Step 2: Since the tool is designed for automation on local web servers like Apache, we cannot benefit much from all the goodies. There is, however, a manual way of generating certificates, so we will generate them manually and upload them to the OpenShift panel. Execute:
$ git clone https://github.com/letsencrypt/letsencrypt
$ cd letsencrypt
$ ./letsencrypt-auto --help
$ sudo ./letsencrypt-auto certonly -a manual -d l2interlude.info -d www.l2interlude.info --server https://acme-v01.api.letsencrypt.org/directory

where "l2interlude.com" is to be replaced with your domains. It may ask for root account permissions. This is the first warning you will have to agree to:

If you agree, the tool will generate some hashes for you to set up in your app, so that the Let's Encrypt service can later access these hashes and verify that the domain and the app are yours, and you can proceed with generating the certificates. You will get two screens that look like the one below:

Make sure you set up routes and allow access over http for the hashes the Let's Encrypt tool requires. My Flask code looks like this, to ensure the Let's Encrypt service can access the endpoints and verify my app:

from flask import Flask, abort

app = Flask(__name__)

# Challenge response for the root domain
@app.route('/.well-known/acme-challenge/as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8', methods=['GET'])
def well_known_main():
    try:
        return 'as0OmLmtfajtcquH2i2ZTdvOAC_aflyaOdyyqoEfbc8.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
    except Exception:
        abort(503)

# Challenge response for the www subdomain
@app.route('/.well-known/acme-challenge/47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4', methods=['GET'])
def well_known_www():
    try:
        return '47oNbyTy6QJO_sXy8ZZ_7OXwetuQcLBzvWaAY6hbpd4.fDgNHUUOZuy0G4NuUUMLK9T83QRQlyOyS7v6gXksY4Q', 200
    except Exception:
        abort(503)

I have two routes because I am validating two domains: the root domain @ and the www subdomain. Redeploy the app with the new routes and hashes set up before proceeding with the Let's Encrypt tool and "Press ENTER to continue". Test if your new routes . If everything has passed, you have to open Firefox or another web browser with root rights to be able to visually browse the certificates in Ubuntu.

Log in to your OpenShift account and navigate to your app: If you are on a paid plan you should be able to set up the fields below. Click on the browse buttons, navigate to the /etc/letsencrypt/live/l2interlude.info/ folder and upload the certificates. Bear in mind that if you have not started Firefox with root privileges you may not have access to this folder. Upload the certificates as follows: On SSL Certificate place fullchain.pem. On Certificate Private Key place privkey.pem. Save and you should be done. Test by accessing your custom domain over https. Cheers.
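The route test that the article asks for before pressing ENTER can be scripted. The following is an added example, not code from the original post: it fetches each challenge URL over plain HTTP and compares the body with the value the tool printed. The names http_get, check_body and preflight are hypothetical, and the format checks assume the "<token>.<thumbprint>" layout seen in the route bodies above.

```python
import re
import urllib.request

# Tokens and thumbprints are unpadded base64url; a SHA-256 thumbprint is 43 chars.
B64URL = re.compile(r"[A-Za-z0-9_-]+")

def http_get(url, timeout=10):
    """Default fetcher: plain-HTTP GET returning (status, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("ascii", "replace")

def check_body(token, expected, body):
    """Return the problems found in one challenge response (empty list = OK)."""
    served = body.rstrip()  # assumption: trailing whitespace is ignored
    problems = []
    if not B64URL.fullmatch(token):
        problems.append("token has characters outside base64url")
    parts = served.split(".")
    if len(parts) != 2 or parts[0] != token:
        problems.append("body is not '<token>.<thumbprint>'")
    elif len(parts[1]) != 43 or not B64URL.fullmatch(parts[1]):
        problems.append("thumbprint is not 43 base64url characters")
    if served != expected:
        problems.append("body differs from the value the tool printed")
    return problems

def preflight(challenges, fetch=http_get):
    """challenges: {domain: (token, expected_body)} -> {domain: [problems]}."""
    report, thumbprints = {}, set()
    for domain, (token, expected) in challenges.items():
        url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
        try:
            status, body = fetch(url)
        except OSError as exc:  # DNS failure, refused connection, HTTP 4xx/5xx
            report[domain] = ["request failed: %s" % exc]
            continue
        report[domain] = check_body(token, expected, body)
        if status != 200:
            report[domain].insert(0, "HTTP status %s" % status)
        thumbprints.add(expected.rpartition(".")[2])
    if len(thumbprints) > 1:  # one account key yields one thumbprint per run
        report["*"] = ["expected values carry different thumbprints"]
    return report

if __name__ == "__main__":
    # Constructed sample: a stub fetcher stands in for the deployed app.
    token, thumb = "tok_EXAMPLE-1", "A" * 43
    stub = lambda url: (200, token + "." + thumb + "\n")
    print(preflight({"example.test": (token, token + "." + thumb)}, fetch=stub))
```

An empty problem list for every domain means the redeployed routes answer exactly as the tool expects; any entry should be resolved before continuing.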
Thanks for a helpful article! One suggestion I'd make is to copy the cert files into somewhere accessible by the logged in user (and chmod them if necessary) so that you don't have to run your web browser as root. That seems like a serious security issue, and unnecessary.