May 13, 2022 By Takeyuki Nakajo 8 min read

How to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

If you want your Cloud Foundry applications to be reachable at https://<appname>.<your custom domain> instead of the default https://<appname>.mybluemix.net, the IBM Cloud documentation has articles on the topic.

If you’re still not quite sure how to do the full process, however, this post will provide step-by-step instructions on how to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

You’ll learn how to do the following:

  1. Add a custom domain
  2. Upload a certificate for your domain
  3. Add an app route with the custom domain
  4. Configure DNS for custom domains
  5. Verify the results

Prerequisites

First, you need to make sure you have your own domain and its SSL certificate files:

  1. Acquire and register an Internet domain name.
  2. Obtain an SSL certificate, private key and (optionally) an intermediate certificate.

Acquire and register an Internet domain name

You will need to own the domain name that you plan to use. In addition, it must be registered with a DNS service provider that allows you to make configuration changes. For example, I own the tnexample.com domain by using the IBM Cloud Domain Name Service and use the IBM Cloud Internet Service for DNS management. 

If you don’t have a custom domain yet, you can buy a domain from any domain name registrar. You can also buy a domain from the IBM Cloud Domain Name Registration service and register your new domain there.

If you don’t have a DNS service provider, you can use IBM Cloud Internet Services (CIS). It has a domain DNS management feature, and you can create an instance of CIS for this purpose.

Obtain an SSL certificate, private key and (optionally) an intermediate certificate

You will need an SSL certificate for your domain, in the form of the following files. You can obtain the files from a trusted certificate authority:

  • Certificate: A digital document that binds a public key to the identity of the certificate owner, which enables the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
  • Private key: An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user system and is protected by a password.
  • Intermediate certificate: The trusted root certificate authority (CA) issues a subordinate certificate specifically to issue end-entity server certificates. This creates a certificate chain that starts at the trusted root CA, passes through the intermediate certificate and, ultimately, ends with the SSL certificate issued to the organization. You can utilize an intermediate certificate to verify the authenticity of the main certificate. 

If you don’t have a certificate authority, you can use IBM Cloud Secrets Manager to order an SSL certificate from the certificate authority Let’s Encrypt.

1. Add a custom domain

Now you can start to configure your Cloud Foundry applications by adding a custom domain via the IBM Cloud UI (Note: You can also create domains with the ibmcloud command line tool):

  1. Log in to the IBM Cloud UI.
  2. In the banner, expand Manage and click Account.
  3. Click Cloud Foundry in the left pane menu, expand Account resources and click Cloud Foundry orgs.
  4. Click the Cloud Foundry Org name that you plan to use, then click the Domains tab.
  5. Click the Add Domain button.
  6. Enter your custom domain in the text box and select the CF org region that you plan to use, then click the Add button. For my custom domain, I use the tnexample.com domain as I plan to use the CF app route bluemix.tnexample.com.
  7. Click the Add button. After the save operation completes, you should notice a new icon in the SSL Certificate column.

2. Upload a certificate for your domain

  1. Click the Upload icon in the SSL Certificate column for the domain you added in the previous step.
  2. For each field on the Upload Certificate dialog, click the Choose button and select the appropriate file.
  3. Click the Add button and the upload process should begin. The SSL certificate is then uploaded and replicated across our servers, which could take a few minutes.
  4. Once the upload is complete, you should also see that the icon for your domain has changed to a padlock.
  5. If you click on the Details link, you will see a dialog that shows the details of the certificate you uploaded.

3. Add an app route with the custom domain

Now that we have a custom domain with the SSL certificate, let’s set up an app that makes use of it. We can either create a brand new app or edit the routes of an existing app:

  1. Click Resource List in the IBM Cloud UI.
  2. Expand the Cloud Foundry Apps section to list your applications.
  3. Click the Cloud Foundry application to see the overview of the app.
  4. Expand Actions and click Edit routes.
  5. In the Edit Routes dialog, you can add and remove routes. Add a new CF app route with the custom domain and save it.
  6. You will see the newly added CF app route in the details.

4. Configure DNS for custom domains

At this point, your app has a route that uses your custom domain. However, if you tried to access your app via that route, it would fail. You need to do some DNS configuration by adding a CNAME record that maps your domain to the hostname of the Cloud Foundry router:

  1. Set up a CNAME record for the custom domain name on your DNS server. Steps for setting up the CNAME record vary depending on your DNS provider. I’m using the DNS management in the IBM Cloud Internet Service (CIS). In the CIS instance page, click the Reliability page, click the DNS tab and then click the Add button in the DNS records section.
  2. Map the custom domain name to the secure endpoint for the IBM Cloud region where your app is running. Use the following region endpoints to provide the URL route that is allocated to your CF organization in IBM Cloud. For example, my app is in IBM Cloud US-South region, and I want to access the app with helloworld.tnexample.com, so I enter the host name helloworld and the alias domain name custom-domain.us-south.cf.cloud.ibm.com in the DNS CNAME record. Cloud Foundry Router endpoints:
    • US-SOUTH: custom-domain.us-south.cf.cloud.ibm.com
    • US-EAST: custom-domain.us-east.cf.cloud.ibm.com
    • EU-DE: custom-domain.eu-de.cf.cloud.ibm.com
    • EU-GB: custom-domain.eu-gb.cf.cloud.ibm.com
    • AU-SYD: custom-domain.au-syd.cf.cloud.ibm.com

      Note: The host to use varies by the region in which your app is hosted.

  3. Once you commit the changes, you will have to wait some period of time for the changes to propagate. Once the DNS changes are propagated, you should be able to access your app via the browser.
  4. If you’re still unable to access your app after a reasonable amount of time, you might find it helpful to run the nslookup command or dig command. For example, I ran it below for helloworld.tnexample.com and it properly resolved to custom-domain.us-south.cf.cloud.ibm.com:
    $ dig helloworld.tnexample.com
    
    ; <<>> DiG 9.10.6 <<>> helloworld.tnexample.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34508
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;helloworld.tnexample.com.        IN        A
    
    ;; ANSWER SECTION:
    helloworld.tnexample.com. 300        IN        CNAME        custom-domain.us-south.cf.cloud.ibm.com.
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.62.254.80
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.46.89.151
    
    ;; Query time: 193 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue May 03 15:41:40 AEST 2022
    ;; MSG SIZE  rcvd: 284

5. Verify the results

Now if you try to access your route via the https protocol, the browser should declare your site is properly identified and trusted. For example, the screenshot below shows the certificate details for my app from Chrome:

You can also check by using the curl command:

    $ curl -v https://helloworld.tnexample.com
    *   Trying 169.62.254.80...
    * TCP_NODELAY set
    * Connected to helloworld.tnexample.com (169.62.254.80) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/cert.pem
      CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: CN=*.tnexample.com
    *  start date: Apr 21 01:27:24 2022 GMT
    *  expire date: Jul 20 01:27:23 2022 GMT
    *  subjectAltName: host "helloworld.tnexample.com" matched cert's "*.tnexample.com"
    *  issuer: C=US; O=Let's Encrypt; CN=R3
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: helloworld.tnexample.com
    > User-Agent: curl/7.64.1
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    ....
    * Connection #0 to host helloworld.tnexample.com left intact
    * Closing connection 0
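
The DNS check from step 4 and the certificate name match from step 5 can also be scripted. The following is an added example, not part of the original post and not IBM Cloud tooling: it checks that a host's CNAME points at the router endpoint for its region (using the endpoint list from step 4) and that a certificate name such as *.tnexample.com covers the host. The function names and the shortened dig sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; function names are illustrative, not IBM Cloud tooling.

# Router endpoint for a region, limited to the regions listed in step 4.
cf_endpoint() {
  region=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case $region in
    us-south|us-east|eu-de|eu-gb|au-syd)
      echo "custom-domain.$region.cf.cloud.ibm.com" ;;
    *) return 1 ;;
  esac
}

# Read dig output on stdin; print the CNAME target of host $1, lower-cased
# and without the trailing dot. Prints nothing if there is no CNAME.
cname_target() {
  awk -v h="$1." 'tolower($1) == tolower(h) && $4 == "CNAME" {
    sub(/\.$/, "", $5); print tolower($5); exit }'
}

# Succeed only if host $2 is a CNAME to the endpoint of region $1.
check_dns() {
  want=$(cf_endpoint "$1") || { echo "unknown region: $1"; return 2; }
  got=$(cname_target "$2")
  [ "$got" = "$want" ] && return 0
  echo "DNS mismatch for $2: got '${got:-no CNAME}', want '$want'"
  return 1
}

# Succeed if certificate name $2 (exact name or "*.domain") covers host $1.
# A wildcard stands for exactly one left-most label.
cert_covers() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $name in
    '*.'*)
      suffix=${name#\*}                    # e.g. ".tnexample.com"
      label=${host%"$suffix"}              # what the "*" has to stand for
      [ "$label" != "$host" ] || return 1  # host is outside the domain
      case $label in ''|*.*) return 1 ;; esac ;;
    *) [ "$host" = "$name" ] || return 1 ;;
  esac
}

# Answer section from the dig run in step 4, shortened to two records.
SAMPLE_DIG='helloworld.tnexample.com. 300 IN CNAME custom-domain.us-south.cf.cloud.ibm.com.
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23'

printf '%s\n' "$SAMPLE_DIG" | check_dns us-south helloworld.tnexample.com &&
  cert_covers helloworld.tnexample.com '*.tnexample.com' && echo "route ok"
```

Against live DNS, pipe real output in: dig helloworld.tnexample.com | check_dns us-south helloworld.tnexample.com. The wildcard *.tnexample.com covers helloworld.tnexample.com and bluemix.tnexample.com, but neither tnexample.com itself nor a deeper name such as api.dev.tnexample.com.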

Conclusion

This post covered how to configure your Cloud Foundry applications with your custom domain and its SSL certificate in IBM Cloud, so you can now access your application over HTTPS with a valid SSL certificate. I’d like to thank Tony Erwin for the article that provided much of the groundwork for this topic.
