Let’s Encrypt have launched their public beta, and they’re now offering SSL certificates to everyone. The process is simple and easy to automate. However, there’s a catch: these certificates expire in a few days (90 days as of now), so they have to be renewed often. That’s where having a simple, automatable process helps.
OpenShift doesn’t yet have a way to automate SSL certificate installs, so adding an SSL cert to this blog is going to be a manual process every few days. I’m on the OpenShift silver tier (not yet available in my region, but it’s a perk available to Red Hat employees), so I get to attach a custom cert to my site.
Here’s what I did to get an SSL cert for this blog and enable it: installed the letsencrypt package from the Fedora repos, and ran this command:
$ letsencrypt --text --email=<email-id> --domains log.amitshah.net --agree-tos --renew-by-default --manual certonly --config-dir ~/.letsencrypt/etc --work-dir ~/.letsencrypt/var-lib/ --logs-dir ~/.letsencrypt/var-log/
I had to verify that I actually own the log.amitshah.net domain, so I logged into the OpenShift instance and created a file there as instructed by the prompts during the above command.
This article on Fedora Magazine has more detail on the letsencrypt command. I gave custom paths for the log, work, and config dirs, as I didn’t want to run the tool as root.
That’s it; I had the certs available in ~/.letsencrypt/etc/. I then went to the OpenShift Online web console and uploaded the files there, and SSL was instantly available on the site.
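Since the upload stays manual and the certificates last 90 days, it is worth checking each renewed certificate before uploading it. The script below is an added example, not part of the original post: it reports whether a certificate is within 30 days of expiry and whether the private key actually belongs to it. It assumes the letsencrypt client's usual layout of live/<domain>/cert.pem and privkey.pem under the config dir; the 30-day threshold and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example: checks to run before uploading a renewed certificate by hand.

# Returns 0 if cert $1 expires within $2 days (default 30), 1 if not, 2 if unreadable.
cert_needs_renewal() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    # -checkend N exits 0 only if the cert is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Returns 0 if private key $2 belongs to cert $1, 1 if not, 2 if either is unreadable.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample input: throwaway self-signed cert $1.pem / key $1.key, valid $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Print a short report for cert $1 and key $2.
report() {
    cert_matches_key "$1" "$2" || echo "WARNING: $2 does not match $1"
    rc=0; cert_needs_renewal "$1" 30 || rc=$?
    case $rc in
        0) echo "$1: expires within 30 days, renew and upload again" ;;
        1) echo "$1: more than 30 days left" ;;
        *) echo "$1: cannot read certificate" ;;
    esac
}

if [ -n "${1:-}" ]; then
    # Assumed layout: <config-dir>/live/<domain>/cert.pem and privkey.pem
    report "$1/cert.pem" "$1/privkey.pem"
else
    # No argument: demonstrate on a constructed 10-day certificate.
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/demo" 10
    report "$tmp/demo.pem" "$tmp/demo.key"
    rm -rf "$tmp"
fi
```

With the options used above, the directory to pass as the argument would be ~/.letsencrypt/etc/live/log.amitshah.net, assuming the client's usual layout. Run periodically from cron as the same non-root user, it serves as a reminder that the manual renewal and upload are due.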