LetsEncrypt certs on OpenShift using acme-tiny

Update (17 June 2016): The API for OpenShift has changed and what is described here no longer works and I’ve been unable to figure out how to make it work.

Update (19 July 2016): The API shown below is working again, sometime between the last update and this one things must have changed again with OpenShift.

LetsEncrypt is a new certificate authority that issues free certificates that can be used to offer HTTPS on your website. LetsEncrypt certificates currently have a short lifetime (90 days) and as they are both free and short duration, you are encouraged to automate the issuance and installation of the certs so that your sites never show an expired cert.

OpenShift is RedHat’s Platform-as-a-Service offering that has both free and paid plans and if you are on the bronze plan or above, you can have your custom cert applied to your site. Interestingly enough, the bronze plan still allows 3 small gears to run for free (much like the free plan), so if your application is small enough (like this site) you can still run an HTTPS site for free.

The big gotcha is that for SSL certs on OpenShift, you can’t just drop them in a directory in your gear and point the apache/nginx/whatever web server at the certs and just go. You have to add the certs to your account, either via the web or via their REST api.

The official LetsEncrypt tool is a bit heavy-weight for running on a gear, I’m not even sure if it is possible with all the prerequisites it has, so I’ve chosen to use acme-tiny to implement my solution for LetsEncrypt certs on OpenShift.

Since my code isn’t the prettiest, I’m not going to show it here, but will describe how it works so that you can implement it in your project.

  • Follow the acme-tiny instructions for generating your account key and domain key files, then generate your CSR. I’ve named my CSR files after the short application name in my account (like staging or prod) and included both the official name (like www.example.com) and the rhcloud name (like example-gotmarko.rhcloud.com) so that either will work correctly without browser warnings.
  • Since my gear is running the PHP cartridge, make sure that /.well-known/acme-challenge points to a directory that acme-tiny can write in, I do this by creating a subdirectory $OPENSHIFT_REPO_DIR/.well-known/acme-challenge and linking it back into the directory where the script runs.
  • Script then calls acme-tiny with the account key, domain CSR (based on $OPENSHIFT_APP_NAME) with the challenge dir pointing to the local linked directory, then makes the chained cert like shown in the acme-tiny documentation
  • Backup the keys, CSR, and certs
  • Use the OpenShift REST API to upload the key using curl (where $CERT_FILE is the path to chained cert and $KEY_FILE is the path to the domain.key file):
curl -k -X PUT https://openshift.redhat.com/broker/rest/domains/$OPENSHIFT_NAMESPACE/applications/$OPENSHIFT_APP_NAME/aliases/$ALIAS_NAME --user "<openshift-user>:<openshift-password>" --data-urlencode "ssl_certificate@$CERT_FILE" --data-urlencode "private_key@$KEY_FILE"
  • After first time cert gets installed, you can then add the following to your .htaccess file to force all traffic to be HTTPS except for the /.well-known/acme-challenge path:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
  • Setup a cron job (add the cron cartridge if not already installed) to run daily and skip all but the day you want run like so:
day=$(date '+%d')
if [ $day != 17 ]; then
# run only 1 day per month, specified above

And there you have it, automatically renewing LetsEncrypt certificates on OpenShift (for the PHP cartridge at least).

Wednesday December 30, 2015   ·   Permalink

Running Textpattern on OpenShift

Yes, it is possible to run Textpattern on Red Hat’s OpenShift platform, this weblog is running there right now.

  1. Sign up for an OpenShift account and install the command line tools
  2. Create an application: rhc app create txpblog php-5.4 mysql-5.5 cron-1.4
  3. cd into txpblog
  4. Unpack your version of textpattern and place the textpattern directory, other directories, and php files into the base directory of the project
  5. commit the change to git
  6. push to OpenShfit with a git push
  7. visit txpblog-domain.rhcloud.com/textpattern/setup.php in your browser to do the setup (you’ll need the mysql username, password, and database name from the output of rhc app show to pass the setup test to get to step 2)
  8. edit the config.php file, but use OpenShift env variables for the mysql connection information and the root directory as shown below
  9. commit and push the change to your OpenShift repo
  10. continue with the setup and when it says to remove setup.php (in step 4), remove it from your local git repo (git rm -r textpattern/setup) and then commit and push the change to the OpenShift repo

Here’s what a config.php file running on OpenShift will look like using the environment variables:

$txpcfg['db'] = 'txpblog';
$txpcfg['user'] = getenv('OPENSHIFT_MYSQL_DB_USERNAME');
$txpcfg['pass'] = getenv('OPENSHIFT_MYSQL_DB_PASSWORD');
$txpcfg['host'] = getenv('OPENSHIFT_MYSQL_DB_HOST');
$txpcfg['table_prefix'] = '';
$txpcfg['txpath'] = getenv('OPENSHIFT_HOMEDIR') . '/app-root/runtime/repo/php/textpattern';
$txpcfg['dbcharset'] = 'utf8';

Using the environment variables makes it easier to use the same config file if you want to use the same git repo to be both your staging site for changes and for your production site running on a different gear.

