I enter the host name helloworld and the alias domain name custom-domain.us-south.cf.cloud.ibm.com in the DNS CNAME record. Cloud Foundry Router endpoints:
  - US-SOUTH: custom-domain.us-south.cf.cloud.ibm.com
  - US-EAST: custom-domain.us-east.cf.cloud.ibm.com
  - EU-DE: custom-domain.eu-de.cf.cloud.ibm.com
  - EU-GB: custom-domain.eu-gb.cf.cloud.ibm.com
  - AU-SYD: custom-domain.au-syd.cf.cloud.ibm.com

  Note: The host to use varies by the region in which your app is hosted.
- Once you commit the changes, you will have to wait some period of time for the changes to propagate. Once the DNS changes are propagated, you should be able to access your app via the browser.
- If you’re still unable to access your app after a reasonable amount of time, you might find it helpful to run the nslookup command or dig command. For example, I ran it below for helloworld.tnexample.com and it properly resolved to custom-domain.us-south.cf.cloud.ibm.com:
5. Verify the results
Now if you try to access your route via the https protocol, the browser should declare your site is properly identified and trusted. For example, the screenshot below shows the certificate details for my app from Chrome:
You can also check by using the curl command:
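The DNS check from step 4 and the question of whether the uploaded certificate actually covers the app route can also be scripted. The following is an added example, not part of the original post: the function names are hypothetical, the region endpoints are the ones listed in step 4, and the sample values are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Endpoints are the ones listed in step 4.

# Lower-case a DNS name and drop the trailing dot that dig prints.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# Print the Cloud Foundry router endpoint for a region; fail on an unknown region.
cf_endpoint() {
  local region
  region=$(norm "$1")
  case "$region" in
    us-south|us-east|eu-de|eu-gb|au-syd)
      printf 'custom-domain.%s.cf.cloud.ibm.com\n' "$region" ;;
    *) return 1 ;;
  esac
}

# check_cname REGION ANSWER, where ANSWER is the output of `dig +short CNAME <host>`.
# Returns 0 = correct endpoint, 1 = other target (e.g. wrong region),
#         2 = no CNAME record returned, 3 = unknown region.
check_cname() {
  local want got
  want=$(cf_endpoint "$1") || return 3
  got=$(norm "$(printf '%s\n' "$2" | head -n 1)")
  [ -n "$got" ] || return 2
  [ "$got" = "$want" ] || return 1
  return 0
}

# host_covered HOST SAN...: is HOST covered by one of the certificate's DNS names?
# A wildcard such as *.tnexample.com matches exactly one left-most label.
host_covered() {
  local host san
  host=$(norm "$1"); shift
  for san in "$@"; do
    san=$(norm "$san")
    case "$san" in
      \*.*) [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${san#\*.}" ] && return 0 ;;
      *)    [ "$host" = "$san" ] && return 0 ;;
    esac
  done
  return 1
}

# Constructed sample values; live: check_cname us-south "$(dig +short CNAME helloworld.tnexample.com)"
answer='custom-domain.us-south.cf.cloud.ibm.com.'
check_cname us-south "$answer" && echo "CNAME points at the us-south router"
host_covered helloworld.tnexample.com '*.tnexample.com' && echo "certificate covers the route"
host_covered tnexample.com '*.tnexample.com' || echo "wildcard alone does not cover the bare domain"
```

The DNS names to pass to `host_covered` can be read from the certificate file before upload, for example with `openssl x509 -in cert.pem -noout -ext subjectAltName` (the file name is a placeholder).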
Conclusion
This post covered how to configure your Cloud Foundry applications by associating your custom domain and its SSL certificate in IBM Cloud, and you’ll now be able to access your application over HTTPS with a valid SSL certificate. I’d like to thank Tony Erwin for the article that provided much of the groundwork for this topic.