Recently I discovered that I can get a free SSL certificate from Let's Encrypt https://letsencrypt.org/howitworks/ and make it work for my site on Openfshift without paying for certificate and also without paying additionally to the cloud service for hosting custom domain over SSL . Openshift still requires upgrade on paid plan, but it would not charge you additionally for SSL on your custom domain and as long as you use only 3 cartridge it is not going to charge you for anything. So basically I host my site over SSL for free. So the process stards with downloading the Let's Encrypt Tools (Command line tool). The Let's Encrypt tools are available only for Linux and they are prepared for on-premise web server automation, but not for the cloud.
Now the question is how to bring Let's Encrypt Certificate to my site which is hosted on Openshift.
So lets start with the actions ....
Please note again to have SSL over custom domain on Openshift you need a paid plan. It basically charges you 0 fee if you run only 3 cartage's. However it is the paid plan. You also need a Linux instance to run the Let's Encrypt tool. I am using Ubuntu virtual machine.
Step 1: Go on the how it works page https://letsencrypt.org/howitworks/ review it and then download the command line tool from GitHub.
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
Step 2: Since the tool is designed for automation on local web servers like Apache, we cannot benefit much from all the goodies, but however there is a manual way of generating certificates so we will generate them manually and upload them to the Openshift panel.
execute
sudo ./letsencrypt-auto certonly -a manual -d l2interlude.info -d www.l2interlude.info --server https://acme-v01.api.letsencrypt.org/directory
where "l2interlude.com" to be your domains. It may ask for root account permissions.
This is the first warning you will have to agree with:
If you agree the tool will generate some hashes for you to setup in your app so later Let's Encrypt service will access these hashes and verify that the domain and the app are yours so you can proceed with generating the certificates.
You will get two screens that look like the one bellow:
Make sure you setup routes and allow access over http for those hashes the Let's Encrypt Tool requires.
My flask code looks like this to ensure the Let's Encrypt service can access the endpoints and verify my app:
@app.route('/.well-known/acme-challenge/as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8', methods=['GET'])
def well_known_main():
try:
return 'as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
except:
abort(503)
@app.route('/.well-known/acme-challenge/47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4', methods=['GET'])
def well_known_www():
try:
return '47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
except:
abort(503)
I have two routes because I am validating two domains. The root domain @ and the www sub domain.
Redeploy the app with the new routs and hashes setup before to proceed with the Let's Encrypt tool and "Press ENTER to continue". Test if your new routs .
If everything has passed you have to open firefox or other web browses with root rights
sudo firefox
to be able to visually browse the certificates in Ubuntu.
Login your Openshift account and navigate to your app:
If your are on a paid plan you should be able to use setup the below fields.
click on the browse buttons and navigate to /etc/letsencrypt/live/l2interlude.info/ folder and upload the certificates. Bear in mind if you have not started firefox with root privileges you may not have assess to this folder.
Upload the certificates as follow: On SSL Certificate place fullchain.pem. On Certificate Private Key place privkey.pem.
Save and you should be done. Test by accessing your custom domain over https.
Cheers.