In this article I will demonstrate how to secure your custom domain IBM Bluemix web application by creating your own free SSL certificate using the https://letsencrypt.org/ certification authority.

Introduction

“Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open. In Public Beta” (Feb 2016). Under the covers uses openssl to create SSL certificates and as such there is no “Windows” interface for doing so. I used this opportunity to learn about VirtualBox, Unbuntu and other linux related technologies. I set up a Virtualbox VM for Unbuntu by following the instructions posted here. I then went through a torrid two days of learning how to make Unbuntu work in VirtualBox, changing the resolution of the VM, learning new Linux commands and other weird and wonderful things.

This brought me to the point of being able to create an SSL cert for my Bluemix site.

If you create a website in Bluemix you get a blah.mybluemix.net hosted site as default. http://xominosocket.mybluemix.net is my socket.io chat example I keep running. You can also create your own “route” by  clicking on the icon next to the domain at the top of your application dashboard.

I set an A record in my domain provider so that copper.xomino.com pointed at the bluemix IP address and the site appeared miraculously quickly within a few minutes. The site will work under SSL but the browser whines and complains about it.

The instructions on how to upload your own SSL certificate are posted here – https://developer.ibm.com/bluemix/2014/09/28/ssl-certificates-bluemix-custom-domains/. I followed a similar path and won’t repeat too much as this post is really about Let’s Encrypt

Let’s Encrypt

As I was going through the documentation on how to use Let’s Encrypt the first problem I had was around the auto creation of a certificate. The code reaches out to the internet to check and see if you actually own the domain. When I did this the first time I got the following message telling me that it actually found my site has a certificate already for *.mybluemix.net. That is not surprising at this stage because I haven’t uploaded the correct certificate yet.

So I went the manual route and performed the following:

letsencrypt certonly --manual --email myemailaddress -d copper.xomino.com

This presented me with the following information.

For the manual process to work (to verify that I do in fact own the domain I am claiming to own) I have to make the very specific URL respond with a very specific answer.

To do this is set up a simple route manager in my node code

app.get('/.well-known/acme-challenge/kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4', function(req, res){
  res.send("kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4.PQf6X-2A2s213el2HHSOIMzTm2BLIBAtrEdXkFDPGIU");
});

Once checked into the repo and pushed to Bluemix, this then responded appropriately on the web site

I hit Enter on the Unbuntu terminal prompt – et voila !!

As you can see from the above picture I was able to navigate to the folder and find the files. (BTW I had to chmod 777 -R live the folder because permissions were not created correctly when the files were generated by Let’s Encrypt)

Back in Bluemix I am now able to upload the cert.pem and privkey.pem through the manage domains option. As you can see from the image below – there is an insecure icon next to copper.xomino.com

Manage Domains

Once the upload is complete I was able to view the certificate

The route for the application now has a secure icon next to it

Within a few minutes I was then able to access the application using my SSL certificate successfully

Conclusion

Overall this was a relatively painless way of getting a free SSL certificate – and by painless I mean if you know what you are doing with an Unbuntu machine painless. If you don’t, expect a lot of googling. I think it is worth it to learn more about a new (to me) technology and I also have a nefarious docker based reason for learning Unbuntu for the future. This was just the start.

Certificates are only available for 3 months at a time right now – you can read more about the why here (https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes/4621).