Setting up a secure, custom domain, node.js site on Azure

In this article I will demonstrate the necessary steps to set up a node.js server running https, hosted in Azure.

Introduction

This article is a combination of my own work and a collection of reference blog articles I had to track down to achieve all of this.

Creating a node.js site on Azure

If you follow the instructions on this site you should be able to create an Azure site (Get started with Node.js web apps in Azure App Service).

Creating a custom domain

Once you have registered your new domain (in my case marky.co) you need to go to the Azure portal and follow the instructions posted here (Configuring a custom domain name for an Azure cloud service). You cannot do this on the free tier though, and this is where you have to choose your plan carefully. To be able to interact with Office Add-Ins I need my service to be SSL enabled.

Once you have selected a Basic plan you should get the following options

Assign your site and as the instructions stated – you can “Bring your domain” by changing the CName within your domain name provider DNS management tools.

Adding SSL

There are a number of methods for getting an SSL certificate but I have taken to doing it for free – you can use the same process I detailed here for exposing your node server to manually collect the Let’s Encrypt certificates (Using Let’s Encrypt to create an SSL certificate for my Bluemix hosted web site) to create the .pem files.

To turn the .pem files into .pfx files you need to follow the openssl instructions here (How To: Get LetsEncrypt working with IIS manually)

openssl pkcs12 -export -out "certificate.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile chain.pem

The certificate.pfx file can then be loaded into the azure portal. When you import the certificate successfully it is displayed on the main blade automatically.

Add the SSL binding

aaaah we love the cloud….

IMPORTANT – Restart your instance and there we go

Conclusion

In this article we have seen how to deploy an instance of node.js on Azure, apply a custom domain to it, create an SSL certificate and add it to the Azure instance. Once this is complete you should have an SSL secured node.js instance running which can then be used for Office Add-in deployments.

Enabling a node.js SSL webserver using Let’s Encrypt .pem certificates

In this article I will show a simple example of getting a node.js SSL website up and running using the .pem certificates issued from Let’s Encrypt.

Introduction

Once you have gone through the process of getting your Let’s Encrypt certificates you will have 4 certificates

You will need to download the root certificate and an intermediate certificate from Let’s Encrypt – https://letsencrypt.org/certificates/

Once you have the root.pem the actual node code to get this running is relatively simple.

// Startup Express App
var express = require('express');

var https = require('https');
var http = require('http');
var fs = require('fs');
var app = express();

// A minimal route so the server answers something on both listeners
app.get('/', function (req, res) {
  res.send('hello');
});

// TLS material from Let's Encrypt: the private key, the server certificate,
// and (as additional trusted CAs) the root and intermediate downloaded above
var options = {
  key: fs.readFileSync('copperCerts/privkey1.pem'),
  cert: fs.readFileSync('copperCerts/cert1.pem'),
  ca: [
    fs.readFileSync('copperCerts/root.pem', 'utf8'),
    fs.readFileSync('copperCerts/chain.pem', 'utf8')
  ]
};

// Plain HTTP on 8080 and HTTPS on 3000, both served by the same Express app
http.createServer(app).listen(8080);
https.createServer(options, app).listen(3000);

Adding your Let’s Encrypt SSL certificate into your Domino keyring file

In this article I will show how to use a slightly modified version of IBM help documentation to get your Let’s Encrypt issued certificate to work as the SSL certificate on your Domino server.

Introduction

Since the introduction of R9.0.1FP3 server we have had the ability to load a TLS certificate into the notes SSL keyring.kyr file. There is existing documentation on how to handle this using the new KYRTOOL and openssl but those instructions are not entirely clear as to how they relate to Let’s Encrypt. This article is as much for my own edification and memory as anything else!

Part of the disconnect was that the instructions from IBM did not match the names of the files which were created for me by Let’s Encrypt. This community posting helped explain things – https://community.letsencrypt.org/t/how-to-get-crt-and-key-files-from-i-just-have-pem-files/7348/2

Existing IBM instructions

The following article from IBM shows how to create the certificate file using openssl: Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation.

In there you will find a link to download the kyrtool – I placed the win32 version in my notes client installation directory (C:\Program Files (x86)\IBM\Notes)

Let’s Encrypt

If you follow the instructions in this article you can create your own Let’s Encrypt certificate .pem file(s).

I copied all the files into a c:\certs folder to prevent a lot of typing and to simplify my life.

You will need to download the root certificate and an intermediate certificate from Let’s Encrypt – https://letsencrypt.org/certificates/

Save the files into your c:\certs directory as root.pem and intermediate.pem

Make sure you get the Signed by ISRG Root X1 intermediate

Open a command window in your notes client directory by holding down SHIFT and right clicking on the folder

Open a second command window in the c:\certs directory

Copy the following and then right click into the command window

  • type privkey.pem cert.pem intermediate.pem root.pem > server.txt

Copy the following, then go back to the C:\Program Files (x86)\IBM\Notes CMD window and right click again

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" verify "C:\certs\server.txt"

You should get the happy message….

