August 22, 2016 | Written by: Luke Stack
Categorized: How-tos | Security
Share this post:
Let’s Encrypt is a certificate authority that allows users to certify their domains, free of charge. Let’s Encrypt is working to create a safer, more private web, by making SSL easier to configure for website owners.
By default, Bluemix Cloud Foundry applications use a domain of ‘mybluemix.net’, ‘eu.mybluemix.net’, or ‘au-syd.mybluemix.net’ (depending on your region). When using these domains, support for HTTPS is pre-configured and requires no additional effort.
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.letsencrypt.org
However, users often want to serve their applications from a custom domain and supporting HTTPS for these applications will require an SSL certificate. We wanted to see if it was possible to use Let’s Encrypt to make this as simple as possible for our users. In our exploration, we discovered a project on GitHub that accomplishes this:
The cf-letsencrypt project deploys an application to your Bluemix account that will serve all traffic to the
/.well-known/acme-challenge path of your configured routes, allowing Let’s Encrypt to verify that you own the domain. All other traffic will be routed to your original application. bsyk accomplishes this with a clever use of the relatively-new
--path argument for the
cf map-route command. However, using the Bluemix CLI cert commands, we can go one step further and automatically upload the certificate to your custom domain.
bluemix-letsencrypt is a cf-letsencrypt fork that extends the project to use Bluemix-specific API calls for uploading the acquired certificates into IBM Bluemix.
To run bluemix-letsencrypt, you must first:
- Have the Bluemix CLI installed and use it to log in to Bluemix
- Have a custom domain associated with your target org and ensure that you have properly configured DNS for each of the routes you wish to secure
Once you are ready, clone the bluemix-letsencrypt repo to your local system with the command
git clone https://github.com/ibmjstart/bluemix-letsencrypt.
domains.yml with your email address and the custom domain for which you’d like an SSL certificate:
Add a host entry for each application hostname that you’d like to support. Because Let’s Encrypt doesn’t currently support wildcard certificates, you will need to update the certificate each time you add a new application hostname.
Tip: Leave the first host as ‘.’ so that the subject common name of your certificate will match your custom domain. Each of the other hosts in the hosts array will become DNS Name entries in the Subject Alternative Name (SAN) field.
Before running the main script of the project (
setup-app.py), make sure you have installed all necessary dependencies with this command:
pip install -r requirements.txt.
Now you are ready to request your SSL certificate from Let’s Encrypt with this command:
python setup-app.py. This command will:
- Push the
cf-letsencrypt application to Bluemix
- Map a route for each host in
- Start the application to obtain a certificate
- Download the certificate to your current working directory
- Stop the
- Upload the certificate to Bluemix
After the script finishes, your configured routes should now be accessible via HTTPS.
The Let’s Encrypt certificate is good for 90 days, but Let’s Encrypt recommends you to renew it closer to the 60-day mark. To avoid the risk of losing your previous certificate, bluemix-letsencrypt DOES NOT perform the update on your behalf (as of the time of this writing). The script will still request an updated certificate and download the
.pem files to your working directory, but you must remove the old cert and upload the new one yourself.
We are very grateful to bsyk for the work he’s done on cf-letsencrypt, so be kind and throw some stars his way!