
Letsencrypt on Openshift

If you really wanted to know you'd have found it, but for what it's worth, this site now runs on Red Hat's OpenShift platform. For a while I've been thinking I should get an SSL cert for the site. Not because of any security concern, but because Google and the like rank sites higher if they are HTTPS and, well, this is nonfunctionalarchitect.com and security is a kind of 'thing', if you know what I mean. But certs cost £s (or $s or €s or whatever). Not real pricey, but still, I can think of other things to spend £50 on.

But hello!, along comes letsencrypt.org. A service allowing you to create SSL certs for free! Now in public beta. Whoo hooo!

It isn't particularly pretty at the moment and certs only last 90 days, but it seems to work ok. For OpenShift's WordPress gear you can't really do much customization (and probably don't want to), so installing letsencrypt on that looks messier than I'd like. Fortunately you can create a cert offline with letsencrypt and upload it to WordPress. Steps in a nutshell:

  1. Install letsencrypt locally. Use a Linux server or VM preferably.

  2. Request a new manual cert.

  3. Upload the specified file to your site.

  4. Complete cert request.

  5. Upload certificate to openshift.


Commands:

  1. Install letsencrypt:

    1. git clone https://github.com/letsencrypt/letsencrypt
    2. cd letsencrypt

  2. Request a new manual cert:

    1. ./letsencrypt-auto --agree-dev-preview -d <your-full-site-name> --server https://acme-v01.api.letsencrypt.org/directory -a manual auth -v --debug

  3. This command will pause to allow you to create a file and upload it to your website. The file needs to be placed in the /.well-known/acme-challenge folder and has a nice random/cryptic base-64 encoded name (and what appears to be a JWT token as contents). This is provided on screen and mine was called something like KfMsKDV_keq4qa5gkjmOsMaeKN4d1C8zB3W8CnwYaUI with the contents something like KfMsKDV_keq4qa5gkjmOsMaeKN4d1C8zB3W8CnwYaUI.6Ga6-vVZqcFb83jWx7pprzJuL09TQxU2bwgclQFe39w (except that's not the real one...). To upload this to an OpenShift WordPress gear site:

    1. SSH to the container. The address can be found on the application page on OpenShift.

    2. Make a .well-known/acme-challenge folder in the webroot, which can be done on the WordPress gear after SSHing in:


      1. cd app-root/data/current
      2. mkdir .well-known
      3. mkdir .well-known/acme-challenge
      4. cd .well-known/acme-challenge

    3. Create the file with the required name/content in this location (e.g. with vi):

      1. vi KfMsKDV_keq4qa5gkjmOsMaeKN4d1C8zB3W8CnwYaUI




    4. Once uploaded and you're happy to continue, press ENTER back on the letsencrypt command as requested. Assuming this completes and manages to download the file you just created, you'll get a response that all is well and the certificate and key will have been created.

    5. To upload these certs to your site (from /etc/letsencrypt/live/<your-site-name>/ locally), go to the OpenShift console > Applications > <your-app> > Aliases and click edit. This will allow you to upload the cert, chain and private key files. Note that no passphrase is required. You need to use fullchain.pem as the SSL cert on Openshift.com and leave the cert chain blank. If you don't do this then some browsers will work but others such as Firefox will complain bitterly...

    6. Save this and after a few mins you'll be done.

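The file created in step 3 and fetched by Let's Encrypt in step 4 is an ACME HTTP-01 challenge: its name is the token and its contents are the key authorization, i.e. the token, a dot, and the RFC 7638 thumbprint of your account key (not a JWT). The example below, added here and not part of the original post or the letsencrypt client, rebuilds that value and checks the file in the webroot before you press ENTER; the token and the (far too short) modulus in SAMPLE_JWK are constructed placeholders.

```python
import base64
import hashlib
import json
import os
import tempfile

def b64url(data: bytes) -> str:
    # base64url without padding, the encoding ACME uses everywhere
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the canonical JSON of the required RSA members
    # (e, kty, n), keys in lexicographic order, no whitespace
    required = {"e": jwk["e"], "kty": jwk["kty"], "n": jwk["n"]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # what the challenge file must contain: <token>.<account key thumbprint>
    return f"{token}.{jwk_thumbprint(jwk)}"

def write_challenge_file(webroot: str, token: str, jwk: dict) -> str:
    # equivalent of the mkdir/vi steps: .well-known/acme-challenge/<token>
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(key_authorization(token, jwk))
    return path

def verify_challenge_file(webroot: str, token: str, jwk: dict) -> bool:
    # the check to run before pressing ENTER: file present, contents exact
    # (trailing whitespace left by an editor is tolerated; the CA ignores it)
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return fh.read().strip() == key_authorization(token, jwk)

# Constructed sample values: a placeholder token and a fake, far-too-short
# modulus, not a real account key.
SAMPLE_TOKEN = "KfMsKDV_keq4qa5gkjmOsMaeKN4d1C8zB3W8CnwYaUI"
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy"}

def self_check(webroot=None) -> tuple:
    # write the sample file, then verify it against the right account key
    # and against a different one (which must fail)
    webroot = webroot or tempfile.mkdtemp()
    write_challenge_file(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
    good = verify_challenge_file(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
    bad = verify_challenge_file(webroot, SAMPLE_TOKEN, dict(SAMPLE_JWK, e="AQAC"))
    return good, bad
```

On the gear itself you would point the webroot at app-root/data/current and take the token and account key from what the client prints, then run verify_challenge_file before confirming.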
Once done, you can access the site via a secure HTTPS connection, and you should see a nice secure icon showing that the site is now protected with a valid cert :)

Details of letsencrypt.org supported browsers are on their website.

Good luck!


Comments

  1. Having just had to walk a supposedly IT literate client team through the whole process of buying and installing a certificate, this is the kind of post that I needed three months ago! Another great post, Mr NFA!

  2. Thank you a lot for this post! :-) I'm going to deploy a Node app on Openshift soon and I've successfully created a cert with the help of two great blog posts, including this one of yours. It's really awesome that anyone can do it now. I had a thought to use a free StartSSL cert and even registered earlier today, but my experience wasn't pleasant from the beginning: they refused to issue a cert, saying it's been only two days since I bought a domain name and I should come back "tomorrow". Then I read a Wikipedia article about them and it kinda scared me off.
    However, I think I messed up by adding only the www subdomain (as Openshift requires a CNAME record pointing to a *rhcloud.com app). Do you think it's ok or should I re-run the procedure and add the root domain as well? I'm asking 'cause I'm not really an expert in web domain stuff and it's the first time I've taken care of SSL.

  3. I think you should be ok with SSL certs for just the subdomains and I don't believe letsencrypt will provide wildcard SSL certs to cover the root domain and all subs.