The final step is to import the new server.txt file into a new Notes keyring file.

Create a new keyring file by copying the following and right clicking into the C:\Program Files (x86)\IBM\Notes CMD window

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -p password

Then import the server.txt file by again copying the following and right clicking in the C:\Program Files (x86)\IBM\Notes CMD window

  • kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import all -k "C:\Program Files (x86)\IBM\Notes\Data\keyring.kyr" -i "C:\certs\server.txt"

You can now

  • take the keyring.kyr and keyring.sth files, copy them into the server’s data directory
  • Configure your website document (or server document) to use the keyring.kyr file
  • restart the http task on the server
  • and it should work….

Conclusion

In this article we have seen how to successfully import the Let’s Encrypt certificates into the notes kyr file. This is only part of the story though. As the Let’s Encrypt certificates are only valid for 90 days, this is a laborious repetitive task to have to accomplish on that time frame. Now I know what I am doing, for my local server it shouldn’t take very long to re-do, but this is far from a production solution. I might try and batch file it, that would probably help. We’ll see how annoyed I get when my cert fails right before a client demo 🙂

Using Let’s Encrypt to create an SSL certificate for my Bluemix hosted web site

In this article I will demonstrate how to secure your custom domain IBM Bluemix web application by creating your own free SSL certificate using the https://letsencrypt.org/ certification authority.

Introduction

Let’s Encrypt is a new Certificate Authority: “It’s free, automated, and open. In Public Beta” (Feb 2016). Under the covers it uses openssl to create SSL certificates and as such there is no “Windows” interface for doing so. I used this opportunity to learn about VirtualBox, Ubuntu and other Linux related technologies. I set up a VirtualBox VM for Ubuntu by following the instructions posted here. I then went through a torrid two days of learning how to make Ubuntu work in VirtualBox, changing the resolution of the VM, learning new Linux commands and other weird and wonderful things.

This brought me to the point of being able to create an SSL cert for my Bluemix site.

If you create a website in Bluemix you get a blah.mybluemix.net hosted site as default. http://xominosocket.mybluemix.net is my socket.io chat example I keep running. You can also create your own “route” by clicking on the icon next to the domain at the top of your application dashboard.

I set an A record in my domain provider so that copper.xomino.com pointed at the bluemix IP address and the site appeared miraculously quickly within a few minutes. The site will work under SSL but the browser whines and complains about it.

The instructions on how to upload your own SSL certificate are posted here – https://developer.ibm.com/bluemix/2014/09/28/ssl-certificates-bluemix-custom-domains/. I followed a similar path and won’t repeat too much as this post is really about Let’s Encrypt.

Let’s Encrypt

As I was going through the documentation on how to use Let’s Encrypt the first problem I had was around the auto creation of a certificate. The code reaches out to the internet to check and see if you actually own the domain. When I did this the first time I got the following message telling me that it actually found my site has a certificate already for *.mybluemix.net. That is not surprising at this stage because I haven’t uploaded the correct certificate yet.

So I went the manual route and performed the following:

letsencrypt certonly --manual --email myemailaddress -d copper.xomino.com

This presented me with the following information.

For the manual process to work (to verify that I do in fact own the domain I am claiming to own) I have to make the very specific URL respond with a very specific answer.

To do this I set up a simple route handler in my node code

app.get('/.well-known/acme-challenge/kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4', function(req, res){
  res.send("kEEHfqWh8ur-rxYzIF0Ct8cnP_oGvqCXWZweMNDwbX4.PQf6X-2A2s213el2HHSOIMzTm2BLIBAtrEdXkFDPGIU");
});

Once checked into the repo and pushed to Bluemix, this then responded appropriately on the web site

I hit Enter on the Ubuntu terminal prompt – et voila !!

As you can see from the above picture I was able to navigate to the folder and find the files. (BTW I had to chmod 777 -R the live folder because permissions were not created correctly when the files were generated by Let’s Encrypt)

Back in Bluemix I am now able to upload the cert.pem and privkey.pem through the manage domains option. As you can see from the image below – there is an insecure icon next to copper.xomino.com

Manage Domains

Once the upload is complete I was able to view the certificate

The route for the application now has a secure icon next to it

Within a few minutes I was then able to access the application using my SSL certificate successfully

Conclusion

Overall this was a relatively painless way of getting a free SSL certificate – and by painless I mean if you know what you are doing with an Ubuntu machine painless. If you don’t, expect a lot of googling. I think it is worth it to learn more about a new (to me) technology and I also have a nefarious docker based reason for learning Ubuntu for the future. This was just the start.

Certificates are only available for 3 months at a time right now – you can read more about the why here (https://community.letsencrypt.org/t/pros-and-cons-of-90-day-certificate-lifetimes/4621).