Free Let’s Encrypt SSL Certificates in Jelastic: Out-of-Box Integration with the Most Popular Software Stacks

February 1, 2017 | HowTo

One of the key issues to deal with when hosting production applications is ensuring their security. The most basic and commonly used approach to secure data exchange is encrypting application traffic with the HTTPS protocol.

Besides that, starting from January 1st, 2017, one of the most popular browsers – Google Chrome – has started marking all web pages that request a password or credit card details and aren’t secured with SSL as non-secure. This change makes the encryption integration even more essential.

However, issuing and configuring a custom SSL certificate for a project can be a rather complicated and time-consuming task. Let’s Encrypt (LE) is a free and open certificate authority that greatly simplifies and automates the integration of trusted SSL certificates.

The general trend of moving the Web to HTTPS implies complete automation of issuing and applying custom SSL certificates. Thus, Jelastic developers have done a great job of combining the Let’s Encrypt service and the Jelastic Packaging Standard (JPS) to implement a solution that removes the need to renew certificates manually.

The key advantage of this solution is its unique out-of-box integration with the most popular load balancer and application server stacks. This makes it possible to secure, free of charge, the majority of existing applications running in Jelastic.

Being provisioned as an add-on, this solution can be easily installed on top of any environment with the following servers as an entry point (the list is constantly extended):

  • Load Balancers – NGINX, Apache LB, HAProxy
  • Java application servers – Tomcat 6/7/8/9, TomEE, GlassFish 3/4, Jetty 6
  • PHP application servers – Apache PHP, NGINX PHP
  • Ruby application servers – Apache Ruby, NGINX Ruby

Support for other stacks will be implemented later – please let us know if you need a particular one so that we can accelerate its integration.

How It Works

During the installation, the add-on downloads and configures the Let’s Encrypt client (the so-called certificate management agent, CMA), requests certificates from the Let’s Encrypt Certificate Authority (CA), applies the issued certificates to the running software stack according to its SSL integration specifics, and adds a special cron job that initiates the certificate update when the expiration date is close.

Domain Control Validation

Upon a certificate issuing request, the Let’s Encrypt CA checks the entry point of the environment on port 443 in order to prove that the given web server controls the specified domains. During this domain validation process, all incoming HTTPS traffic is internally routed to the custom port 9999, where the corresponding CMA runs. Thus, a brief 2-second drop in HTTPS traffic processing can occur during this verification procedure. At the same time, all HTTP traffic, received on port 80 by default, continues to be processed without any interruption.

In case a layer contains several same-type nodes, during the update period all incoming HTTPS traffic is additionally routed to the master node, where the CMA runs. This is achieved by setting special temporary DNAT routing rules so that the domain validation request can be handled by the CMA.

Since such redirection is required only during domain validation, these special DNAT settings are removed right after the hostname correspondence is confirmed.

After successful domain validation, the CMA gets the ability to request, renew and revoke SSL certificates for the specified domains, so it automatically generates the appropriate SSL key pair. The issued certificates are then propagated to all nodes within the entry point layer via the Jelastic API, so the application is properly configured for further work over HTTPS.

Despite the long description, all of these operations are handled just in a matter of minutes. Now, let’s find out how to actually initiate the Let’s Encrypt add-on installation.

Let’s Encrypt SSL Add-On Installation

To get an SSL certificate for the environment hostname, perform the following:

1. Log into the Jelastic dashboard and click Import at the top tools pane.

2. Switch to the URL tab within the opened frame and specify the link to the following manifest.jps file from the appropriate add-on repository:

https://github.com/jelastic-jps/lets-encrypt/blob/master/manifest.jps

Click Import to proceed.

3. After the required data is fetched, you’ll see the Let’s Encrypt SSL add-on installation window.

Here, you can choose between two options:

  • Internal Domain – creates dummy (invalid) SSL certificates for the environment internal URL (env_name.{hoster_domain}) to be used for testing purposes
  • Custom Domain – issues a valid SSL certificate for the environment with previously attached external domains; to declare multiple domains, separate them with a space, comma or semicolon

Note that the specified custom domains should be bound to the environment beforehand, via either a CNAME or an A record. Otherwise, the LE service will be installed but the encryption won’t work due to the failed domain verification.

Then, select the target environment from the corresponding Environment name list (whilst leaving the automatically chosen Nodes value unchanged) and click Install to start adding SSL.

Note that the add-on requires a Public IP address to work properly. So, in case the environment entry point does not have one, it will be automatically attached during installation (be aware that Public IP is a paid option – the cost can be found within the Quotas & Pricing frame).

4. The installation process may take up to several minutes to validate domain name ownership, have the certificates issued by Let’s Encrypt and apply them.

When finished, you can access the environment Settings > Custom SSL section to check that HTTPS support is active and find the certificate expiration date.

5. You can also make sure everything works as intended by opening the application over HTTPS:

As you can see, the environment is accessible and the established connection is secure and browser-trusted.
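The domain binding requirement from step 3 can be checked before installation. The following is an added example, not part of the add-on or the original article: it splits a domain list on the separators the add-on accepts and reports which names resolve to the entry point's Public IP. It assumes bound domains should resolve to that IP; the names, addresses and `sample_resolver` are constructed for illustration.

```python
import re
import socket

# Constructed sample data: documentation-range IPs and example.com names.
SAMPLE_DNS = {
    "shop.example.com": {"203.0.113.10"},
    "www.example.com": {"203.0.113.10", "198.51.100.7"},
    "old.example.com": {"198.51.100.7"},
}

def sample_resolver(name):
    """Offline stand-in for DNS that answers from SAMPLE_DNS."""
    if name not in SAMPLE_DNS:
        raise socket.gaierror("no such host (constructed)")
    return SAMPLE_DNS[name]

def system_resolver(name):
    """Resolve to IPv4 addresses; the resolver follows CNAME chains."""
    infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def split_domains(raw):
    """Split the domain field on space, comma or semicolon separators."""
    return [d.lower().rstrip(".") for d in re.split(r"[ ,;]+", raw.strip()) if d]

def preflight(raw_domains, public_ip, resolve=system_resolver):
    """Map each domain to ok / partial / mismatch / unresolved."""
    report = {}
    for domain in split_domains(raw_domains):
        try:
            addrs = set(resolve(domain))
        except socket.gaierror:
            report[domain] = "unresolved"   # no CNAME or A record yet
            continue
        if addrs == {public_ip}:
            report[domain] = "ok"
        elif public_ip in addrs:
            report[domain] = "partial"      # some records point elsewhere
        else:
            report[domain] = "mismatch"     # bound to a different host
    return report

if __name__ == "__main__":
    field = "shop.example.com, www.example.com;old.example.com new.example.com"
    for name, state in preflight(field, "203.0.113.10", sample_resolver).items():
        print(f"{name}: {state}")
```

Any result other than `ok` means domain validation may fail for that name; call `preflight` without the third argument to query real DNS.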

Let’s Encrypt Certificates Update

The assigned certificates will remain valid for 90 days (the expiration date can be seen within the environment Settings > Custom SSL section, as shown above). The system will check the expiration once per day and initiate the renewal 30 days before that (namely, the update process will be run at 3 AM by a special cron job). You’ll be notified about this via email. This way, the application encryption will stay valid permanently without any system administrator involvement.

In case your application is running on a Jelastic Platform version earlier than 4.9.5, you’ll need to initiate the certificates update manually with a single button click upon receiving the appropriate email notification.

Also, this operation can be performed manually at any time. For that, click Add-ons next to the corresponding compute or load balancer node.

Next, select the Update button for the Let’s Encrypt SSL add-on in the opened tab and confirm this action in the pop-up that appears.
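The renewal schedule above (90-day validity, renewal 30 days before expiry) can be monitored from outside the platform. This added example is not part of the add-on or the original article: it reads the served certificate's notAfter date and flags a certificate that should already have been renewed. The 2-day grace period and the dates in the demo are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_BEFORE = timedelta(days=30)  # renewal window stated in the article
GRACE = timedelta(days=2)          # assumption: slack for the daily cron check

def parse_not_after(value):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' form returned by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def fetch_not_after(host, port=443, timeout=5.0):
    """Return the expiry time of the certificate served at host:port."""
    ctx = ssl.create_default_context()  # also verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def renewal_status(not_after, now):
    """Classify a certificate as ok, renewal-overdue or expired."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining < RENEW_BEFORE - GRACE:
        # Inside the renewal window for longer than the grace period:
        # the automatic update did not run or did not succeed.
        return "renewal-overdue"
    return "ok"

if __name__ == "__main__":
    # Constructed dates; use fetch_not_after("your.domain") against a live site.
    expiry = parse_not_after("May  2 00:00:00 2017 GMT")
    for day in ("2017-02-01", "2017-04-10", "2017-05-03"):
        now = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc)
        print(day, renewal_status(expiry, now))
```

A `renewal-overdue` result is the signal to run the manual update and check why the scheduled one did not complete.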

Let’s Encrypt SSL Add-On Removal

If necessary, the Let’s Encrypt SSL add-on can be easily removed from the environment. To do this, navigate to the Add-ons tab by clicking the same-named button next to the compute (load balancer) node in the corresponding environment.

Within the Let’s Encrypt SSL plank, expand the options list in the top-right corner and select Uninstall. After confirmation, the add-on will be removed and the attached certificates will be deactivated.

Tip: In case you need to redefine the environment domain names the SSL certificate is issued for, simply reinstall the add-on with new parameters (i.e. no preliminary removal is needed). Specifying the same domains will simply cause the certificates to be renewed.

That’s it! Now you know how to install and manage the Let’s Encrypt add-on for automatic custom SSL configuration of your environment, so you can protect almost any application in no time, completely for free and with hardly any effort.
