SSL certificates

Adding SSL certificates to apps

Overview

Cloud 66 supports three kinds of SSL certificates:

  1. Standard certificates (via Let’s Encrypt)
  2. Wildcard certificates (via Let’s Encrypt)
  3. External certificates

These solutions are mutually exclusive per app - you cannot mix them (with some servers using #1 and the rest #3, for example).

We describe how to set up each type of certificate below.

Standard certificates

Standard certificates use Let's Encrypt to provision certificates for your domains.

Adding a standard certificate

To add a standard certificate:

Cloud 66 will now attempt to add a standard certificate based on your configuration. Watch the timeline to see the outcome.

Cloudflare users need to add a Page Rule to their Cloudflare configuration in order for the process described above to work. If you run into any other problems, consult our troubleshooting doc.

Certificates require updates every 3 months

Let's Encrypt needs to be updated every 3 months, so you should keep this configuration in place to allow for automatic renewal.

How standard certificates work

For standard (i.e. non-wildcard) certificates we create a file with a random name under /etc/cloud66/webroot/ on one of your web servers. Let's Encrypt then tries to connect to your server and download that file via HTTP (i.e. port 80). This confirms that you own and control the domain and thus that a certificate can be issued.

HTTP endpoint required

Let's Encrypt needs a non-secure HTTP endpoint - i.e. <your-application-domain>/.well-known/acme_challenge/* to invoke and reissue certificates.

Wildcard certificates

Wildcard certificates rely on a different method for proving your domain’s ownership. Instead of adding a file to your server, we add a special record (provided by Let’s Encrypt) to your DNS.

Step 1: Set up a DNS provider

In order to enable a wildcard certificate, you first need to set up a DNS provider with Cloud 66. To do so:

  1. Set your domain to be managed by one of the DNS providers below
  2. Configure your DNS provider to allow us to access it securely (see box below for instructions per provider)
  3. Log into your Cloud 66 account and navigate to: Account Settings → External services → DNS Providers
  4. Give your DNS account a name and select your provider from the list
  5. Add the credentials obtained in point 2
  6. Click save

Each DNS provider has specific credentials that need to be created and then added to your Cloud 66 account. Find your provider below for more details.

Amazon Route 53 requires an API Access Key and a Secret Access Key for an AWS account with (at least) the following permissions:

  • route53:ListHostedZones
  • route53:GetChange
  • route53:ChangeResourceRecordSets

You can assign permissions to the account using an IAM policy like the example below. You would need to replace the Hosted Zone ID for the example policy to work properly.

{
    "Version": "2012-10-17",
    "Id": "certbot-dns-route53 sample policy",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ListHostedZones",
                "route53:GetChange"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect" : "Allow",
            "Action" : [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource" : [
                "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID"
            ]
        }
    ]
}

To generate access keys for an account using your preferred method (web console or CLI) by following this guide.

You can now add Route53 to your Cloud 66 account using these credentials (see above).

If your provider is not listed, consider using RFC 2136 if your provider supports the protocol.

Step 2: Add a wildcard certificate

Once you have have a DNS provider, you can set up a certificate:

Cloud 66 will now attempt to add a wildcard LetsEncrypt certificate based on your configuration. Watch the timeline to see the outcome.

External certificates

External certificates are SSL certificates that you have obtained from another provider (not Cloud 66) and you are importing into your Cloud 66 application.

Adding an external certificate

To set up an external SSL certificate:

Cloud 66 will now attempt to add the certificate based on your configuration. Watch the timeline to see the outcome.

Intermediate certificates

Some SSL certificate authorities (CA), like RapidSSL, issue certificates that are not fully compatible with all devices (specifically Android devices). This is because they are not the ultimate CAs and usually act as a reseller for other authorities (like VeriSign).

Cloud 66 supports fully these CAs. To use them, copy the contents of your intermediate certificate into the Add SSL Certificate interface (see above).

Multi-domain certificates

When installing multi-domain certificates, certificate authorities such as Comodo typically send you four files:

  1. Root CA Certificate - e.g. AddTrustExternalCARoot.crt
  2. Intermediate CA Certificate - e.g. COMODORSAAddTrustCA.crt
  3. Intermediate CA Certificate - e.g. COMODORSAExtendedValidationSecureServerCA.crt
  4. Your COMODO EV Multi-Domain SSL Certificate - 14637732.crt

To use these, you have to concatenate all files except for the last one (the certificate):

$ cat COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > bundle_file

You will then copy the contents of the entire bundle file into the Intermediate Certificate field.

Configuring Let's Encrypt with Cloudflare

If you route your application traffic through Cloudflare and use a Standard certificate you will need to add a Page Rule to your Cloudflare configuration in order for the server challenge process (see above) to work.

The URL for the page rule should be the challenge URL for your server: http://YOURSITE.com/.well-known/acme-challenge/

To set up your application:

  1. Ensure the challenge file is in the folder
  2. Log into your Cloudflare dashboard and create a new Page Rule
  3. Set the challenge URL as an exact match for the Page
  4. Set SSL to "off"
  5. Set Automatic HTTPS Rewrites to "off"
  6. Set Browser Integrity Check to "off"
  7. Save and deploy the rule (after testing)

The challenge should now succeed. If it does not, read the rest of this guide.

Let's Encrypt certs require updates every 3 months

Let's Encrypt needs to be updated every 3 months, so you should keep all configurations in place to allow for automatic renewal.

Using Cloudflare SSL certificates with Cloud 66

If you’d like to use a certificate issued by Cloudflare (i.e. use Cloudflare as your CA) with your application on Cloud 66, we recommend you use their Full - SSL/TLS encryption mode rather than the default Flexible mode. To enable this:

  1. Generate an Origin CA certificate on your Cloudflare account
  2. Add the resulting certificate as an External Certificate on your Cloud 66 account
  3. Enable Full SSL/TLS encryption mode on your Cloudflare account

For Rails apps, we suggest you set the force_ssl option to true.

Previous
Understanding Traffic Rules