Friday August 14, 2015   ·   Permalink

Woot-Off Helper Greasemonkey Script

I just realized there was another Woot-Off going on today and I’d never mentioned my Woot-Off Helper Greasemonkey script.

Woot-Off Helper does just two simple things to make it easier to follow a Woot-Off from your browser:

  • Reads the size of the bar between the flashing orange lights and places the percentage at the beginning of the page title
  • Reloads the page every 90 seconds

Now you can just keep a tab open with the Woot page and easily glance at what percentage is left. If you switch to the Woot tab before minimizing it, you should be able to catch the item changes too.

You can also find the Woot-Off Helper on userscripts.org

Thursday August 30, 2007   ·   Permalink

Are you a LumberJock?

If you are a LumberJock (or just aspire to be one like I do) then you should visit LumberJocks. LumberJocks is a growing website that gives the registered “Jocks” a place to post descriptions of their projects along with few photos. Other “Jocks” can rate the projects and leave weblog style comments and questions on the projects they visit.

LumberJocks is still under active development and has recently added forums for discussions amongst the members. There’s also a LumberJocks Blog that you can watch for announcements concerning the site.

The whole LumberJocks site is very cleanly styled and well crafted. I’d guessed it was a Rails app even before scrolling to the bottom and seeing the Rails logo. LumberJocks makes very nice use of Ajax and Rails features to make the site a joy to use. I particularly like the float-over picture viewer used on the project pages; no extra windows popping up or back-buttons to contend with when reviewing the project photos.

Monday May 22, 2006   ·   Permalink

Using SMTP AUTH as a client

If your ISP requires you to use SMTP AUTH to connect up to their mailserver for outbound email (as is the case with SBC/Yahoo) the following links will prove helpful:

Luckily for me, the cable provider I have right now seems to do IP address range checking so I can send outbound via their servers as my Sendmail smart host without setting up SMTP AUTH.

Tuesday March 28, 2006   ·   Permalink

Weather Underground Reorganizer Updated

The Weather Underground Reorganizer has been updated to deal with the new front page layout at Weather Underground. The update also includes reorganizing the tropical weather pages.

Updated 2005-10-11: Updated to reflect new radar page layout and now includes the satellite pages.

Updated 2005-12-18: Updated to work with Greasemonkey 0.6.4, still works with older versions of Greasemonkey too.

Updated 2005-12-24: Updated to work with new layout on regional radar page.

Sunday December 25, 2005   ·   Permalink

Greasemonkey: Snopes Header Shrink

Another Greasemonkey script, this one will shrink the header on Snopes.com so that more content is visible on the page. Actually, removes the header is more like it, along with making sure all the rest of the content moves up to the top of the page.


Monday October 10, 2005   ·   Permalink

Greasemonkey Weather Underground Reorganizer

Greasemonkey rocks!

My first public Greasemonkey user script is a Weather Underground Reorganizer.

It was based upon Matthew Gray’s user script that moved the forecast contents above the header and sidebar.

My version includes Matthew’s re-org and adds a similar re-org on the local and regional radar pages. It also adds direct links to the animated local and regional radar pages where appropriate on the forecast and local radar pages.

I’ve not added any ad blocking to the script, adblock probably would do a fine job on the ads. Weather Underground asks just $5 per year to be ad-free and they give you access to daytime animated radar data as part of the deal, so I’ve been a subscriber for years now.

I hope this script will work for others, and welcome feedback on it. My email address is over in the right side bar.

Saturday April 30, 2005   ·   Permalink

Google Sightseeing: NASCAR Tracks

After seeing the fun posts on the Google Sightseeing pages, I decided to check and see just how many of the race tracks that NASCAR uses I could find. Here’s my list:

If I’ve gotten anything wrong, or you know the Autodromo location, drop me an email.

Updated 12 Jan 2006: Courtesy of Ryan Van Booven, who was locating the tracks in Google Earth, we now have a location for Autodromo Hermanos Rodriguez. Thanks Ryan!

Thursday April 14, 2005   ·   Permalink

Petteri's Pontifications: Sensor Cleaning

Engadget pointed to a well researched and well written article about how to clean the sensor glass in your digital SLR. Instead of using the expensive Sensor Brush or Pec Pads on a spatula, Petteri researched brushes to try and determine a more cost effective solution. Included in the article are pictures showing the before and after view of the sensor dust on a new Canon, and before and after view of a dusty slide.

Sunday March 27, 2005   ·   Permalink

Older Articles→