How to use OpenShift (PaaS) with Let's Encrypt [Solved]


Assuming the application is called https and the domain names for the certificate is called

First (if not done already) install the rhc tools, hXXps://

Second (if not done already) Set up the CNAME record with your DNS provider - at
Test that (http) works and directs to your OpenShift application before proceeding.

Log into your application

rhc ssh -a https

From the application, install Simple Let’s Encrypt Client and bring some of the python packages needed up to date

pip install git+
pip install --upgrade six
pip install --upgrade setuptools

Now stop the application (gear) and set up a python2 webserver with the correct port and the correct IP. [$OPENSHIFT_PYTHON_IP & $OPENSHIFT_PYTHON_PORT]

(Note: this is a one-liner in Python 3.4,
python -m http.server $OPENSHIFT_PYTHON_PORT --bind $OPENSHIFT_PYTHON_IP
but OpenShift at the time of writing has only Python 3.2 or Python 2, so a simple 17-line Python script is needed.)

gear stop
mkdir -p /tmp/http/.well-known/acme-challenge
cd /tmp/http
python2 &

Go to the data directory as a good place to store the certificates and let simp_le work its magic

cd ~/app-root/data/
simp_le --email -f account_key.json   -f fullchain.pem -f key.pem   -d --default_root /tmp/http 

Assuming no errors, stop the python2 webserver, restart the application/gear and exit out of the OpenShift server

killall python2
gear start

The uploading of the certificates and keys must be done outside of the application, so from your local machine - grab a copy and then upload them (yes scp is the wrong way around - RTFM)

rhc scp -a https download ./ ./app-root/data/fullchain.pem
rhc scp -a https download ./ ./app-root/data/key.pem
rhc alias update-cert https --certificate fullchain.pem --private-key key.pem

Show some love at

I’ve also posted this on hXXp://
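
The post mentions a short Python 2 web server script, but its name and contents are missing from the `python2 &` step. The following is an added example, not the original poster's script: a small server that binds to the gear's IP and port and answers only requests for ACME challenge tokens under the `/tmp/http` webroot created above. The names `make_server`, `ChallengeHandler`, `PREFIX` and `TOKEN_RE` belong to this example, and restricting the server to the challenge path is this example's choice rather than something the post states.

```python
"""Serve only ACME HTTP-01 challenge files (runs on Python 2 and 3)."""
import os
import re

try:  # Python 3
    from http.server import BaseHTTPRequestHandler, HTTPServer
except ImportError:  # Python 2
    from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer

PREFIX = "/.well-known/acme-challenge/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+\Z")  # base64url alphabet used for tokens


def make_server(ip, port, root):
    """Build a server that answers GET <PREFIX><token> from <root>, nothing else."""
    challenge_dir = os.path.join(root, PREFIX.strip("/"))

    class ChallengeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else ""
            path = os.path.join(challenge_dir, token)
            # Rejecting anything outside the token alphabet blocks "../"
            # traversal, so no other file on the gear is reachable.
            if not TOKEN_RE.match(token) or not os.path.isfile(path):
                self.send_error(404)
                return
            with open(path, "rb") as fh:
                body = fh.read()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, fmt, *args):  # keep the gear's console quiet
            pass

    return HTTPServer((ip, port), ChallengeHandler)


if __name__ == "__main__":
    # Environment variables named in the post; /tmp/http is the post's webroot.
    server = make_server(os.environ["OPENSHIFT_PYTHON_IP"],
                         int(os.environ["OPENSHIFT_PYTHON_PORT"]), "/tmp/http")
    server.serve_forever()
```

Unlike a generic file server started in `/tmp/http`, this one returns 404 for every path that is not a single challenge token, so nothing else is exposed while the gear is stopped.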