How to setup Let's Encrypt SSL Certificate on Openshift?

Recently I discovered that I can get a free SSL certificate from Let's Encrypt and make it work for my site on Openshift without paying for a certificate and without paying the cloud service extra for hosting a custom domain over SSL. Openshift still requires an upgrade to a paid plan, but it does not charge you extra for SSL on your custom domain, and as long as you use only 3 cartridges it is not going to charge you for anything. So basically I host my site over SSL for free.

The process starts with downloading the Let's Encrypt tools (a command line tool). The Let's Encrypt tools are available only for Linux and are prepared for on-premise web server automation, not for the cloud. Now the question is how to bring a Let's Encrypt certificate to my site, which is hosted on Openshift. So let's start with the actions.

Please note again: to have SSL over a custom domain on Openshift you need a paid plan. It charges you a 0 fee if you run only 3 cartridges, but it is still the paid plan. You also need a Linux instance to run the Let's Encrypt tool. I am using an Ubuntu virtual machine.

Step 1: Go to the "how it works" page, review it, and then download the command line tool from GitHub.

$ git clone
$ cd letsencrypt
$ ./letsencrypt-auto --help
Step 2: Since the tool is designed for automation on local web servers like Apache, we cannot benefit much from all the goodies, but there is a manual way of generating certificates, so we will generate them manually and upload them to the Openshift panel. Execute
sudo ./letsencrypt-auto certonly -a manual -d -d --server
where "" are your domains. It may ask for root account permissions. This is the first warning you will have to agree with. If you agree, the tool will generate some hashes for you to set up in your app; later the Let's Encrypt service will access these hashes and verify that the domain and the app are yours, so you can proceed with generating the certificates. You will get two screens that look like the one below. Make sure you set up routes and allow access over http for those hashes the Let's Encrypt tool requires. My flask code looks like this to ensure the Let's Encrypt service can access the endpoints and verify my app:

from flask import Flask

app = Flask(__name__)

# One route per challenge token. The body is the "key authorization" the
# Let's Encrypt tool printed: the token, a dot, and the account key thumbprint.
@app.route('/.well-known/acme-challenge/as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8', methods=['GET'])
def well_known_main():
    return 'as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200

@app.route('/.well-known/acme-challenge/47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4', methods=['GET'])
def well_known_www():
    return '47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
I have two routes because I am validating two domains: the root domain @ and the www subdomain. Redeploy the app with the new routes and hashes set up before proceeding with the Let's Encrypt tool and "Press ENTER to continue". Test your new routes. If everything has passed, you have to open Firefox or another web browser with root rights
sudo firefox
to be able to visually browse the certificates in Ubuntu. Log in to your Openshift account and navigate to your app. If you are on a paid plan you should be able to set up the fields below. Click on the browse buttons, navigate to the /etc/letsencrypt/live/ folder and upload the certificates. Bear in mind that if you have not started Firefox with root privileges you may not have access to this folder. Upload the certificates as follows: in SSL Certificate place fullchain.pem; in Certificate Private Key place privkey.pem. Save and you should be done. Test by accessing your custom domain over https. Cheers.
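As an added example (not the post's code), the two hard-coded Flask routes from Step 2 can be replaced by one table-driven handler that serves any token under /.well-known/acme-challenge/, answers 404 for anything that is not a known, well-formed token, and checks the table before you press ENTER. It uses only the standard library's WSGI server so it runs without Flask; the two token values are the ones from the post.

```python
import re
from http import HTTPStatus
from wsgiref.simple_server import make_server

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are unpadded base64url, so nothing else (e.g. "../") is accepted.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# token -> key authorization ("<token>.<account-key thumbprint>"), copied from the
# two routes in the post. Both share one thumbprint because one account key was used.
CHALLENGES = {
    "as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8":
        "as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q",
    "47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4":
        "47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q",
}

def acme_response(path, challenges=CHALLENGES):
    """Return (status, body) for a GET of `path`; anything not in the table is a 404."""
    if not path.startswith(ACME_PREFIX):
        return 404, ""
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.match(token) or token not in challenges:
        return 404, ""
    return 200, challenges[token]

def check_table(challenges=CHALLENGES):
    """Pre-flight check before 'Press ENTER to continue': every key authorization
    must begin with its own token, and all must carry the same account thumbprint."""
    thumbprints = set()
    for token, keyauth in challenges.items():
        head, _, thumb = keyauth.partition(".")
        if head != token or not TOKEN_RE.match(thumb):
            return False
        thumbprints.add(thumb)
    return len(thumbprints) == 1

def app(environ, start_response):
    """Minimal WSGI app standing in for Flask; the Flask version is one route on
    '/.well-known/acme-challenge/<token>' whose view returns acme_response()."""
    status, body = acme_response(environ.get("PATH_INFO", ""))
    start_response(f"{status} {HTTPStatus(status).phrase}",
                   [("Content-Type", "text/plain")])
    return [body.encode("ascii")]

if __name__ == "__main__":
    make_server("", 8080, app).serve_forever()  # http://localhost:8080/.well-known/...
```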
anonymous user | 18 Feb 2017

Thanks for a helpful article! One suggestion I'd make is to copy the cert files into somewhere accessible by the logged in user (and chmod them if necessary) so that you don't have to run your web browser as root. That seems like a serious security issue, and unnecessary.