
Securing Custom Domains with Let’s Encrypt


Let’s Encrypt is a certificate authority that allows users to certify their domains, free of charge. Let’s Encrypt is working to create a safer, more private web, by making SSL easier to configure for website owners.

By default, Bluemix Cloud Foundry applications use a domain of ‘mybluemix.net’, ‘eu.mybluemix.net’, or ‘au-syd.mybluemix.net’ (depending on your region). When using these domains, support for HTTPS is pre-configured and requires no additional effort.

“Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.” (letsencrypt.org)

However, users often want to serve their applications from a custom domain, and supporting HTTPS for these applications requires an SSL certificate. We wanted to see if it was possible to use Let’s Encrypt to make this as simple as possible for our users. In our exploration, we discovered a project on GitHub that accomplishes this, cf-letsencrypt by bsyk:

The cf-letsencrypt project deploys an application to your Bluemix account that serves all traffic sent to the /.well-known/acme-challenge path of your configured routes, allowing Let’s Encrypt to verify that you control the domain. All other traffic continues to be routed to your original application. bsyk accomplishes this with a clever use of the relatively new --path argument of the cf map-route command. Using the Bluemix CLI cert commands, we can go one step further and automatically upload the certificate to your custom domain.

Introducing bluemix-letsencrypt

bluemix-letsencrypt is a cf-letsencrypt fork that extends the project to use Bluemix-specific API calls for uploading the acquired certificates into IBM Bluemix.

To run bluemix-letsencrypt, you must first:

  • Have the Bluemix CLI installed and use it to log in to Bluemix
  • Have a custom domain associated with your target org and ensure that you have properly configured DNS for each of the routes you wish to secure

Once you are ready, clone the bluemix-letsencrypt repo to your local system with the command git clone https://github.com/ibmjstart/bluemix-letsencrypt.

Next, update domains.yml with your email address and the custom domain for which you’d like an SSL certificate:

{
    "email": "email@domain.com",
    "staging": false,
    "domains": [
        {
          "domain": "example.com",
          "hosts": [
            ".",
            "app"
          ]
        }
    ]
}

Add a host entry for each application hostname that you’d like to support. Because Let’s Encrypt doesn’t currently support wildcard certificates, you will need to update the certificate each time you add a new application hostname.

Tip: Leave the first host as ‘.’ so that the subject common name of your certificate will match your custom domain. Each of the other hosts in the hosts array will become DNS Name entries in the Subject Alternative Name (SAN) field.
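As an added illustration of how the hosts list is interpreted (this is example code written for this post, not code from bluemix-letsencrypt or cf-letsencrypt), the following Python reads a config in the shape shown above, expands each host into the name that ends up as the subject CN or a SAN entry, flags the settings the tip above warns about, and lists the cf map-route --path calls a challenge-serving app would need. The app name cf-letsencrypt, the exact --path spelling and the check_config warnings are assumptions; the real script’s internals are not reproduced.

```python
import json

# Constructed sample config, in the shape of the domains.yml shown above.
# JSON is valid YAML, so json.loads is enough for this illustration.
SAMPLE_CONFIG = json.loads("""
{
    "email": "email@domain.com",
    "staging": false,
    "domains": [
        {"domain": "example.com", "hosts": [".", "app"]}
    ]
}
""")

# Path the challenge-serving app must answer on (assumed spelling for --path).
ACME_PATH = ".well-known/acme-challenge"


def expand_hosts(domain, hosts):
    """Turn a hosts list into fully qualified names; '.' means the bare domain."""
    names = []
    for host in hosts:
        fqdn = domain if host == "." else f"{host}.{domain}"
        if fqdn not in names:          # drop duplicates, keep first-seen order
            names.append(fqdn)
    return names


def cert_names(config):
    """Return (common_name, dns_names): the first host becomes the subject CN,
    and every host (the first included) becomes a DNS entry in the SAN field."""
    names = []
    for entry in config["domains"]:
        names.extend(expand_hosts(entry["domain"], entry["hosts"]))
    if not names:
        raise ValueError("no hosts configured")
    return names[0], names


def check_config(config):
    """Return a list of warnings for settings the post tells you to avoid."""
    warnings = []
    for entry in config["domains"]:
        hosts = entry["hosts"]
        if not hosts or hosts[0] != ".":
            warnings.append(f"{entry['domain']}: first host should be '.' so the CN matches the custom domain")
        for host in hosts:
            if "*" in host:
                warnings.append(f"{entry['domain']}: wildcard host '{host}' is not supported; list each hostname")
    if config.get("staging"):
        warnings.append("staging is true: the certificate comes from the Let's Encrypt staging CA, which browsers do not trust")
    return warnings


def challenge_route_commands(config, app_name="cf-letsencrypt"):
    """Build the cf map-route calls that send only the ACME challenge path of
    each route to the challenge-serving app (app_name is a hypothetical value);
    the apex host ('.') gets no --hostname flag."""
    commands = []
    for entry in config["domains"]:
        for host in entry["hosts"]:
            cmd = ["cf", "map-route", app_name, entry["domain"]]
            if host != ".":
                cmd += ["--hostname", host]
            cmd += ["--path", ACME_PATH]
            commands.append(" ".join(cmd))
    return commands


if __name__ == "__main__":
    cn, sans = cert_names(SAMPLE_CONFIG)
    print("CN:", cn)
    print("SAN:", ", ".join(sans))
    for warning in check_config(SAMPLE_CONFIG):
        print("warning:", warning)
    for cmd in challenge_route_commands(SAMPLE_CONFIG):
        print(cmd)
```

Running it on the sample prints a CN of example.com, two SAN names, no warnings, and one map-route line per host; only the non-apex host carries a --hostname flag, which is what lets the ACME challenge path and the rest of the route go to different applications.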

Running bluemix-letsencrypt

Before running the main script of the project (setup-app.py), make sure you have installed all necessary dependencies with this command: pip install -r requirements.txt.

Now you are ready to request your SSL certificate from Let’s Encrypt with this command: python setup-app.py. This command will:

  • Push the cf-letsencrypt application to Bluemix
  • Map a route for each host in domains.yml
  • Start the application to obtain a certificate
  • Download the certificate to your current working directory
  • Stop the cf-letsencrypt application
  • Upload the certificate to Bluemix

After the script finishes, your configured routes should now be accessible via HTTPS.

Reminder!

The Let’s Encrypt certificate is valid for 90 days, but Let’s Encrypt recommends renewing it around the 60-day mark. To avoid the risk of losing your previous certificate, bluemix-letsencrypt DOES NOT perform the update on your behalf (as of the time of this writing). The script will still request an updated certificate and download the .pem files to your working directory, but you must remove the old certificate and upload the new one yourself.
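Because renewal is a manual step, a small check of what a route is actually serving is worth keeping around. The following added Python (written for this post, not part of bluemix-letsencrypt) takes a certificate in the dict layout returned by Python’s ssl getpeercert(), computes the days left and whether the 60-day renewal point has passed, and reports configured hostnames that the certificate’s SAN list does not cover. The fetch_cert helper, the sample dates and the command-line arguments are assumptions for the example.

```python
import socket
import ssl
import time

LIFETIME_DAYS = 90      # validity of a Let's Encrypt certificate
RENEW_AT_DAY = 60       # the recommended renewal point from the post


def epoch(cert_time):
    """Parse a time in the 'Aug 30 00:00:00 2017 GMT' form used by getpeercert()."""
    return ssl.cert_time_to_seconds(cert_time)


def days_remaining(cert, now_epoch=None):
    """Days left until notAfter (negative once the certificate has expired)."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return (epoch(cert["notAfter"]) - now_epoch) / 86400


def renewal_due(cert, now_epoch=None):
    """True once the certificate is at or past day 60 of its 90-day life."""
    return days_remaining(cert, now_epoch) <= LIFETIME_DAYS - RENEW_AT_DAY


def san_dns_names(cert):
    """DNS entries from the Subject Alternative Name field."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def missing_names(cert, expected):
    """Hostnames from domains.yml that the served certificate does not cover."""
    present = set(san_dns_names(cert))
    return [name for name in expected if name not in present]


def fetch_cert(hostname, port=443, timeout=5.0):
    """Connect to a live route and return its certificate as a getpeercert() dict.
    Verification stays on, so an untrusted or mismatched cert raises ssl.SSLError
    instead of being silently reported as healthy."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() layout; the dates are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "app.example.com")),
    "notBefore": "Jun  1 00:00:00 2017 GMT",
    "notAfter": "Aug 30 00:00:00 2017 GMT",
}


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py app.example.com example.com app.example.com
    # With no arguments the constructed sample certificate is checked instead.
    if len(sys.argv) < 2:
        host, expected, cert = "sample", ["example.com", "app.example.com"], SAMPLE_CERT
    else:
        host, expected = sys.argv[1], sys.argv[2:]
        cert = fetch_cert(host)
    print(f"{host}: {days_remaining(cert):.1f} days left, renewal due: {renewal_due(cert)}")
    for name in missing_names(cert, expected):
        print("not covered by SAN:", name)
```

Run against a live route with the hostnames from domains.yml as the remaining arguments, it tells you whether the new .pem files need to be uploaded yet, and whether a hostname added since the last run is still missing from the certificate.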

We are very grateful to bsyk for the work he’s done on cf-letsencrypt, so be kind and throw some stars his way!
