
How do I set up an OpenShift app to work with Let's Encrypt?

NB: OpenShift does not work with a simple Python web server approach; you need to use the correct port and bind to the correct IP address. Also, the app/gear does not necessarily have an HTML root.

(A question to which I will post an answer below.)


5 Answers

13

First, vote here so that OpenShift makes 'Let’s Encrypt' their priority.

My steps will be valid for Django apps, but with small changes you can make them work on any OpenShift gear.
Generate the certificate on your localhost/notebook/PC:

  1. git clone https://github.com/letsencrypt/letsencrypt to your local computer.
  2. cd letsencrypt
  3. ./letsencrypt-auto -a manual -d example.com -d www.example.com
    Now you will be asked to confirm your domain ownership.
  4. In your app, make sure example.com/.well-known/acme-challenge/{some hash} returns the required hash. In Django you can add this line to urls.py:

    # escape the dot: an unescaped '.' would match any character
    url(r'^\.well-known/acme-challenge/.*', views.https_confirmation, name="https_confirmation"),


    and this to views.py:

    from django.http import HttpResponse

    def https_confirmation(request):
        # return the challenge response Let's Encrypt expects for the requested hostname
        if request.META['HTTP_HOST'] == 'www.example.com':
            return HttpResponse("fqTGI3nUiYnelm...", content_type="text/plain")
        else:  # naked domain example.com
            return HttpResponse("HASH for example.com", content_type="text/plain")


    If your ACME confirmation pages do not show, restart the OpenShift app.

  5. Just upload the created certificates from /etc/letsencrypt/archive/example.com in the OpenShift web console: fullchain.pem as SSL Certificate and privkey.pem as Certificate Private Key.

That is it; now you should get an A rating on ssllabs.com.
Also, to require the Django app to use HTTPS, set these:

  1. In settings.py:

    if not DEBUG:
        # only send the session and CSRF cookies over HTTPS
        SESSION_COOKIE_SECURE = True
        CSRF_COOKIE_SECURE = True
    
  2. Create the file wsgi/.htaccess and put these lines there:

    RewriteEngine on
    # redirect requests that reached the proxy over plain HTTP to the same URL under https
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    
  3. Enable HTTPS for WSGI - in the file wsgi/application:

    import os

    # make django aware that SSL is turned on
    os.environ['HTTPS'] = "on"
    

That should be all :) You need to repeat these steps when renewing certificates, so every 90 days (60 days is better, so you do not end up having problems on the last possible day). These are pretty annoying steps, so let's hope (and vote) that OpenShift implements Let's Encrypt soon!
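As an added example (not code from Lucas03's answer), here is the same HTTPS enforcement done in one place as WSGI middleware instead of the wsgi/.htaccess rewrite plus the os.environ['HTTPS'] = "on" trick: requests whose X-Forwarded-Proto is not https are redirected to the https URL, and requests that did arrive over HTTPS are passed through with wsgi.url_scheme set to "https" so the framework treats them as secure. The hostnames, paths and environ dicts are constructed for the demo. The middleware assumes, exactly as the .htaccess rule does, that every request reaches the gear through a proxy that sets X-Forwarded-Proto; if clients could reach the app directly they could send that header themselves and skip the redirect.

```python
from urllib.parse import quote


class ForceHTTPS:
    """WSGI middleware replacing the .htaccess redirect and os.environ['HTTPS'].

    Requests the proxy received over plain HTTP (X-Forwarded-Proto != https)
    are redirected to the same URL under https://. Requests that did arrive
    over HTTPS are passed through with wsgi.url_scheme = "https", so the app
    (Django's request.is_secure(), secure cookies, ...) knows TLS was used.
    """

    def __init__(self, app, permanent=True):
        self.app = app
        self.redirect_status = "301 Moved Permanently" if permanent else "302 Found"

    @staticmethod
    def forwarded_proto(environ):
        # WSGI exposes the X-Forwarded-Proto header as HTTP_X_FORWARDED_PROTO.
        # Assumption: only the gear's proxy can set it (clients never reach the
        # app directly); otherwise a client could forge "https" and skip the redirect.
        return environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()

    def __call__(self, environ, start_response):
        if self.forwarded_proto(environ) != "https":
            # Same URL the client asked for (REQUEST_URI = SCRIPT_NAME + PATH_INFO
            # plus the query string), rebuilt under https, like the RewriteRule.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
            query = environ.get("QUERY_STRING", "")
            location = "https://%s%s%s" % (host, path, ("?" + query) if query else "")
            body = b"Redirecting to HTTPS\n"
            start_response(self.redirect_status, [
                ("Location", location),
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # The os.environ['HTTPS'] = "on" equivalent, scoped to this request only.
        environ["wsgi.url_scheme"] = "https"
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Minimal app that reports the scheme it believes it was reached over."""
    body = ("scheme=%s" % environ["wsgi.url_scheme"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ):
    """Invoke a WSGI app on an environ; return (status, headers dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def make_environ(proto, host="www.example.com", path="/admin/", query="next=%2F"):
    """Constructed WSGI environ resembling a request relayed by the gear's proxy."""
    env = {
        "REQUEST_METHOD": "GET",
        "SERVER_NAME": host,
        "SERVER_PORT": "8080",
        "SCRIPT_NAME": "",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "wsgi.url_scheme": "http",  # the proxy talks plain HTTP to the gear
        "HTTP_HOST": host,
    }
    if proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = proto
    return env


app = ForceHTTPS(demo_app)

if __name__ == "__main__":
    print(call(app, make_environ("http")))   # 301 to https://www.example.com/admin/?next=%2F
    print(call(app, make_environ("https")))  # 200, body scheme=https
```

In wsgi/application you would wrap the Django application object (`application = ForceHTTPS(get_wsgi_application())`) in place of the .htaccess rules; a missing header is treated the same as a non-https one, so a request that somehow bypasses the proxy is still redirected rather than served.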

4

The answer by Lucas03 is good; I'd just like to add a general comment.

Assumptions: You have at least a Bronze OpenShift account, which allows a custom domain. This is working normally and you can access your site (without HTTPS) at http://www.testdomain.com.

We need to follow the manual process. Those who are new to certificates, like me, may not be clear on the general concepts.

Let's Encrypt needs to confirm you control the domain before they issue a certificate. This means putting temporary files on the server that hosts your site. Let's Encrypt then checks for these and issues a certificate.

In the manual process the temporary files get downloaded to your local pc first. Then you manually put the files in the correct location on the server. These text files must be viewable via your site or the process will fail.

Because of the variety of applications using OpenShift you will see different software stacks being used, e.g. http://velin-georgiev-blog.appspot.com/blog/details/5707532110659584 refers to Flask, and "How to set up Openshift with let's encrypt (letsencrypt)" by Lucas03 refers to Django.

If you can display the temporary files on www.testdomain.com using your browser you can probably ignore the software stack and stick with what you know.

3

Assuming the application is called https and the domain name for the certificate is www.example.com.

First (if not done already), install the rhc tools: https://developers.openshift.com/en/managing-client-tools.html

Second (if not done already), set up the CNAME record with your DNS provider; see developers.openshift.com/en/managing-domains-ssl.html. Test that www.example.com (http) works and directs to your OpenShift application before proceeding.

Third, log into your application

rhc ssh -a https

From the application, install the Simple Let's Encrypt Client and bring some of the needed Python packages up to date

pip install git+https://github.com/kuba/simp_le
pip install --upgrade six
pip install --upgrade setuptools

Now stop the application (gear) and set up a python2 web server with the correct port and correct IP [$OPENSHIFT_PYTHON_IP & $OPENSHIFT_PYTHON_PORT].

(Note this is a one-liner in Python 3.4, python -m http.server $OPENSHIFT_PYTHON_PORT --bind $OPENSHIFT_PYTHON_IP, but OpenShift at the time of writing has only Python 3.2 or Python 2. So a simple 17-line Python script is needed.)

gear stop
mkdir -p /tmp/http/.well-known/acme-challenge
cd /tmp/http
wget https://gist.githubusercontent.com/bmsleight/bc34254eed0ee458738e/raw/61110fe6e3980f0c6a401acae93f221f56b1eced/simple_acme_server.py
python2 simple_acme_server.py &

Go to the data directory, a good place to store the certificates, and let simp_le work its magic

cd ~/app-root/data/
simp_le --email [email protected] -f account_key.json   -f fullchain.pem -f key.pem   -d www.example.com --default_root /tmp/http 

Assuming no errors, stop the python2 web server, restart the application/gear and exit the OpenShift server

killall python2
gear start
exit

Fourth: the uploading of the certificates and keys must be done outside of the application, so from your local machine grab a copy and then upload them (yes, scp is the wrong way around - RTFM)

rhc scp -a https download ./ ./app-root/data/fullchain.pem
rhc scp -a https download ./ ./app-root/data/key.pem
rhc alias update-cert https www.example.com --certificate fullchain.pem --private-key key.pem

Fifth: show some love at letsencrypt.org

  • Good answer, but I think it would be clearer to do this for an app with a different name. Naming your app https and using the protocol https makes it unnecessarily confusing.
    – RonaldB, Apr 8, 2016 at 19:23
  • Is there a way to set the certificate and the key server-side? rhc alias update-cert doesn't work server-side.
    – Flimm, Jun 23, 2016 at 11:36
  • It is not working unless the "Bronze" plan was subscribed. It was mentioned in "Assumptions" of johnc's answer.
    – Jul 21, 2016 at 0:15
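As an added example (not bmsleight's gist, which this page does not reproduce), here is a Python 3 version of the challenge-only web server the answer describes: it binds to the address and port the gear hands out in $OPENSHIFT_PYTHON_IP and $OPENSHIFT_PYTHON_PORT, serves only /.well-known/acme-challenge/<token> out of a document root such as /tmp/http (the directory simp_le's --default_root writes into), and answers 404 to everything else, including "tokens" containing `..`. The token name, thumbprint string and temporary root used by demo() are constructed for the demo; the serving logic is the same as what would run on the gear.

```python
import http.client
import os
import re
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url characters only, so anything else ("..", "/", "%") is refused.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def resolve_challenge(root, request_path):
    """Map a request path to the challenge file under root, or None if it is not one.

    Validating the token against TOKEN_RE instead of joining the raw path onto
    root is what keeps directory traversal (../../etc/passwd) out.
    """
    path = request_path.split("?", 1)[0]
    if not path.startswith(CHALLENGE_PREFIX):
        return None
    token = path[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.match(token):
        return None
    return os.path.join(root, ".well-known", "acme-challenge", token)


class ChallengeHandler(BaseHTTPRequestHandler):
    root = "/tmp/http"  # replaced per server by make_server()

    def do_GET(self):
        target = resolve_challenge(self.root, self.path)
        if target is None or not os.path.isfile(target):
            self.send_error(404)
            return
        with open(target, "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the gear's terminal free for simp_le's own output


def make_server(root, host, port):
    """Server bound to host:port that serves challenges from root only."""
    handler = type("BoundChallengeHandler", (ChallengeHandler,), {"root": root})
    return HTTPServer((host, port), handler)

def serve_in_background(root, host="127.0.0.1", port=0):
    """Start a server on a daemon thread; return (server, bound_port)."""
    server = make_server(root, host, port)
    thread = threading.Thread(target=server.serve_forever)
    thread.daemon = True
    thread.start()
    return server, server.server_address[1]

def write_challenge(root, token, key_authorization):
    """Create <root>/.well-known/acme-challenge/<token>, as simp_le does."""
    directory = os.path.join(root, ".well-known", "acme-challenge")
    if not os.path.isdir(directory):
        os.makedirs(directory)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(key_authorization)

def fetch(port, path, host="127.0.0.1"):
    """GET path from the local server; return (status, body_text)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, body

def demo():
    """Constructed run: one token in a temp root, then a valid, a traversal and a stray request."""
    root = tempfile.mkdtemp()
    write_challenge(root, "tok_123-abc", "tok_123-abc.CONSTRUCTED_THUMBPRINT")
    server, port = serve_in_background(root)
    try:
        return {
            "valid": fetch(port, CHALLENGE_PREFIX + "tok_123-abc"),
            "traversal": fetch(port, CHALLENGE_PREFIX + "../../etc/passwd"),
            "elsewhere": fetch(port, "/index.html"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # On a gear (after cd /tmp/http): python3 simple_acme_server.py &
    make_server(os.getcwd(),
                os.environ.get("OPENSHIFT_PYTHON_IP", "127.0.0.1"),
                int(os.environ.get("OPENSHIFT_PYTHON_PORT", "8080"))).serve_forever()
```

On the gear this takes the place of the wget'ed script in the answer's sequence (run it from /tmp/http after gear stop, point simp_le's --default_root at the same directory, and kill it before gear start); because it is Python 3, stop it with kill on its PID or killall python3 rather than killall python2.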
2

The answers above are correct but somewhat complicated. I found the answer below the simplest; do give it a try. Referring to Let's Encrypt on OpenShift:

Assuming that you have letsencrypt installed, create a new folder, say "ssl". Create config, work and logs dirs in the "ssl" folder. Then run the letsencrypt command.

$ mkdir ssl
$ cd ssl
$ mkdir config work logs
$ letsencrypt --text --email [email protected] --domains www.mydomain.com,mydomain.com,foo.mydomain.com --agree-tos --renew-by-default --manual certonly --config-dir ./config/ --work-dir ./work/ --logs-dir ./logs/

It instructs you to upload a file to your OpenShift deployment. Once you've uploaded it, you can proceed and the certificates will be at your disposal. Nice and easy.

Also, make sure your endpoints are deployed on the "http" protocol and not "https". Otherwise letsencrypt will throw an error that it already has a certificate. :-)

  • Is there a way to automate renewals?
    – Flimm, Jun 23, 2016 at 11:36
  • For this kind of certificate, where it is generated on one machine and used on another machine, I couldn't find a proper way of renewing certificates automatically.
    – sbharti, Jul 2, 2016 at 11:57
2

If deploying on OpenShift V3+, have a look at https://github.com/ibotty/openshift-letsencrypt for automated letsencrypt certificate management on exposed routes.

  • This was posted as an answer, but it does not attempt to answer the question. It should possibly be an edit, a comment, another question, or deleted altogether.
    – Jun 3, 2017 at 6:28
  • It is still useful information, as it addresses the question for those who may be using OpenShift 3, whereas the other answers are for OpenShift 2. How it is done for each version is very different. Since the original question doesn't say which version, and things have now changed to OpenShift 3, you will inevitably get people coming here and getting confused if we don't provide a solution for OpenShift 3.
    – Jun 3, 2017 at 7:35
