SSL Certificates - Lernwerkstatt/site GitHub Wiki

Install Let's Encrypt

brew install letsencrypt

Set Deployment Settings

Turn off the https-only flag in the deployment settings (the ACME challenge below has to be reachable over plain http).

Get the Express server ready

Add this middleware to your Express app. Be sure to add it BEFORE any middleware that redirects http to https, because this endpoint must be http.

// Read the Certbot response from an environment variable; we'll set this later:
const letsEncryptResponse = process.env.CERTBOT_RESPONSE;

// Return the Let's Encrypt certbot response (served over plain http, as text):
app.get('/.well-known/acme-challenge/:content', function(req, res) {
  res.type('text/plain').send(letsEncryptResponse);
});
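The route above answers with the stored string for any path under `/.well-known/acme-challenge/`. As an added example (not the wiki's own code), the handler below only answers for the token certbot actually issued: the Challenge Response string has the form `<token>.<thumbprint>`, and the validator fetches `/.well-known/acme-challenge/<token>`. The `buildAcmeChallengeHandler` and `runHandler` names, and the sample string, are assumptions made up for this example.

```javascript
// Build an Express-style handler for the ACME HTTP-01 challenge.
// keyAuthorization is the "<token>.<thumbprint>" string certbot displays
// (the wiki stores it in process.env.CERTBOT_RESPONSE).
function buildAcmeChallengeHandler(keyAuthorization) {
  const value = typeof keyAuthorization === 'string' ? keyAuthorization : '';
  const dot = value.indexOf('.');
  // The token is the part before the first dot; null if the var is unset/malformed.
  const token = dot > 0 ? value.slice(0, dot) : null;

  return function acmeChallenge(req, res) {
    // Only the exact token certbot issued gets an answer; anything else is a 404,
    // so a stale or mis-set CERTBOT_RESPONSE is noticed instead of silently served.
    if (token === null || req.params.content !== token) {
      res.status(404).type('text/plain').send('Not Found');
      return;
    }
    res.status(200).type('text/plain').send(value);
  };
}

// Minimal stand-ins for Express req/res so the handler can be exercised
// without starting a server. Returns what the client would observe.
function runHandler(handler, requestedContent) {
  const result = { status: 200, contentType: null, body: null };
  const res = {
    status(code) { result.status = code; return this; },
    type(t) { result.contentType = t; return this; },
    send(body) { result.body = body; return this; },
  };
  handler({ params: { content: requestedContent } }, res);
  return result;
}

// Constructed sample value, not a real challenge:
const SAMPLE_KEY_AUTH = 'tokenAbc123.thumbprintXyz789';

// Wiring into the wiki's route would be:
// app.get('/.well-known/acme-challenge/:content',
//         buildAcmeChallengeHandler(process.env.CERTBOT_RESPONSE));
```

With this handler the check in step 8 below must use the token part of the string (the text before the dot) as the last path segment rather than an arbitrary word.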

Create the certificate files using certbot

  1. Start certbot: sudo certbot certonly --manual
  2. Enter the site URL when prompted (die-lernwerkstatt.org)
  3. certbot will display a Challenge Response string in the format: xxxxxxxxxxxxxxxxxxx.yyyyyyyyyyyyyyyyyy
  4. LEAVE CERTBOT WAITING IN THIS STATE. Do not press enter yet or exit.
  5. Go to the deployment dashboard and view app settings: under Settings/Configuration see 'Application Settings'
  6. Create/Edit the CERTBOT_RESPONSE var's value to match the Challenge Response string from step 3.
  7. Wait for the app to restart.
  8. Test the setting by visiting http://die-lernwerkstatt.org/.well-known/acme-challenge/whatever NOTE THE HTTP, NOT HTTPS
  9. It should display the Challenge Response string. If this happens, go on to the next step. If not, do whatever it takes to get that URL to return the CR string before proceeding, or you will need to repeat this entire process.
  10. Return to Certbot and press Enter to continue.
  11. If all goes as planned, certbot will tell you everything worked and display the location of the created certs. You'll use this location in the next step. Note that you might not be able to inspect the contents of the folder due to OS permissions. If in doubt, sudo ls /etc/letsencrypt/live/www.example.com to see if the files exist.

Convert

Convert .pem to .pfx with openssl:

sudo openssl pkcs12 -inkey /etc/letsencrypt/live/www.die-lernwerkstatt.org/privkey.pem -in /etc/letsencrypt/live/www.die-lernwerkstatt.org/fullchain.pem -export -out ~/Documents/www-cert.pfx
sudo openssl pkcs12 -inkey /etc/letsencrypt/live/die-lernwerkstatt.org/privkey.pem -in /etc/letsencrypt/live/die-lernwerkstatt.org/fullchain.pem -export -out ~/Documents/cert.pfx

Upload

  1. Upload the certificates under TLS/SSL Settings/Private Key Certificates/Upload
  2. Adjust Bindings to point to the new certificates
  3. Note that this whole process should be done twice: for a version with www and without

Reset Deployment Settings

Turn the https-only flag back on in the deployment settings.
