IBM Cloud Foundry: SSL Certificates and Custom Domains

How to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

If you are looking for configuration to get your Cloud Foundry applications accessed via https://<appname>.<your custom domain> instead of the default https://<appname>.mybluemix.net, you can refer to these articles in the documentation: 

Takeyuki-Nakajo

If you're still not quite sure how to do the full process, however, this post will provide step-by-step instructions on how to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

You’ll learn how to do the following:

  1. Add a custom domain
  2. Upload a certificate for your domain
  3. Add an app route with the custom domain
  4. Configure DNS for custom domains
  5. Verify the results

Prerequisites

First, you need to make sure you have your own domain and its SSL certificate files:

  1. Acquire and register an Internet domain name.
  2. Obtain an SSL certificate, private key and (optionally) an intermediate certificate.

Acquire and register an Internet domain name

You will need to own the domain name that you plan to use. In addition, it must be registered with a DNS service provider that allows you to make configuration changes. For example, I own the tnexample.com domain by using the IBM Cloud Domain Name Service and use the IBM Cloud Internet Service for DNS management. 

If you don't have a custom domain yet, you can buy a domain from any domain name registrar. Also, you can buy a domain from the IBM Cloud Domain Name Registration service. You can register your new domain here: 

If you don't have a DNS service provider, you can use the IBM Cloud Internet Services (CIS). It has the Domain DNS management feature. You can create an instance of CIS here

Obtain an SSL certificate, private key and (optionally) an intermediate certificate

You will need an SSL certificate for your domain and the following files. You can obtain the files from a trusted certificate authority:

  • Certificate: A digital document that binds a public key to the identity of the certificate owner, which enables the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
  • Private key: An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user system and is protected by a password.
  • Intermediate certificate: The trusted root certificate authority (CA) issues a subordinate certificate specifically to issue end-entity server certificates. This creates a certificate chain that starts at the trusted root CA, passes through the intermediate certificate and, ultimately, ends with the SSL certificate issued to the organization. You can utilize an intermediate certificate to verify the authenticity of the main certificate. 

If you don't have any certificate authorities, you can use IBM Cloud Secrets Manager to order an SSL certificate from the certificate authority Let's Encrypt:

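Before uploading the three files from the list above, it is worth checking them offline: that the private key really belongs to the certificate, that the certificate chains to a trusted root through the intermediate, that the SAN covers the hostname you intend to route (a wildcard such as *.tnexample.com covers helloworld.tnexample.com but not tnexample.com itself), and that enough validity remains (Let's Encrypt certificates last 90 days). The Go program below is an added example, not code from the post or from IBM; it builds a constructed root/intermediate/leaf chain in memory so it runs without real files, and the names CheckBundle, MakeTestChain and Bundle are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds the PEM files the Upload Certificate dialog asks for (certificate,
// private key, intermediate) plus the root CA certificate, which is only needed
// locally to verify the chain. (Hypothetical type, not part of any IBM API.)
type Bundle struct {
	CertPEM, KeyPEM, IntermediatePEM, RootPEM []byte
}

// CheckBundle runs the pre-upload checks: key matches certificate, the certificate
// chains to the root via the intermediate, hostname is covered by the SAN, the
// certificate is valid at `now`, and at least minValidity remains before expiry.
func CheckBundle(b Bundle, hostname string, now time.Time, minValidity time.Duration) error {
	// tls.X509KeyPair rejects a private key that does not match the certificate's public key.
	pair, err := tls.X509KeyPair(b.CertPEM, b.KeyPEM)
	if err != nil {
		return fmt.Errorf("certificate/key: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("certificate: %w", err)
	}
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	if !inter.AppendCertsFromPEM(b.IntermediatePEM) {
		return fmt.Errorf("intermediate: no PEM certificate found")
	}
	if !roots.AppendCertsFromPEM(b.RootPEM) {
		return fmt.Errorf("root: no PEM certificate found")
	}
	// Verify checks signatures, CA constraints, validity dates and the SAN/hostname match
	// (the same rule curl reports on its "subjectAltName: host ... matched" line).
	if _, err := leaf.Verify(x509.VerifyOptions{DNSName: hostname, Intermediates: inter, Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("chain/hostname: %w", err)
	}
	if remaining := leaf.NotAfter.Sub(now); remaining < minValidity {
		return fmt.Errorf("certificate expires in %s (%s); renew before upload", remaining.Round(time.Hour), leaf.NotAfter.UTC())
	}
	return nil
}

// signCert issues tmpl signed by parent (self-signed when parent == tmpl) and returns
// the PEM encoding plus the parsed certificate.
func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) ([]byte, *x509.Certificate) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func keyPEM(k *ecdsa.PrivateKey) []byte {
	der, err := x509.MarshalPKCS8PrivateKey(k)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// MakeTestChain builds a constructed root -> intermediate -> *.tnexample.com chain with a
// 90-day leaf, so the checks run offline. It returns the good bundle and a copy whose
// private key belongs to a different certificate (the classic "wrong .key file" mistake).
func MakeTestChain(now time.Time) (good, wrongKey Bundle) {
	rootKey, interKey, leafKey, strayKey := newKey(), newKey(), newKey(), newKey()
	year := 365 * 24 * time.Hour
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * year), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootPEM, root := signCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	interTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Intermediate"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * year), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	interPEM, inter := signCert(interTmpl, root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "*.tnexample.com"},
		DNSNames: []string{"*.tnexample.com"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafPEM, _ := signCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	good = Bundle{CertPEM: leafPEM, KeyPEM: keyPEM(leafKey), IntermediatePEM: interPEM, RootPEM: rootPEM}
	wrongKey = good
	wrongKey.KeyPEM = keyPEM(strayKey)
	return good, wrongKey
}

func main() {
	now, day := time.Now(), 24*time.Hour
	good, wrongKey := MakeTestChain(now)
	fmt.Println("good bundle:   ", CheckBundle(good, "helloworld.tnexample.com", now, 30*day))
	fmt.Println("wrong key:     ", CheckBundle(wrongKey, "helloworld.tnexample.com", now, 30*day))
	fmt.Println("apex vs wildcard:", CheckBundle(good, "tnexample.com", now, 30*day))
}
```

To use it on real files, read the PEM files into a Bundle (the root is whatever CA your issuer chains to, e.g. the one curl trusts from /etc/ssl/cert.pem) and call CheckBundle with the exact route hostname you will add in step 3; a failure here is far cheaper to diagnose than a padlock that never appears after upload.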

1. Add a custom domain

Now you can start to configure your Cloud Foundry applications by adding a custom domain via the IBM Cloud UI (Note: You can also create domains with the ibmcloud command line tool):

  1. Log in to the IBM Cloud UI.
  2. In the banner, expand Manage and click Account:
  3. Click Cloud Foundry in the left pane menu, expand Account resources and click Cloud Foundry orgs.
  4. Click the Cloud Foundry Org name that you plan to use, then click the Domains tab:
  5. Click the Add Domain button.
  6. Enter your custom domain in the text box and select the CF org region that you plan to use, then click the Add button. For my custom domain, I use the tnexample.com domain as I plan to use the CF app route bluemix.tnexample.com:
  7. Click the Add button. After the save operation completes, you should notice a new icon in the SSL Certificate column:

2. Upload a certificate for your domain

  1. Click the Upload icon in the SSL Certificate column for the domain you added in the previous step:
  2. For each field on the Upload Certificate dialog, click the Choose button and select the appropriate file:
  3. Click the Add button and the upload process should begin. The SSL certificate is uploaded and replicated across the platform's servers, which can take a few minutes:
  4. Once the upload is complete, you should also see the icon for your domain has changed to a padlock:
  5. If you click on the Details link, you will see a dialog to show the details of the certificate you uploaded:

3. Add an app route with the custom domain

Now that we have a custom domain with the SSL certificate, let’s set up an app that makes use of it. We can either create a brand new app or edit the routes of an existing app:

  1. Click Resource List in the IBM Cloud UI.
  2. Expand the Cloud Foundry Apps section to list your applications.
  3. Click the Cloud Foundry application to see the overview of the app:
  4. Expand the Actions and click Edit routes:
  5. In the Edit Routes dialog, you can add and remove routes. Add a new CF app route with the custom domain and save it:
  6. You will see the newly added CF app route in the details:

4. Configure DNS for custom domains

At this point, you have an app with a route that uses your custom domain. However, if you tried to access your app via the route, it would fail. You need to do some DNS configuration by adding a CNAME record that maps your domain to the hostname of the Cloud Foundry router:

  1. Set up a CNAME record for the custom domain name on your DNS server. Steps for setting up the CNAME record vary depending on your DNS provider. I'm using the DNS management in the IBM Cloud Internet Service (CIS). In the CIS instance page, click the Reliability page, click the DNS tab and then click the Add button in the DNS records section:
  2. Map the custom domain name to the secure endpoint for the IBM Cloud region where your app is running. Use the following region endpoints to provide the URL route that is allocated to your CF organization in IBM Cloud. For example, my app is in IBM Cloud US-South region, and I want to access the app with helloworld.tnexample.com, so I enter the host name helloworld and the alias domain name custom-domain.us-south.cf.cloud.ibm.com in the DNS CNAME record. Cloud Foundry Router endpoints:
    • US-SOUTH: custom-domain.us-south.cf.cloud.ibm.com
    • US-EAST: custom-domain.us-east.cf.cloud.ibm.com
    • EU-DE: custom-domain.eu-de.cf.cloud.ibm.com
    • EU-GB: custom-domain.eu-gb.cf.cloud.ibm.com
    • AU-SYD: custom-domain.au-syd.cf.cloud.ibm.com
      Note: The host to use varies by the region in which your app is hosted.
  3. Once you commit the changes, you will have to wait some period of time for the changes to propagate. Once the DNS changes are propagated, you should be able to access your app via the browser.
  4. If you’re still unable to access your app after a reasonable amount of time, you might find it helpful to run the nslookup or dig command. For example, I ran dig below for helloworld.tnexample.com and it properly resolved to custom-domain.us-south.cf.cloud.ibm.com:
    $ dig helloworld.tnexample.com
    
    ; <<>> DiG 9.10.6 <<>> helloworld.tnexample.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34508
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;helloworld.tnexample.com.        IN        A
    
    ;; ANSWER SECTION:
    helloworld.tnexample.com. 300        IN        CNAME        custom-domain.us-south.cf.cloud.ibm.com.
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.62.254.80
    custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.46.89.151
    
    ;; Query time: 193 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue May 03 15:41:40 AEST 2022
    ;; MSG SIZE  rcvd: 284
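The two things to confirm in that dig output are that the CNAME target is the router endpoint for the region your app actually runs in (a record copied from the wrong region table entry resolves fine but the router will not know your route) and that the target itself resolves to addresses. The Go program below is an added example, not code from the post or from IBM: it parses the ANSWER SECTION of dig output and applies both checks using the region table above. The sample text is the answer section shown in the post; ParseDig, CheckRoute and routerEndpoints are my own names.

```go
package main

import (
	"fmt"
	"strings"
)

// Cloud Foundry router endpoints per region, as listed in the post.
var routerEndpoints = map[string]string{
	"us-south": "custom-domain.us-south.cf.cloud.ibm.com",
	"us-east":  "custom-domain.us-east.cf.cloud.ibm.com",
	"eu-de":    "custom-domain.eu-de.cf.cloud.ibm.com",
	"eu-gb":    "custom-domain.eu-gb.cf.cloud.ibm.com",
	"au-syd":   "custom-domain.au-syd.cf.cloud.ibm.com",
}

// DigAnswer is what we extract from `dig <host>` output: the CNAME target of the
// queried host (if any) and the addresses the resolver returned for the chain.
type DigAnswer struct {
	CNAME string
	Addrs []string
}

// ParseDig reads the answer lines of dig output for host. Comment lines (";...")
// are skipped and tab- or space-separated fields are both accepted.
func ParseDig(output, host string) DigAnswer {
	var ans DigAnswer
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		f := strings.Fields(line) // name ttl class type value
		if len(f) < 5 || f[2] != "IN" {
			continue
		}
		name := strings.TrimSuffix(strings.ToLower(f[0]), ".")
		switch f[3] {
		case "CNAME":
			if name == host {
				ans.CNAME = strings.TrimSuffix(strings.ToLower(f[4]), ".")
			}
		case "A", "AAAA":
			ans.Addrs = append(ans.Addrs, f[4])
		}
	}
	return ans
}

// CheckRoute verifies that host's CNAME points at the router endpoint for region
// and that the CNAME target actually resolved to at least one address.
func CheckRoute(output, host, region string) error {
	want, ok := routerEndpoints[strings.ToLower(region)]
	if !ok {
		return fmt.Errorf("unknown region %q", region)
	}
	ans := ParseDig(output, host)
	switch {
	case ans.CNAME == "":
		return fmt.Errorf("%s: no CNAME in answer (not propagated yet, or record missing)", host)
	case ans.CNAME != want:
		return fmt.Errorf("%s: CNAME points to %s, expected %s for region %s", host, ans.CNAME, want, region)
	case len(ans.Addrs) == 0:
		return fmt.Errorf("%s: CNAME target %s did not resolve to any address", host, ans.CNAME)
	}
	return nil
}

// Constructed sample: the ANSWER SECTION from the dig run shown in the post.
const sampleDig = `;; ANSWER SECTION:
helloworld.tnexample.com. 300 IN CNAME custom-domain.us-south.cf.cloud.ibm.com.
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.62.254.80
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.46.89.151
`

func main() {
	host := "helloworld.tnexample.com"
	fmt.Println("us-south:", CheckRoute(sampleDig, host, "us-south")) // nil: record is correct
	fmt.Println("eu-de:   ", CheckRoute(sampleDig, host, "eu-de"))    // error: wrong region
}
```

Feed it the output of `dig <your route>` and the region of your CF org. Keep the CNAME's lifecycle tied to the route: when you delete the route or the app, delete the DNS record too, so the name never points at router space you no longer control.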

5. Verify the results

Now if you try to access your route via the https protocol, the browser should declare your site is properly identified and trusted. For example, the screenshot below shows the certificate details for my app from Chrome:

You can also check by using the curl command:

$ curl -v https://helloworld.tnexample.com
*   Trying 169.62.254.80...
* TCP_NODELAY set
* Connected to helloworld.tnexample.com (169.62.254.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.tnexample.com
*  start date: Apr 21 01:27:24 2022 GMT
*  expire date: Jul 20 01:27:23 2022 GMT
*  subjectAltName: host "helloworld.tnexample.com" matched cert's "*.tnexample.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: helloworld.tnexample.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
....
* Connection #0 to host helloworld.tnexample.com left intact
* Closing connection 0

Conclusion

This post covered how to configure your Cloud Foundry applications by associating your custom domain and its SSL certificate in IBM Cloud; you'll now be able to access your application over HTTPS with a valid SSL certificate. I'd like to thank Tony Erwin for the article that provided much of the groundwork for this topic.
