Friday, July 13, 2018

How to: Enable Let's Encrypt SSL wildcard certificates for your IBM Cloud apps

Private data - secured
Early last year, I wrote about how to improve security for your custom domains on IBM Cloud. I pointed out that I was using the bluemix-letsencrypt wrapper for Cloud Foundry apps to generate and retrieve SSL certificates issued by Let's Encrypt. Today, I am going to introduce you to another option which I am using. Recently, Let's Encrypt announced the support and availability of wildcard certificates. With such a wildcard certificate, all of my IBM Cloud apps available under a custom domain are covered (and secured). So let's take a look at what I did.


Custom domains
You all probably know that you can create so-called custom domains for your apps in IBM Cloud. Instead of making an app available at mygreatapp.mybluemix.net the app is reachable at myevengreaterapp.example.com. To get there, you would make your domain name known to IBM Cloud by following the instructions. In my case, I first created a new subdomain apps for 4loeser.net at my domain registrar. Then, I pointed the CNAME record to "secure.eu-de.bluemix.net". And last, I added apps.4loeser.net as a domain to IBM Cloud to serve apps hosted in Germany:
Custom domain added
As you can see, there is the Upload option for providing SSL certificates available.

Obtaining a wildcard certificate
As written earlier, you can use the letsencrypt wrapper to obtain a certificate for a single app. However, I wanted to obtain a wildcard certificate. For that purpose, I made use of the EFF's certbot tool:

>> git clone https://github.com/certbot/certbot
>> cd certbot
>> ./certbot-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email domains@4loeser.net --domains '*.apps.4loeser.net' --no-bootstrap

With the above commands I first fetch the code and change into the new directory. Thereafter, I invoke the certbot tool to guide me through the process of obtaining a certificate for "*.apps.4loeser.net" (the name is quoted so that the shell does not expand the asterisk as a file glob). Because it includes an asterisk (*), a wildcard certificate is issued.

Wildcard certificates require a so-called DNS challenge (--preferred-challenges dns), i.e., I have to configure the DNS server to prove that I own or control the domain. certbot prompted me to configure a specific token value (seen below) as a DNS TXT record for _acme-challenge.apps.4loeser.net.
DNS challenge - Let's Encrypt
Once the record was in and I had verified it with the following command, I could proceed. The certbot tool then created and obtained the certificate, a private key and more.
>> nslookup -type=TXT _acme-challenge.apps.4loeser.net

Upload and configure certificates on IBM Cloud
In the next step, I uploaded the certificate and private key to the IBM Cloud domain management.
Add SSL Certificate
Thereafter, the "Upload" option was gone and a nice lock appeared. My custom domain seems to be secured.
Custom domain secured
Optional: I uploaded the certificate and private key to the IBM Cloud Certificate Manager. Thereby, I am going to receive notifications ahead of the certificate expiration date.

Add app route and verify SSL
I have a test app based on this Cloud SQL database tutorial featuring Db2. In the IBM Cloud console I navigated to the app and its routes and configured worldcities.apps.4loeser.net. Then, I verified that the route and SSL support are available.
SSL for custom domain on IBM Cloud
By clicking on the lock icon and "Secure", it is possible to view details of the SSL certificate.
SSL certificate is valid
Conclusions
Knowing how, it is fairly straightforward and simple to configure custom domains on IBM Cloud and to create and upload SSL certificates for the apps using those domains. Let's Encrypt provides (free) wildcard certificates, which makes securing custom domains on IBM Cloud even simpler.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.