How to set up Openshift with let's encrypt (letsencrypt)

How do I set up an Openshift app to work with Let's Encrypt?

NB: Openshift does not work with a simple Python webserver approach to serving; you need to use the correct port and bind to the correct IP address. Also, the app/gear does not necessarily have an HTML root.

(A question which I will post an answer below.)

Brendan Sleight asked Jan 30 '16 18:01

2 Answers

First, vote here so that OpenShift makes 'Let’s Encrypt' their priority.

My steps are valid for Django apps, but with small changes you can make them work on any OpenShift gear.
Generate the certificate on your localhost/notebook/PC:

  1. git clone https://github.com/letsencrypt/letsencrypt to your local computer.
  2. cd letsencrypt
  3. ./letsencrypt-auto -a manual -d example.com -d www.example.com
     Now you will be asked to confirm your domain ownership.
  4. In your app, make sure example.com/.well-known/acme-challenge/{some hash} returns the required hash. In Django you can add this line to urls.py:

    from django.conf.urls import url
    from . import views

    # Any token under the ACME challenge path is handled by one view.
    url(r'^\.well-known/acme-challenge/.*', views.https_confirmation, name="https_confirmation"),
    

    and this to views.py:

    from django.http import HttpResponse

    def https_confirmation(request):
        # The CA requests each name separately, so pick the token by Host header.
        if request.META.get('HTTP_HOST') == 'www.example.com':
            return HttpResponse("fqTGI3nUiYnelm...", content_type="text/plain")
        else:  # naked domain example.com
            # placeholder: put the value Let's Encrypt asked you to serve for example.com here
            return HttpResponse("HASH pre example.com", content_type="text/plain")
    

    If your ACME confirmation page does not show, restart the OpenShift app.

  5. Just upload the created certificates from /etc/letsencrypt/archive/example.com to the OpenShift web console: fullchain.pem as SSL Certificate and privkey.pem as Certificate Private Key.

That is it, now you should get an A rating on ssllabs.com.
Also, to require the Django app to use HTTPS, set these:

  1. In settings.py:

    if not DEBUG:
        # only send the session and CSRF cookies over HTTPS
        SESSION_COOKIE_SECURE = True
        CSRF_COOKIE_SECURE = True
    
  2. Create file wsgi/.htaccess and put these lines there:

    RewriteEngine on
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
    
  3. Enable HTTPS for WSGI - in file wsgi/application:

    import os

    # make django aware that SSL is turned on
    os.environ['HTTPS'] = "on"
    

That should be all :) You need to repeat these steps when renewing certificates, so every 90 days (60 days is better, so you do not end up having problems on the last possible day). These are pretty annoying steps, so let's hope (and vote) OpenShift will implement Let's Encrypt soon!

Lucas03 answered Sep 20 '22 21:09
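The answer above hard-codes the challenge response into a Django view and relies on an .htaccess rewrite for the HTTPS redirect. As an added example that is not part of the original answer, here is a framework-free, standard-library-only WSGI app that serves the same HTTP-01 challenge and does the same X-Forwarded-Proto redirect. It also shows where the "required hash" actually comes from: the body the CA expects is the key authorization `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key (RFC 8555, section 8.1). All names (`handle`, `app`, `PENDING_TOKENS`, `ACCOUNT_JWK`, `ALLOWED_HOSTS`), the sample JWK and the token values are constructed for the example, and the `OPENSHIFT_PYTHON_IP`/`OPENSHIFT_PYTHON_PORT` variable names are assumed from the OpenShift v2 Python cartridge.

```python
"""HTTP-01 challenge responder plus proxy-aware HTTPS redirect (stdlib only)."""
import base64
import hashlib
import json
import os
import re
from typing import Dict, Tuple
from wsgiref.simple_server import make_server

# Constructed sample ACME account key in JWK form. This is NOT a real key;
# the thumbprint depends only on the canonical JSON of the listed members.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-sample-modulus-not-a-real-key",
}

# Hostnames this gear is allowed to answer for, and the challenge token the CA
# issued for each (constructed values; the real ones come from the ACME client).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
PENDING_TOKENS: Dict[str, str] = {
    "www.example.com": "cons-token-for-www",
    "example.com": "cons-token-for-naked",
}

# ACME tokens are base64url, so the path is matched strictly, dot escaped.
CHALLENGE_PATH = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: the body the CA expects at the challenge URL."""
    return token + "." + jwk_thumbprint(jwk)


def handle(path: str, host: str, forwarded_proto: str) -> Tuple[str, str]:
    """Route one request and return (HTTP status line, response body)."""
    if host not in ALLOWED_HOSTS:
        # Never echo an arbitrary Host header back into a redirect.
        return "400 Bad Request", "unknown host\n"
    match = CHALLENGE_PATH.match(path)
    if match:
        token = match.group(1)
        # Answer only the token that belongs to this exact host; everything
        # else is 404 so the endpoint does not reveal which tokens exist.
        if PENDING_TOKENS.get(host) == token:
            return "200 OK", key_authorization(token, ACCOUNT_JWK)
        return "404 Not Found", "no such challenge\n"
    # Validation traffic above arrives over plain HTTP by design. All other
    # requests are sent to HTTPS, trusting X-Forwarded-Proto set by the router.
    if forwarded_proto != "https":
        return "301 Moved Permanently", "https://" + host + path
    return "200 OK", "hello over https\n"


def app(environ, start_response):
    """WSGI entry point: pull the three inputs handle() needs from the environ."""
    status, body = handle(
        environ.get("PATH_INFO", "/"),
        environ.get("HTTP_HOST", "").split(":")[0],
        environ.get("HTTP_X_FORWARDED_PROTO", "http"),
    )
    headers = [("Content-Type", "text/plain")]
    if status.startswith("301"):
        headers.append(("Location", body))
    start_response(status, headers)
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Bind to the address/port the gear provides (assumed OpenShift v2 Python
    # cartridge variable names), falling back to localhost for local testing.
    ip = os.environ.get("OPENSHIFT_PYTHON_IP", "127.0.0.1")
    port = int(os.environ.get("OPENSHIFT_PYTHON_PORT", "8080"))
    make_server(ip, port, app).serve_forever()
```

Two design choices differ from the answer. The challenge path is exempt from the HTTPS redirect so that validation does not depend on the TLS configuration being right yet; Let's Encrypt follows redirects, so the answer's blanket rewrite also works, but decoupling the two makes a broken certificate upload easier to recover from. And the Host header is checked against an allow-list before it is used in the redirect, which the `RewriteRule ... https://%{HTTP_HOST}...` line does not do.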


The answer by Lucas03 is good, I'd just like to add a general comment.

Assumptions: you have at least a bronze Openshift account that allows a custom domain. This is working normally and you can access your site (without HTTPS): http://www.testdomain.com

We need to follow the manual process. Those who are new to certificates, like me, may not be clear on the general concepts.

Let's Encrypt needs to confirm you control the domain before they issue a certificate. This means putting temporary files on the server that hosts your site. Let's Encrypt then checks for these and issues a certificate.

In the manual process the temporary files get downloaded to your local pc first. Then you manually put the files in the correct location on the server. These text files must be viewable via your site or the process will fail.

Because of the variety of applications using Openshift you will see different software stacks being used. E.g. http://velin-georgiev-blog.appspot.com/blog/details/5707532110659584 refers to Flask; "How to set up Openshift with let's encrypt (letsencrypt)" by Lucas03 refers to Django.

If you can display the temporary files on www.testdomain.com using your browser you can probably ignore the software stack and stick with what you know.

JohnC answered Sep 22 '22 21:09