How to setup Let's Encrypt SSL Certificate on Openshift?
Recently I discovered that I can get a free SSL certificate from Let's Encrypt https://letsencrypt.org/howitworks/ and make it work for my site on Openfshift without paying for certificate and also without paying additionally to the cloud service for hosting custom domain over SSL . Openshift still requires upgrade on paid plan, but it would not charge you additionally for SSL on your custom domain and as long as you use only 3 cartridge it is not going to charge you for anything. So basically I host my site over SSL for free. So the process stards with downloading the Let's Encrypt Tools (Command line tool). The Let's Encrypt tools are available only for Linux and they are prepared for on-premise web server automation, but not for the cloud.
Now the question is how to bring Let's Encrypt Certificate to my site which is hosted on Openshift.
So lets start with the actions ....
Please note again to have SSL over custom domain on Openshift you need a paid plan. It basically charges you 0 fee if you run only 3 cartage's. However it is the paid plan. You also need a Linux instance to run the Let's Encrypt tool. I am using Ubuntu virtual machine.
Step 1: Go on the how it works page https://letsencrypt.org/howitworks/ review it and then download the command line tool from GitHub.
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
execute
sudo ./letsencrypt-auto certonly -a manual -d l2interlude.info -d www.l2interlude.info --server https://acme-v01.api.letsencrypt.org/directory
If you agree the tool will generate some hashes for you to setup in your app so later Let's Encrypt service will access these hashes and verify that the domain and the app are yours so you can proceed with generating the certificates.
You will get two screens that look like the one bellow:
Make sure you setup routes and allow access over http for those hashes the Let's Encrypt Tool requires.
My flask code looks like this to ensure the Let's Encrypt service can access the endpoints and verify my app:
@app.route('/.well-known/acme-challenge/as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8', methods=['GET'])
def well_known_main():
try:
return 'as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
except:
abort(503)
@app.route('/.well-known/acme-challenge/47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4', methods=['GET'])
def well_known_www():
try:
return '47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
except:
abort(503)
If everything has passed you have to open firefox or other web browses with root rights
sudo firefox
If your are on a paid plan you should be able to use setup the below fields.
click on the browse buttons and navigate to /etc/letsencrypt/live/l2interlude.info/ folder and upload the certificates. Bear in mind if you have not started firefox with root privileges you may not have assess to this folder.
Upload the certificates as follow: On SSL Certificate place fullchain.pem. On Certificate Private Key place privkey.pem.
Save and you should be done. Test by accessing your custom domain over https.
Cheers.
Comments
anonymous user
| 18 Feb 2017
Thanks for a helpful article! One suggestion I'd make is to copy the cert files into somewhere accessible by the logged in user (and chmod them if necessary) so that you don't have to run your web browser as root. That seems like a serious security issue, and unnecessary.