Add SSL Certificate to OpenShift App With Custom Domain

As you may have read in one of my previous posts, I recently switched to OpenShift for hosting carts. When hosting websites I prefer, and ask people, to use SSL certificates, but how do you add those in OpenShift?

Add id_rsa.pub to OpenShift

First of all you need to authorize your own laptop / PC with the OpenShift application. I’m using ArchLinux, so this might be slightly different for your own distro or OS. Learn more about SSH keys here: https://www.openshift.com/developers/remote-access#keys

  • Open terminal on ArchLinux
  • Create an SSH key pair (it will be created in your home folder):
ssh-keygen -t rsa
  • Copy the output of id_rsa.pub (see example here):
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAgEAwrr66r8n6B8Y0zMF3dOpXEapIQD9DiYQ6D6/
39jSkHNiMMER/GETBbzP83LOcekm02aRjo55ArO7gPPVvCXbrirJu9pkm4AC4BBr
7soyzwbigFruM8G63jSXqpHqJ/ooi168sKMC2b0Ncsi+JlTfNYlDXJVLKEeZgZOI
isaDTUQWTIv1snAizf4iIYENuAkGYGNCL77u5Y5VOu5eQipvFajTnps9QvUx/zdS
sulWM3Bxc/S4IJ67JWHVRpfJxGi3hinRBH8WQdXuUwdJJTiJHKPyYrrM7Q6Xq4TO
LDC6u3BXM1L0gBvHPNOnD5l2Lp5EjUkQ9CBf2j4A4gfH+iWQZyk08esAG/iwArAV
+dkbMWOXL8BN4x5zYgdzoeypQZZ2RKH780MCTSo4WQ19DP8pw+9q3bSFC9H3xYAx
jeTUJOTrTe+mWXXU770gYyQTxa2ycnYrlZucn1S3vsvn6eq7NZZ8NRbyv1n15Ocg
uKOrwPhU3NbKQwtjb0Wsxx1gAmQqIOLTpAdsrAauPxC7TPYA5qQVCphvimKuhQM/
5JrnjspVlthCzuFYUjXOKC3wxz6FFEtwnXu3uC5bVVkmkNadJmD21gD23yk4BraG
IB+X+OTUUI8= [email protected]
  • Now login to the OpenShift website
  • Open SETTINGS
  • Click add a new key
  • Paste your id_rsa.pub and save

Generate CSR

Now we’re going to generate a CSR, which will be sent to your SSL vendor.

  • Find the SSH address of your OpenShift application (in the console):


  • SSH into your OpenShift application:

Now you’ll see this:

The authenticity of host 'application-server.rhcloud.com (54.227.81.65)' can't be established.
RSA key fingerprint is cf:ee:74:bc:32:32:01:c4:81:01:ea:08:c0:88:65:a7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'application-server.rhcloud.com,54.227.81.65' (RSA) to the list of known hosts.
  • Change directory into app-root
  • Generate private key:
openssl genrsa -des3 -out my_privkey.key 2048
  • Enter a passphrase twice:
Enter pass phrase for my_privkey.key: XXXXXXXXX
Verifying - Enter pass phrase for my_privkey.key: XXXXXXXXX
  • Now generate CSR:
openssl req -new -key my_privkey.key -out cert.csr
  • Answer all these questions:
Enter pass phrase for my_privkey.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:NL
State or Province Name (full name) []:Noord-Holland
Locality Name (eg, city) [Default City]:Amsterdam
Organization Name (eg, company) [Default Company Ltd]:Techswag
Organizational Unit Name (eg, section) []:Administration
Common Name (eg, your name or your server's hostname) []:techswag.nl
Email Address []:[email protected]
  • Copy my_privkey.key and save it somewhere SAFE:
cat my_privkey.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
  • And now the CSR:
cat cert.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

Now you’ll just need to send the CSR to your vendor and wait ;)
Oh, and all the keys above were made up.

Add SSL to OpenShift

This is the tricky part, because each SSL vendor delivers their SSL certificates in their own specific way, but keep one thing in mind: make sure to complete the chain. An SSL certificate without the root CA and the intermediate is NOT going to work. In my case I use Comodo PositiveSSL certificates.

  • Open the received SSL certificate, for example techswag_nl.crt
  • Now open PositiveSSLCA2.crt and paste its content right after the end of techswag_nl.crt
  • The final step is to paste the content of AddTrustExternalCARoot.crt right after where you just ended in techswag_nl.crt

You need to have:

-----BEGIN CERTIFICATE-----
certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root CA
-----END CERTIFICATE-----
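Doing the copy-and-paste above by hand is error-prone, and a chain in the wrong order or with a block missing fails silently until a browser complains. The script below is an added example, not code from the original post: it concatenates the three files in the required order, checks the structure of the result, and (where openssl is installed) verifies that your certificate really chains up to the root through the intermediate. The file names techswag_nl.crt, PositiveSSLCA2.crt and AddTrustExternalCARoot.crt are the ones from the post; chained.crt and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): assemble the chained certificate
# file in the order OpenShift needs (your certificate, then the intermediate,
# then the root CA) and check the result before uploading it.
set -eu

# Number of PEM certificate blocks in a file (0 if none).
# The "--" is needed because the pattern itself starts with dashes.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the N-th PEM certificate block of a file, BEGIN and END lines included.
nth_block() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ }
                   i == n { print }
                   /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# build_chain LEAF INTER ROOT OUT: concatenate in that order. Each input must
# hold exactly one certificate, otherwise the order we rely on is not guaranteed.
build_chain() {
    leaf=$1; inter=$2; root=$3; out=$4
    for f in "$leaf" "$inter" "$root"; do
        [ "$(count_certs "$f")" -eq 1 ] || { echo "expected exactly one certificate in $f" >&2; return 1; }
    done
    # The echo after each file guarantees a line break even when a vendor file
    # lacks a trailing newline; empty lines are dropped again afterwards.
    { cat "$leaf"; echo; cat "$inter"; echo; cat "$root"; echo; } | grep -v '^$' > "$out"
}

# check_chain_order OUT LEAF INTER ROOT: structural check that OUT holds three
# blocks and that they are the leaf, intermediate and root, in that order.
check_chain_order() {
    out=$1; shift
    [ "$(count_certs "$out")" -eq 3 ] || { echo "bundle must hold 3 certificates" >&2; return 1; }
    n=1
    for f in "$@"; do
        [ "$(nth_block "$out" "$n")" = "$(nth_block "$f" 1)" ] || { echo "block $n of $out is not $f" >&2; return 1; }
        n=$((n + 1))
    done
}

# verify_chain LEAF INTER ROOT: the cryptographic check a browser performs,
# done with openssl. If this fails, the chain is incomplete or mismatched.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Usage (names from the post):
#   sh chain.sh techswag_nl.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt
if [ "$#" -eq 3 ]; then
    build_chain "$1" "$2" "$3" chained.crt
    check_chain_order chained.crt "$1" "$2" "$3"
    verify_chain "$1" "$2" "$3"
    echo "chained.crt is ready to upload"
fi
```

The structural check only proves the blocks are in the right order; verify_chain is the check that matters, because it fails exactly when the intermediate or root is missing or belongs to a different CA.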

Attach the certificate and private key in OpenShift:



Redirect HTTP to HTTPS

After adding an SSL certificate the website will be reachable on https://url.com, but also still on http://url.com, which is not what you want. You’ll now just need to place a file .htaccess in the folder of your OpenShift application with the following content:

RewriteEngine on

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]

Important

Be sure to have no URLs to external content over plain HTTP, like fonts, the Twitter API, JS, widgets and CSS. Otherwise you’ll get messages like these in Firefox and Internet Explorer (or any other browser). This is because you’re serving mixed content: some of it is encrypted and some is not.


Strong SSL

In the above example I’ve requested a 2048-bit key. If you need stronger encryption it’s better to use 4096 bits, in which case your request would look something like

openssl genrsa -des3 -out my_privkey.key 4096

Depending on which browser or application you use (and which cipher suites are allowed and in what order) you may notice something like this:


It might even be possible to use elliptic curve cryptography (ECC) on OpenShift, and with it ECDHE key exchange, which gives so-called forward secrecy. Consider the goal of your website: is a key exchange like ECDH the right one for your approach and needs? Many (older) applications and browsers don’t support it.

Check what curves/fields are supported:

openssl ecparam -list_curves

  secp384r1 : NIST/SECG curve over a 384 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

Then create a key like this:

HOME=~/app-root/data openssl ecparam -name prime256v1 -out ca-key.pem -genkey

For more information about forward secrecy and the commands check this URL:
http://wiki.openssl.org/index.php/Command_Line_Utilities
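The key and CSR steps from the Generate CSR section, together with the 2048-bit, 4096-bit and prime256v1 choices discussed above, can be scripted so that nothing has to be typed at the openssl prompts and the result can be checked before it goes to the vendor. This is an added example, not the post’s own commands: the subject fields are the post’s example DN and the file names my_privkey.key and cert.csr come from the post, while the function names, the key kinds (rsa2048, rsa4096, ecp256) and the choice to write an unencrypted key protected by file permissions (the post protects it with -des3 and a passphrase instead) are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate a private key and a CSR
# without interactive prompts, for RSA (2048 or 4096 bits) or an EC key on
# prime256v1, then confirm key size and Common Name before sending the CSR.
set -eu

# gen_key KIND OUT -- KIND is rsa2048, rsa4096 or ecp256 (assumed names).
gen_key() {
    kind=$1; out=$2
    case "$kind" in
        rsa2048) openssl genrsa -out "$out" 2048 ;;
        rsa4096) openssl genrsa -out "$out" 4096 ;;
        ecp256)  openssl ecparam -name prime256v1 -genkey -noout -out "$out" ;;
        *) echo "unknown key kind: $kind (use rsa2048, rsa4096 or ecp256)" >&2; return 1 ;;
    esac
    # The key is written unencrypted here (the post uses -des3), so keep it
    # readable by the owner only; anyone holding this file can impersonate the site.
    chmod 600 "$out"
}

# gen_csr KEY CSR -- subject built from the post's example DN, non-interactively.
gen_csr() {
    key=$1; csr=$2
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=NL/ST=Noord-Holland/L=Amsterdam/O=Techswag/OU=Administration/CN=techswag.nl"
}

# key_bits KEY -- report the key size, so you can confirm 2048 vs 4096
# (or 256 for prime256v1). Works with the "(N bit" text of old and new openssl.
key_bits() {
    openssl pkey -in "$1" -noout -text | sed -n '1s/.*(\([0-9]*\) bit.*/\1/p'
}

# csr_cn CSR -- the Common Name the CSR asks for. Check it before sending:
# it must be exactly the custom domain the certificate is for.
# Handles both "CN = x" (openssl >= 1.1) and "/CN=x" (older) subject formats.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: sh mkcsr.sh rsa4096   (or rsa2048 / ecp256)
# Writes my_privkey.key and cert.csr in the current directory.
if [ "$#" -eq 1 ]; then
    gen_key "$1" my_privkey.key
    gen_csr my_privkey.key cert.csr
    openssl req -in cert.csr -noout -verify
    echo "key: $(key_bits my_privkey.key) bit, CSR Common Name: $(csr_cn cert.csr)"
fi
```

The `openssl req -verify` call checks the CSR’s own signature, which proves the CSR was made with the key you are about to keep; the CN check catches the most common reason a vendor rejects a request or issues a certificate for the wrong name.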
