Manually Renewing HTTPS w/ Let's Encrypt

Intro

A while back, I rolled a personal project, which is a Node app, to Bluemix for lightweight use. I managed to make use of Let's Encrypt for the HTTPS certificate, but only after realizing that there was a bit of a manual aspect to it that is the antithesis of an automated script for such things. Ultimately, after finding some information in a blog post from Marky Roden (of all people), I was able to get moving. The only downside wound up being that time passed, and it came time to renew the certificate before my 90 days were up. Thankfully, I had done some minor documenting of the steps I took, which made updating the HTTPS certificate a bit easier. What follows is some of how I configured my application for easier implementation.

The .well-known/acme-challenge Route

As part of the validation process, the Let's Encrypt CA needs to "call home" to your server, fetching a token over plain HTTP at a path it dictates, to verify that you actually control the domain you're requesting a certificate for. The exact command I ran with certbot-auto followed the format of:

# lines broken apart for readability
./certbot-auto certonly \
--manual \
--email <my.email@some.com> \
-d <my-domain-name> --agree-tos

*note: you can add --dry-run to the end to... perform a "dry run" (the challenge runs against the Let's Encrypt staging environment and no real certificate is issued, so it won't count against rate limits)

Here's what it looks like when I ran the certbot-auto script:

certbot challenge and response

Marky's example shows a handler established in his Node + Express app, providing a response on the given relative path of <domain>/.well-known/acme-challenge/<uuid-string>. Hard-coding those values is something that would require manual updating of the code base on every renewal, so it's naturally the first thing I removed. This was a perfect job for a pair of environment variables, in my opinion. I implemented it in the code as such:

// ACME HTTP-01 challenge route; the path token and the expected response
// both come from environment variables, so nothing is hard-coded per renewal
app.get('/.well-known/acme-challenge/' + process.env.LETS_ENCRYPT_ROUTE,
  function(req, res){
    // certbot tells you the exact string to serve back at this path
    res.send(process.env.LETS_ENCRYPT_VERIFICATION);
  });

This means that so long as my Node app can resolve the LETS_ENCRYPT_ROUTE and LETS_ENCRYPT_VERIFICATION values accordingly, I'm in business. This is done rather easily via the "Environment Variables" page of my application's dashboard, in the "user defined" tab.

user defined environment variables

Once this is all done, you can replace the certificates for the custom domain with the freshly generated certificates. I added my certificate files (.pem) as the screenshot shows, and it looks good in both the Bluemix dashboard and my Chrome inspector.

replacing the certificates

certificate confirmed on Bluemix

new certificate confirmed in Chrome

Sequence of Events

Generally speaking, the steps to take, in order, are:

  • ensure you have the certbot script on the machine you'll be generating the certificates on
  • ensure your custom domain is set up
  • log into your Bluemix dashboard and go to your environment variables to update with values from the certbot script
  • run the certbot script, obtain the values for the URL path and the response value
  • enter those as the corresponding environment variables (allow for the app to restart, as needed)
  • continue the certbot script, which should now successfully validate

One Hiccup

A strange hiccup I encountered was what I believe to be a false positive in regards to my deletion of the existing (old) certificate. After a few tries, or a minor passage of time, it all rectified itself.

delete certificate timeout

Thoughts

Since Let's Encrypt is now by all accounts widely successful, with over 5 million certificates issued, I can't help but wonder how easy this should be on any modern PaaS, such as Bluemix. Gone are the days of needing to pay lots of money for an HTTPS certificate, so the automation, configuration, and management of HTTPS certificates on behalf of the user should be a minor formality, not to mention useful. Do note, Bluemix does have a wildcard HTTPS certificate which applies to any of its .mybluemix.net addresses, so this is unique to custom domains.

Bluemix wildcard cert

One Last Call For MWLUG

MWLUG 2016 is nearly here. If you're able to, I really recommend coming to the event, as there are a great many people with a passion for what they do, who are looking to share. It's been a great event each time I've had the pleasure to attend and I'm glad to be going back, and speaking.

You can find me on Friday, the 19th of August, in Ballroom D, from 1:30pm - 2:30pm. It's my aim to expand a bit on the theme I've settled on over the last year, which is a combination of best practices for stability, maintenance, and documentation, along with the incorporation of front-end tooling to enhance the developer's workflow (full abstract below) and ease the task of multi-platform development capabilities. I hope to see you there! 🍻

BP101: A Modernized Developer's Workflow with Domino/XPages

Watch, listen, and feel free to follow along with a full-stack approach to how to build better applications with Domino/XPages: MVC principles in action in the back-end, RESTful API creation, along with advanced framework implementation in the front-end, with advanced tooling to help automate our coding process, unit tests, and even the ability to mock the back-end for front-end development outside of Domino Designer. This session seeks to help developers advance their workflow and produce higher quality, more performant and optimized applications with the Domino server they already have and the modern front-end tooling they want to incorporate.