Let's Encrypt on OpenShift

Let's Encrypt have launched their public beta, and they're now offering SSL certificates to everyone.  The process is simple and easy to automate.  However, there's a catch: these certificates expire in a few days (90 days as of now), so they have to be renewed often.  That's where having the process be simple and automatable helps.

OpenShift doesn't yet have a way to automate SSL certificate installs, so adding an SSL cert to this blog is going to be a manual process every few days.  I'm on the OpenShift silver tier (not yet available in my region, but it's a perk available to Red Hat employees), so I get to attach a custom cert to my site.

Here's what I did to get an SSL cert for this blog and enable it: installed the letsencrypt package from the Fedora repos, and ran this command:

$ letsencrypt --text --email=<email-id> --domains log.amitshah.net --agree-tos --renew-by-default --manual certonly --config-dir ~/.letsencrypt/etc --work-dir ~/.letsencrypt/var-lib/ --logs-dir ~/.letsencrypt/var-log/

I had to verify that I actually own the log.amitshah.net domain, so I logged into the OpenShift instance and created a file there as instructed by the prompts during the above command.

This article on the Fedora Magazine has more detail on the letsencrypt command.  I gave custom paths for the log, work, and config dirs, as I didn't want to run the tool as root.

That's it; I had the certs available in ~/.letsencrypt/etc/.  I then went to the OpenShift Online web console and uploaded the files there, and SSL was instantly available on the site.
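
Since renewal and upload are manual here and the certificate lasts only 90 days, a scheduled expiry check is the easiest guard against a lapsed cert. The script below is an added example, not part of the original post. It assumes the client's usual live/<domain>/cert.pem layout under the config dir used above; make_sample_cert and example.test are hypothetical, used only to build a constructed test certificate.

```shell
#!/bin/sh
# Added example: report whether a certificate is inside its renewal window.

# cert_status FILE [DAYS]
# Prints "ok", "renew" (expires within DAYS, default 30), "expired",
# or "unreadable". Returns 0 for ok, 1 for renew/expired, 2 for unreadable.
cert_status() {
    cert=$1
    days=${2:-30}
    # Parse first: -checkend also exits non-zero on bad input, so a missing
    # or corrupt file must not be mistaken for "about to expire".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi
    # -checkend N exits 1 if the cert expires within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"
        return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "renew"
        return 1
    fi
    echo "ok"
}

# make_sample_cert DAYS OUT
# Hypothetical helper: writes a constructed self-signed certificate valid for
# DAYS days to OUT (throwaway key in OUT.key), for trying cert_status offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Typical use from cron (path is an assumption based on the config dir above):
#   sh cert_status.sh ~/.letsencrypt/etc/live/log.amitshah.net/cert.pem 30
if [ "$#" -gt 0 ]; then
    cert_status "$@"
fi
```

The exit status is non-zero whenever action is needed, so a cron job can send mail only when the certificate is due for renewal or cannot be read.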