Let's Encrypt on OpenShift

Posted by Amit Shah on December 16, 2015

Let's Encrypt have lauched their public beta, and they're now offering SSL certificates to everyone.  The process is very easy and quite easy to automate.  However, there's a catch: these certificates expire in a few days (90 days as of now), so they have to be renewed often.  That's where having the process be simple and automatable helps.

OpenShift doesn't yet have a way to automate SSL certificate installs; so adding an SSL cert to this blog is going to be a manual process every few days.  I'm on the OpenShift silver tier (not yet available in my region, but it's a perk available to Red Hat employees), so I get to attach a custom cert to my site.

Here's what I did to get an SSL cert for this blog and enable it: installed the letsencrypt package from the Fedora repos, and ran this command:

$ letsencrypt --text --email=<email-id> --domains log.amitshah.net --agree-tos --renew-by-default --manual certonly --config-dir ~/.letsencrypt/etc --work-dir ~/.letsencrypt/var-lib/ --logs-dir ~/.letsencrypt/var-log/

I had to verify that I actually own the log.amitshah.net domain, so I logged into the OpenShift instance and created a file there as instructed by the prompts during the above command.

This article on the Fedora Magazine has more detail on the letsencrypt command.  I gave custom paths for the log, work, and config dirs, as I didn't want to run the tool as root.

That's it; I had the certs available in ~/.letsencrypt/etc/.  I then went to the OpenShift Online web console and uploaded the files there, and SSL was instantly available on the site.