Security

Adding SSL certificates to apps

Overview

Cloud 66 supports three kinds of SSL certificates:

  1. Standard certificates (via Let’s Encrypt)
  2. Wildcard certificates (via Let’s Encrypt)
  3. External certificates

These options are mutually exclusive per application: you cannot mix them (for example, by using option 1 on some servers and option 3 on the rest).

We describe how to set up each type of certificate below.

Standard certificates

Standard certificates use Let's Encrypt to provision certificates for your domains.

Adding a standard certificate

To add a standard certificate:

  1. If you have not already done so, you must add (or update) your DNS records to point to your application (either directly, or via your load balancer)
  2. Open your application in your Cloud 66 Dashboard
  3. Click on Network → SSL Certificate in the right-hand panel
  4. Click Add SSL Certificate
  5. Add your domain name and any subdomains (wildcards aren’t supported for this kind of certificate)
  6. Check or uncheck the SSL termination option (depending on your requirements)
  7. Click Create

Cloud 66 will now attempt to add a standard certificate based on your configuration. Watch the timeline to see the outcome.

Cloudflare users need to add a Page Rule to their Cloudflare configuration in order for the process described above to work. If you run into any other problems, consult our troubleshooting doc.

Certificates must be renewed every 3 months

Let's Encrypt certificates are valid for 90 days, so they are renewed automatically. Leave the configuration above (DNS records pointing at the application and the HTTP endpoint described below) in place; if the renewal validation fails, the certificate expires.

How standard certificates work

For standard (i.e. non-wildcard) certificates we create a file with a random name under /etc/cloud66/webroot/ on one of your web servers. Let's Encrypt's validation servers then connect to your domain over plain HTTP (port 80) and download that file. Serving the expected content proves that you control the domain, so a certificate can be issued.

HTTP endpoint required

Let's Encrypt needs a plain (non-TLS) HTTP endpoint, i.e. http://<your-application-domain>/.well-known/acme-challenge/*, to issue and renew certificates. Keep port 80 reachable and make sure firewalls or proxy rules do not block that path.
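A preflight for the HTTP-01 check described above, as an added example rather than Cloud 66 tooling: it drops a throwaway token under the webroot the page names (/etc/cloud66/webroot) and fetches it over plain HTTP the way the validation servers do. The function name, the probe body and the optional PORT argument are this example's own conventions; real validation always uses port 80.

```shell
#!/bin/sh
# Preflight for Let's Encrypt HTTP-01 validation (added example, not Cloud 66 code).
# Assumed: WEBROOT is the directory the page names; the probe content is made up here.

WEBROOT="${WEBROOT:-/etc/cloud66/webroot}"

# probe_http01 WEBROOT HOST [PORT]
# Returns 0 if http://HOST[:PORT]/.well-known/acme-challenge/<token> serves the file
# written under WEBROOT, 1 if port 80 is unreachable, the vhost uses another document
# root, a redirect or error page comes back instead, or the file cannot be written.
probe_http01() {
  webroot="$1"; host="$2"; port="${3:-80}"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir" || return 1
  printf 'probe-%s' "$token" > "$dir/$token" || return 1

  # No -L: a redirect (for example a blanket http->https rule) shows up as a mismatch,
  # so you see it instead of silently relying on the redirect target being right.
  if got=$(curl -sS --max-time 10 "http://$host:$port/.well-known/acme-challenge/$token" 2>/dev/null); then
    rc=0
  else
    rc=1   # connection refused, DNS failure or timeout
  fi
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$got" = "probe-$token" ]
}

# Typical use on a web server once DNS points at it:
#   probe_http01 "$WEBROOT" example.com && echo "HTTP-01 path reachable"
```

Run it from the server itself and from a machine outside your network; the second run is the one that matches what Let's Encrypt sees.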

Wildcard certificates

Wildcard certificates rely on a different method of proving ownership of your domain (the ACME DNS-01 challenge). Instead of adding a file to your server, we add a TXT record whose value is provided by Let's Encrypt to your DNS, under _acme-challenge.<your-domain>. This is why Cloud 66 needs API access to your DNS provider.

Step 1: Set up a DNS provider

In order to enable a wildcard certificate, you first need to set up a DNS provider with Cloud 66. To do so:

  1. Set your domain to be managed by one of the DNS providers below
  2. Configure your DNS provider to allow us to access it securely (see box below for instructions per provider)
  3. Log into your Cloud 66 account and navigate to: Account Settings → External services → DNS Providers
  4. Give your DNS account a name and select your provider from the list
  5. Add the credentials obtained in step 2
  6. Click save

Each DNS provider has specific credentials that need to be created and then added to your Cloud 66 account. Find your provider below for more details.

Amazon Route 53 requires an Access Key ID and a Secret Access Key for an IAM user (create a dedicated user for this rather than using root credentials) with at least the following permissions:

  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets

You can assign these permissions to the user using an IAM policy like the example below. Replace YOURHOSTEDZONEID with the ID of your hosted zone for the policy to work. ListHostedZones and GetChange cannot be restricted to a single zone, but the ChangeResourceRecordSets statement is, so the key can only write records in the zone you name; if you want to tighten it further, the route53:ChangeResourceRecordSetsRecordTypes condition key limits it to TXT records.

{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}

Generate access keys for that user using your preferred method (web console or CLI); AWS's guide on managing access keys for IAM users describes both.

You can now add Route53 to your Cloud 66 account using these credentials (see above).

If your provider is not listed, consider using RFC 2136 (dynamic DNS update) if your provider supports that protocol.

Step 2: Add a wildcard certificate

Once you have a DNS provider, you can set up a certificate:

  1. Navigate to your application and click on Network → SSL Certificate in the right-hand panel
  2. Click Add SSL Certificate
  3. Choose your DNS provider from the dropdown
  4. Add your (wildcard) domain name
  5. Check or uncheck the SSL termination option (depending on your requirements)
  6. Click Create

Cloud 66 will now attempt to add a wildcard Let's Encrypt certificate based on your configuration. Watch the timeline to see the outcome.
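If the timeline reports a DNS validation failure, the first thing to check is whether the TXT record described in the wildcard section above is actually visible on the zone's authoritative servers. The script below is an added example, not Cloud 66's code: it derives the ACME DNS-01 record name (_acme-challenge.<domain>, with the wildcard label dropped) and queries each authoritative server for it. The function names and example.com are this example's own; it needs dig (dnsutils / bind-utils) installed.

```shell
#!/bin/sh
# DNS-01 propagation check for a (wildcard) domain. Added example, not Cloud 66 tooling.

# challenge_name DOMAIN: the TXT record name Let's Encrypt looks up.
# "*.example.com" and "example.com" both validate against _acme-challenge.example.com.
challenge_name() {
  d="${1#\*.}"      # the wildcard label is not part of the record name
  d="${d%.}"        # tolerate a trailing dot
  printf '_acme-challenge.%s\n' "$d"
}

# zone_apex DOMAIN: the name whose NS records identify the authoritative servers.
# Assumes the wildcard sits directly under a zone you host; for a deeper name
# (*.app.example.com in a zone example.com) pass the zone name explicitly.
zone_apex() { d="${1#\*.}"; printf '%s\n' "${d%.}"; }

# txt_values NAME SERVER: TXT values at NAME as answered by SERVER, quotes removed
txt_values() { dig +short TXT "$1" "@$2" | tr -d '"'; }

# check_dns01 DOMAIN [EXPECTED]: 0 if every authoritative server returns a
# _acme-challenge TXT record (equal to EXPECTED when given), 1 otherwise.
# A MISS on some servers only means the provider has not finished propagating.
check_dns01() {
  name=$(challenge_name "$1"); expected="${2:-}"; rc=0
  apex=$(zone_apex "$1")
  servers=$(dig +short NS "$apex")
  [ -n "$servers" ] || { echo "no NS records for $apex" >&2; return 1; }
  for ns in $servers; do
    if [ -z "$expected" ]; then
      found=$(txt_values "$name" "$ns" | grep -c .)
    else
      found=$(txt_values "$name" "$ns" | grep -cxF "$expected")
    fi
    if [ "$found" -gt 0 ]; then
      echo "ok   $ns $name"
    else
      echo "MISS $ns $name"; rc=1
    fi
  done
  return $rc
}

# Example: check_dns01 '*.example.com'
```

Stale _acme-challenge records left behind by earlier attempts are harmless to validation (Let's Encrypt accepts any matching value) but are worth cleaning up so the check above stays meaningful.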

External certificates

External certificates are SSL certificates that you have obtained from another provider (not Cloud 66) and you are importing into your Cloud 66 application.

Adding an external certificate

To set up an external SSL certificate:

  1. Generate a private key and a certificate signing request (CSR) from your command line, without setting a passphrase on the key (the web server has to load it unattended)
  2. Provide the CSR file to your certificate authority, who will in turn provide you with a certificate (CRT) file. Download it to your local machine, and keep the private key somewhere safe: the key is the secret, the certificate is public.
  3. Open your application in your Cloud 66 Dashboard
  4. Click on Network → SSL Certificate in the right-hand panel
  5. Click Add SSL Certificate and click the External tab
  6. Paste the contents of your private key (.key) and certificate (.crt) files, in PEM format, into their respective fields
  7. You can also add intermediate certificates and specify allowed server names if needed - see below for instructions.
  8. Check or uncheck the SSL termination option (depending on your requirements)
  9. Click Add SSL Certificate

Cloud 66 will now attempt to add the certificate based on your configuration. Watch the timeline to see the outcome.
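Steps 1 and 2 above, as an added example (not Cloud 66's tooling): generate an unencrypted key and a CSR that covers the domain and its alternative names, then check the pair before sending the CSR off or pasting the key into the dashboard. Function names and the example.com names are this example's own.

```shell
#!/bin/sh
# Private key + CSR generation and checks for an external certificate.
# Added example, not Cloud 66 code; requires openssl.

# make_csr OUTDIR DOMAIN [ALT_DOMAIN...]
# -nodes leaves the key unencrypted, which is what the dashboard needs: a
# passphrase-protected key cannot be loaded by the web server unattended.
make_csr() {
  outdir="$1"; domain="$2"; shift 2
  sans="DNS:$domain"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  cfg="$outdir/$domain.cnf"
  cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $domain
[v3_req]
subjectAltName = $sans
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.csr" -config "$cfg" 2>/dev/null \
    && chmod 600 "$outdir/$domain.key"   # the key is the secret: owner-only
}

# check_csr OUTDIR DOMAIN: CSR signature valid, key unencrypted, key matches the
# CSR's public key, and the domain is present as a SAN.
check_csr() {
  key="$1/$2.key"; csr="$1/$2.csr"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR signature invalid" >&2; return 1; }
  if grep -q ENCRYPTED "$key"; then
    echo "key is passphrase-protected; regenerate it with -nodes" >&2; return 1
  fi
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  c=$(openssl req -in "$csr" -noout -pubkey | openssl md5)
  [ "$k" = "$c" ] || { echo "private key does not match CSR" >&2; return 1; }
  openssl req -in "$csr" -noout -text | grep -q "DNS:$2" \
    || { echo "subjectAltName for $2 missing" >&2; return 1; }
}

# Example:
#   make_csr . example.com www.example.com && check_csr . example.com
```

The same key-matches-certificate check (compare the public key from the .crt via openssl x509 -pubkey with the one from the key) is worth running once the CA returns the certificate, before you paste both into the dashboard.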

Intermediate certificates

Some SSL certificate authorities (CAs), such as RapidSSL, issue certificates from an intermediate CA rather than from a root CA: they effectively act as resellers for other authorities (such as VeriSign). Clients only trust root certificates, so unless your server also sends the intermediate certificate, devices that do not already have it cached (notably Android devices) cannot build the chain and reject the connection.

Cloud 66 fully supports these CAs. To use them, copy the contents of your intermediate certificate into the Intermediate Certificate field of the Add SSL Certificate interface (see above).

Multi-domain certificates

When installing multi-domain certificates, certificate authorities such as Comodo typically send you four files:

  1. Root CA Certificate - e.g. AddTrustExternalCARoot.crt
  2. Intermediate CA Certificate - e.g. COMODORSAAddTrustCA.crt
  3. Intermediate CA Certificate - e.g. COMODORSAExtendedValidationSecureServerCA.crt
  4. Your COMODO EV Multi-Domain SSL Certificate - e.g. 14637732.crt

To use these, concatenate all files except the last one (your own certificate), starting with the intermediate that signed your certificate and ending with the root:

$ cat COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle_file

Copy the contents of the entire bundle file into the Intermediate Certificate field. Keep the order shown: each certificate in the bundle should be the issuer of the one before it. The root at the end is optional, since clients only trust roots already in their own store, but including it is harmless.
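A check for the bundle built above, as an added example rather than Cloud 66 tooling: it splits a concatenated PEM bundle, confirms that each certificate is issued by the one after it (a reversed bundle or a missing intermediate fails here before you paste anything), and verifies your certificate against the bundle with openssl. Function names are this example's own.

```shell
#!/bin/sh
# Intermediate-bundle order and chain checks. Added example, not Cloud 66 code.

# split_pems BUNDLE DIR: write each PEM certificate in BUNDLE to DIR/cert-N.pem
# (in file order) and print how many were found
split_pems() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# Subject and issuer of one PEM certificate, in RFC 2253 form so they compare as strings
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# check_bundle_order BUNDLE: 0 if certificate i is issued by certificate i+1 for every i,
# i.e. the bundle runs from your certificate's issuer up to the root.
check_bundle_order() {
  tmp=$(mktemp -d)
  n=$(split_pems "$1" "$tmp")
  [ "$n" -gt 0 ] || { echo "no certificates in $1" >&2; rm -rf "$tmp"; return 1; }
  i=1; rc=0
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    if [ "$(cert_issuer "$tmp/cert-$i.pem")" != "$(cert_subject "$tmp/cert-$j.pem")" ]; then
      echo "certificate $i ($(cert_subject "$tmp/cert-$i.pem")) is not issued by certificate $j" >&2
      rc=1
    fi
    i=$j
  done
  rm -rf "$tmp"
  return $rc
}

# check_chain CERT BUNDLE: does CERT chain through BUNDLE to a root in the local
# trust store? Run with your own .crt and the bundle before adding them.
check_chain() { openssl verify -untrusted "$2" "$1" >/dev/null; }

# Example:
#   check_bundle_order bundle_file && check_chain 14637732.crt bundle_file
```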
