Protecting custom domains with HTTPS and custom SSL certificates

By default, every application deployed on anynines is accessible via a subdomain of a9sapp.eu, both over plain HTTP and over SSL-protected HTTPS.
However, in most cases applications should be accessible via a custom domain and, of course, this should also be possible via HTTP and HTTPS.

Anynines is based on Cloud Foundry, an open source PaaS. Hence it is pretty easy to import your own domains and point them to your application using functionality provided by Cloud Foundry. The anynines team has added the missing link: support for custom SSL certificates to protect your custom domains.

Running your applications on anynines gives you the possibility to set up an SSL certificate for your custom domains.

This blogpost guides you through the process of mapping your domain to an application running on anynines, obtaining an SSL certificate and importing it, so that your application is available through the secure HTTPS protocol.

For hasty readers:

That's it! The certificate is ready to be used with your application(s).

Keep on reading to figure out how to set up your domains for applications and how to obtain certificates as well as the key mentioned above.

1. Prerequisites

To follow this tutorial you need access to the DNS settings of your domain. This is the case if you have ordered the domain yourself and have access to the customer panel of your domain provider.

Furthermore, this is a tutorial about setting up your domain and SSL certificate, so you should already be able to deploy an application to anynines. You can refer to this tutorial on how to get your application running on anynines. In case you have trouble running your application on anynines, don’t hesitate to contact us and our DevOps team will be by your side.

You can reach us via these channels: @anynines, IRC, support.anynines.com.

2. Make your domain available inside of anynines

When pushing an application to anynines the cf command asks you to specify a domain and a subdomain. Together these two form the URL under which the application can be reached. By default only de.a9sapp.eu is available as a domain.

This step explains how to add your own domain, enabling you to map the domain along with all its subdomains to any anynines hosted application you have access to.

a) First you have to point the domain to the anynines servers. To do this, log in to the domain provider's customer panel and locate the DNS settings for this domain. Once you have found them, set up an A-record for this domain. An A-record represents the address of the server the domain should resolve to. This means that whenever your domain is requested through a web browser, the public DNS translates the domain to the IP address of the server where the request will arrive.

In our case this should be the anynines clustered load balancer, whose IP address is 5.22.148.134. This is the IP your domain has to point to.

If you want every subdomain to resolve as well, and not just the domain itself, you also have to set up a wildcard DNS A-record pointing to the same IP address.

[Image: a-records]

The picture above shows what these settings could look like. There is a wildcard DNS A-record (*) and a standard DNS A-record (@).

Note: After updating this setting it can take up to 24 hours before the changes take effect.

b) Next you have to map the domain to an organization and space. In this space the domain will be available for assigning routes (domain + subdomain) to an application. Assuming your cf command targets anynines and you are logged in, you can change the organization and space like this:

cf target -o [organization name] -s [space-name]

after that you just type:

cf map-domain [example.com]

and the domain is mapped to your space. You can verify this by executing cf domains; your domain should appear in the printed list.

3. Add a route to assign your domain or subdomain to your application

This step is quite easy. In case you want to push a new application you will be asked for the domain/subdomain. The imported domain from step two will appear in the domain list, ready to be selected.

In case you want to map a route to an existing application just execute:

cf map [appname]

and in this case as well you will be asked for a domain and subdomain.

Note: In both cases you can leave the subdomain blank and your application will be available by the root domain itself.

4. Create a certificate signing request (CSR)

In this step you will generate a certificate signing request (CSR) which you can then submit to a certificate provider of your choice in order to obtain a signed certificate.

As you may know, SSL relies on asymmetric cryptography, which means the communication partners use public and private keys to secure the communication between them. A CSR contains all the information a certificate provider needs to issue a signed certificate. This information includes a public key, which is derived from a private key.

So, first let’s generate your private key using the openssl command line tool.

a) Install openssl

To install openssl on your system, execute brew install openssl if you are using Mac OS X with Homebrew.

Type apt-get install openssl for Ubuntu.

b) Generate a private key by executing:

openssl genrsa -out server.key 2048

Now you should see a file in your working directory named server.key containing the private key.

c) Using the private key you can now generate the CSR, which contains the corresponding public key. In order to do this just type:

openssl req -new -key server.key -out server.csr

After executing this command you will be asked for some information that will also be part of the CSR:

[Image: generating the CSR]

Most of these fields are self-explanatory except the “Common Name”, which needs a bit more explanation. This field specifies the domain that will be secured by the certificate. In the example above the domain is prefixed with an asterisk followed by a dot. This means you are requesting a wildcard certificate.

This wildcard certificate can be used to secure the root domain (e.g. any9app.com) and additionally all subdomains such as www.any9app.com or blog.any9app.com.

If you don’t use the “*.” prefix you are requesting a standard certificate, which can only secure the root domain itself or the particular subdomain you have specified as the Common Name.

After entering all information you should see the CSR as a file in your working directory.

5. Get a signed certificate

Once you have the CSR file you are able to get a signed certificate. One option is to generate a self-signed certificate from the CSR. That means you vouch for the correctness of the information in the CSR yourself. This is quite simple. Just execute another openssl command:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

After that you will find the certificate in your working directory.

Be aware: this method has a drawback.

Browsers won’t trust a self-signed certificate and will display a warning to users visiting your web application.

A self-signed certificate can be appropriate for a staging environment, but it is not recommended for production.

To get rid of this warning you have to request a certificate signed by a trusted certificate authority (CA), such as GeoTrust. To do so, submit the CSR to the certificate provider of your choice; they will then validate the data you specified in the CSR, for example by sending a confirmation token to “admin@example.com” to make sure you are the owner of the domain.

6. Get the CA certificate

Usually the certificate provider of your choice (the certificate authority) provides you with a “CA certificate” to verify the authenticity of the certificate provider itself. The CA certificate is actually a certificate chain, also referred to as a “chain of trust”. In this chain each certificate is verified by the next certificate up the chain, until a root certificate is reached. In any case, all you need to know is that you can download the CA certificate from your certificate provider's website.

Note: some providers deliver the CA certificate and the certificate for your domain bundled in a single file.
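The openssl workflow of steps 4, 5 and 6, as an added example that is not part of the original post: it generates the key and a wildcard CSR for the constructed domain any9app.com, produces both a self-signed certificate and one issued by a throw-away demo CA (standing in for a real provider such as GeoTrust), and then checks that key and certificate belong together, that the Common Name is the wildcard, and that only the CA-signed certificate verifies against its CA certificate. The working directory, file names and the demo CA are assumptions of this example.

```shell
#!/bin/sh
# Added example (not anynines' own tooling): steps 4 to 6 of the post for the
# constructed domain any9app.com, plus the checks to run before uploading.
set -eu
DOMAIN="any9app.com"                      # sample domain from the post
W="${TMPDIR:-/tmp}/a9s-cert-demo"; mkdir -p "$W"

# Step 4: private key and a wildcard CSR. -subj answers the interactive
# questions; the Common Name "*.any9app.com" makes it a wildcard request.
gen_key_and_csr() {
  openssl genrsa -out "$W/server.key" 2048 2>/dev/null
  openssl req -new -key "$W/server.key" -out "$W/server.csr" \
    -subj "/C=DE/O=anynines demo/CN=*.$DOMAIN"
}
# Step 5, variant 1: self-signed certificate (acceptable for staging).
self_sign() {
  openssl x509 -req -days 365 -in "$W/server.csr" \
    -signkey "$W/server.key" -out "$W/selfsigned.crt" 2>/dev/null
}
# Step 5, variant 2, plus step 6: a throw-away CA stands in for the provider.
# It signs the CSR; its ca.crt plays the role of the "CA certificate".
ca_sign() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=Demo CA" \
    -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
  openssl x509 -req -days 365 -in "$W/server.csr" -CA "$W/ca.crt" \
    -CAkey "$W/ca.key" -CAcreateserial -out "$W/server.crt" 2>/dev/null
}
# Common Name of a certificate ("/CN=" and "CN = " output styles both handled).
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
# "match" when the certificate carries the public key belonging to server.key.
key_matches() {
  k=$(openssl rsa -noout -modulus -in "$W/server.key" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  [ "$k" = "$c" ] && echo match || echo mismatch
}
# "trusted" only if a chain up to the given CA file can be built; the
# self-signed certificate fails here for the reason browsers warn about it.
chain_status() {                          # $1 = certificate, $2 = CA file or ""
  if [ -n "$2" ]; then ca="-CAfile $2"; else ca=""; fi
  if openssl verify $ca "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

gen_key_and_csr; self_sign; ca_sign
echo "CN=$(cert_cn "$W/server.crt") key:$(key_matches "$W/server.crt")"
echo "self-signed: $(chain_status "$W/selfsigned.crt" "") CA-signed: $(chain_status "$W/server.crt" "$W/ca.crt")"
```

The same modulus and openssl verify checks apply to the certificate and CA file a real provider returns: run them against those files before pasting their contents into the customer panel.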

7. Set up the certificate for your domain

Once you have the files containing the private key from step four, the signed certificate from step five and the CA certificate from step six, you are finally ready to set up your certificate on anynines, and this is quite simple.

Go to the certificate management in the anynines customer panel or just click here. Use the anynines credentials you received in the welcome mail to authenticate on the customer panel.

Next, copy the whole content of each file above and paste it into the appropriate field:

[Screenshot 2013-09-10 11.30.41: certificate management form]

After clicking the “send” button the secured domain appears in the list as you see below:

[Screenshot 2013-09-10 11.47.37: list of secured domains]

All domains in this list will be reachable via HTTP and HTTPS. If there is an asterisk at the beginning of the domain name, you can map any subdomain to an application and it is also reachable via HTTPS. The domain name “any9app.com” in parentheses indicates that the root domain itself is also secured with this certificate.

8. Too complicated?

If you struggle with this, think it is too complicated and wish to get it done automatically, please send us a feature request. We’ll count the requests and prioritize the feature according to your upvotes.
