How to use Openshift (PaaS) with Lets Encrypt [Solved]


#1

Assuming the application is called https and the domain name for the certificate is www.example.com

First (if not done already) install the rhc tools, hXXps://developers.openshift.com/en/managing-client-tools.html

Second (if not done already) Set up the CNAME record with your DNS provider - at developers.openshift.com/en/managing-domains-ssl.html
Test www.example.com (http) works and directs to your openshift application before proceeding.

Third
Log into your application

rhc ssh -a https

From the application, install Simple Let’s Encrypt Client and bring some of the python packages needed up to date

pip install git+https://github.com/kuba/simp_le
pip install --upgrade six
pip install --upgrade setuptools

Now stop the application (gear) and set up a python2 webserver with the correct port and correct IP [$OPENSHIFT_PYTHON_IP & $OPENSHIFT_PYTHON_PORT].

(Note this is a one-liner in python 3.4,
python -m http.server $OPENSHIFT_PYTHON_PORT --bind $OPENSHIFT_PYTHON_IP
but openshift at the time of writing has only python 3.2 or python 2. So a simple python 17 line script is needed)

gear stop
mkdir -p /tmp/http/.well-known/acme-challenge
cd /tmp/http
wget https://gist.githubusercontent.com/bmsleight/bc34254eed0ee458738e/raw/61110fe6e3980f0c6a401acae93f221f56b1eced/simple_acme_server.py
python2 simple_acme_server.py &

Go to the data directory as a good place to store the certificates and let simp_le work its magic

cd ~/app-root/data/
simp_le --email example@example.com -f account_key.json   -f fullchain.pem -f key.pem   -d www.example.com --default_root /tmp/http 

Assuming no errors, stop the python2 webserver, restart the application/gear and exit out of openshift server

killall python2
gear start
exit

Fourth
The uploading of the certificates and keys must be done outside of the application, so from your local machine - grab a copy and then upload them (yes scp is the wrong way around - RTFM)

rhc scp -a https download ./ ./app-root/data/fullchain.pem
rhc scp -a https download ./ ./app-root/data/key.pem
rhc alias update-cert https www.example.com --certificate fullchain.pem --private-key key.pem

Fifth
Show some love at letsencrypt.org

I’ve also posted this on hXXp://stackoverflow.com/questions/35105267/how-to-set-up-openshift-with-lets-encrypt-letsencrypt/35105577
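
The temporary challenge server from the third step, as an added example that is not part of the original post and is not the gist script it downloads: a server that runs on Python 2 or 3, binds to the gear's IP and port, and answers only for well-formed ACME token files under the webroot, so nothing else in /tmp/http is exposed while the gear is stopped. The names `make_handler` and `make_server` and the fallback address 127.0.0.1:8080 are assumptions of this example.

```python
# Added example (not the gist from the post): serve only ACME HTTP-01
# challenge files from a webroot, bound to the gear's IP and port.
import os
import re
try:                                    # Python 3
    from http.server import BaseHTTPRequestHandler, HTTPServer
except ImportError:                     # Python 2, as on the gear in the post
    from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"
# ACME tokens use only the base64url alphabet, so anything containing
# "/" or "." (for example a "../" traversal) is rejected outright.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

def make_handler(webroot):
    """Build a handler class that serves challenge files under webroot (hypothetical helper)."""
    class ChallengeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            path = self.path.split("?", 1)[0]
            token = path[len(PREFIX):] if path.startswith(PREFIX) else ""
            fname = os.path.join(webroot, ".well-known", "acme-challenge", token)
            if not TOKEN_RE.match(token) or not os.path.isfile(fname):
                self.send_error(404)
                return
            with open(fname, "rb") as fh:
                body = fh.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):
            pass                        # keep the ssh session quiet

    return ChallengeHandler

def make_server(webroot, ip, port):
    """Return an HTTPServer bound to ip:port (hypothetical helper)."""
    return HTTPServer((ip, port), make_handler(webroot))

if __name__ == "__main__":
    # Environment variable names and /tmp/http come from the post;
    # the fallback values are assumptions for running it elsewhere.
    ip = os.environ.get("OPENSHIFT_PYTHON_IP", "127.0.0.1")
    port = int(os.environ.get("OPENSHIFT_PYTHON_PORT", "8080"))
    make_server("/tmp/http", ip, port).serve_forever()
```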