
Securing Custom Domains with Let’s Encrypt

Let’s Encrypt is a certificate authority that lets anyone obtain certificates for the domains they control, free of charge. Its goal is a safer, more private web, achieved by making SSL/TLS easy for website owners to configure.

By default, Bluemix Cloud Foundry applications use a domain of ‘mybluemix.net’, ‘eu.mybluemix.net’, or ‘au-syd.mybluemix.net’ (depending on your region). When using these domains, support for HTTPS is pre-configured and requires no additional effort.

“Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit.” (letsencrypt.org)

However, users often want to serve their applications from a custom domain, and supporting HTTPS on a custom domain requires an SSL certificate for it. We wanted to see if Let’s Encrypt could make this as simple as possible for our users. In our exploration, we discovered a project on GitHub that accomplishes this: cf-letsencrypt, by bsyk.

The cf-letsencrypt project deploys a small helper application to your Bluemix account that serves only the /.well-known/acme-challenge path of your configured routes, which is exactly what Let’s Encrypt requests in order to verify that you control the domain. All other traffic continues to reach your original application. bsyk accomplishes this with a clever use of the relatively new --path argument to the cf map-route command, so the helper never needs to proxy or inspect your real traffic. Using the Bluemix CLI cert commands, we can go one step further and automatically upload the resulting certificate to your custom domain.

Introducing bluemix-letsencrypt

bluemix-letsencrypt is a cf-letsencrypt fork that extends the project to use Bluemix-specific API calls for uploading the acquired certificates into IBM Bluemix.

To run bluemix-letsencrypt, you must first:

  • Have the Bluemix CLI installed and use it to log in to Bluemix
  • Have a custom domain associated with your target org and ensure that you have properly configured DNS for each of the routes you wish to secure

Once you are ready, clone the bluemix-letsencrypt repo to your local system with the command git clone https://github.com/ibmjstart/bluemix-letsencrypt.

Next, update domains.yml with your email address and the custom domain for which you’d like an SSL certificate:

{
    "email": "email@domain.com",
    "staging": false,
    "domains": [
        {
          "domain": "example.com",
          "hosts": [
            ".",
            "app"
          ]
        }
    ]
}

Add a host entry for each application hostname that you’d like to secure. Because Let’s Encrypt does not (at the time of writing) issue wildcard certificates, every hostname must be listed explicitly, and you will need to request a new certificate each time you add an application hostname.

Tip: Leave the first host as ‘.’ so that the Subject Common Name (CN) of your certificate is your bare custom domain. Each of the other entries in the hosts array becomes a DNS Name entry in the certificate’s Subject Alternative Name (SAN) extension, which is what browsers actually match the hostname against.

Running bluemix-letsencrypt

Before running the main script of the project (setup-app.py), make sure you have installed all necessary dependencies with this command: pip install -r requirements.txt.

Now you are ready to request your SSL certificate from Let’s Encrypt with this command: python setup-app.py. This command will:

  • Push the cf-letsencrypt application to Bluemix
  • Map a route for each host in domains.yml
  • Start the application to obtain a certificate
  • Download the certificate to your current working directory
  • Stop the cf-letsencrypt application
  • Upload the certificate to Bluemix

After the script finishes, your configured routes should now be accessible via HTTPS.

Reminder!

A Let’s Encrypt certificate is valid for 90 days, but Let’s Encrypt recommends renewing it around the 60-day mark, i.e. with about 30 days of validity left. To avoid the risk of clobbering the certificate already in use on your domain, bluemix-letsencrypt DOES NOT perform the update on your behalf (as of the time of this writing). Running the script again will still request a fresh certificate and download the .pem files to your working directory, but you must remove the old certificate from the domain and upload the new one yourself.
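Because the renewal is manual, it is worth having a check that tells you when it is due and that confirms the names on the deployed certificate match the hosts you listed in domains.yml (the CN/SAN layout described in the tip above). The following script is an added example written for this article; it is not part of bluemix-letsencrypt or cf-letsencrypt. It assumes the openssl command-line tool is installed, and the hostname app.example.com is a placeholder for one of your routes.

```shell
#!/bin/sh
# Added example (not bluemix-letsencrypt code): inspect the certificate that
# Bluemix actually serves for a route and flag it when renewal is due.
# Assumes the openssl CLI is available; hostnames below are placeholders.
set -eu

# Fetch the leaf certificate presented for HOST and print it as PEM.
# -servername sends SNI so the server selects the cert for that hostname.
fetch_cert() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Print the Subject (which carries the CN) and each Subject Alternative Name
# entry of a PEM certificate, one per line, for comparison with domains.yml.
cert_names() {
    pem="$1"
    openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//'
    openssl x509 -in "$pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

# Return 0 (true) if the PEM certificate in $1 expires within $2 days.
# Let's Encrypt certs last 90 days and renewal is recommended around day 60,
# so 30 days before expiry is the threshold worth alerting on.
cert_expires_within() {
    pem="$1"
    days="$2"
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# Usage: check_route HOST [DAYS]; returns 2 when renewal is due.
check_route() {
    host="$1"
    days="${2:-30}"
    tmp="$(mktemp)"
    fetch_cert "$host" > "$tmp"
    echo "names on the certificate served for $host:"
    cert_names "$tmp"
    if cert_expires_within "$tmp" "$days"; then
        echo "RENEW: certificate for $host expires within $days days"
        rm -f "$tmp"
        return 2
    fi
    echo "OK: certificate for $host is valid for more than $days days"
    rm -f "$tmp"
}

# Example invocation (placeholder hostname): ./check_cert.sh app.example.com 30
if [ "$#" -gt 0 ]; then
    check_route "$@"
fi
```

Run it against each route after setup-app.py finishes to confirm the CN and SAN entries are the ones you configured, and schedule it (for example from cron) so that a non-zero exit reminds you to re-run the script and swap the certificate before the 90 days run out.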

We are very grateful to bsyk for the work he’s done on cf-letsencrypt, so be kind and throw some stars his way!

