|Private data - secured|
You all probably know that you can create so-called custom domains for your apps in IBM Cloud. Instead of making an app available at mygreatapp.mybluemix.net the app is reachable at myevengreaterapp.example.com. To get there, you would make your domain name known to IBM Cloud by following the instructions. In my case, I first created a new subdomain apps for 4loeser.net at my domain registrar. Then, I pointed the CNAME record to "secure.eu-de.bluemix.net". And last, I added apps.4loeser.net as a domain to IBM Cloud to serve apps hosted in Germany:
|Custom domain added|
Obtaining a wildcard certificate
As written earlier, you can use the letsencrypt wrapper to obtain a certificate for a single app. However, I wanted to obtain a wildcard certificate. For that purpose, I made use of the EFF's certbot tool:
>> git clone https://github.com/certbot/certbot
>> cd certbot
>> ./certbot-auto certonly --manual --preferred-challenges dns --server https://acme-v02.api.letsencrypt.org/directory --email email@example.com --domains *.apps.4loeser.net --no-bootstrap
With the above commands I first fetch the code and change into the new directory. Thereafter, I invoke the certbot tool to guide me take me through the process of obtaining a certificate for "*.apps.4loeser.net". Because it includes an asteriks (*), a wildcard certificate is issued.
Wildcard certificates require a so-called DNS challenge (--preferred-challenges dns), i.e., I have to configure the DNS server to proof that I own or control the domain. certbot prompted me to configure a specific text (seen below) as a DNS TXT record for _acme-challenge.apps.4loeser.net.
|DNS challenge - Let's Encrypt|
>> nslookup -type=TXT _acme-challenge.apps.4loeser.net
Upload and configure certificates on IBM Cloud
In the next step, I uploaded the certificate and private key to the IBM Cloud domain management.
|Add SSL Certificate|
|Custom domain secured|
Add app route and verify SSL
I have a test app based on this Cloud SQL database tutorial featuring Db2. In the IBM Cloud console I navigated to the app and its routes and configured worldcities.apps.4loeser.net. Then, I verified that the route and SSL support are available.
|SSL for custom domain on IBM Cloud|
|SSL certificate is valid|
Knowing how, it is fairly straight-forward and simple to configure custom domains on IBM Cloud and to create and upload SSL certificates for the apps using those domains. Let's Encrypt provides (free) wildcard certificates which makes securing custom domains on IBM Cloud even simpler.
If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.