Recently, we added HTTPS to webstandup.com using LetsEncrypt. This is a list of steps documenting what I needed to do and the problems I encountered.
Please note, that LetsEncrypt is still in beta so these instructions may be outdated at the time of reading. However, the basic concept of this process is that
- you install LetsEncrypt's CertBot on your server. This is basically a program that verifies you own the domain name you want the certificate for by listening to a port on your computer (generally port 80) and then make a call to this domain name.
- Once it verifies the domain name, it’ll generate a certificate for it
- You copy this certificate to your dev machine and then reference it in your MUP configuration
- you run mup setup and mup deploy
Installing CertBot
This is a good guide on how to install CertBot (https://certbot.eff.org/#ubuntutrusty-other) for your web server and OS.
For me, to install CertBot, I ran these commands on the server
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Running CertBot
After installation, you can start CertBot by running
./certbot-auto certonly
CertBot should now load and should give you two options - either webroot or standalone.
I picked standalone. It would actually be nicer if I used the webroot version (and I still might try later on) but I could not get it working with MUP at this time. The difference is standalone creates its own server using port 80 or 443 to do the verification which means you basically need to stop your app for a small period of time when you want to run CertBot to renew your cert (every 3 months). Webroot uses an existing web server which means there’s no down time.
Anyway, after selecting standalone, you’ll be told to enter your domain name. I entered the www version of my address (eg. www.webstandup.com) and then used GoDaddy's forwarding to redirect all root domain (eg. webstandup.com) traffic. See this link for instructions.
Also at this point, you should probably make sure that you have your port 80 and 443 end points open.
If this is successful, the certificates will be successfully created at this location /etc/letsencrypt
Getting the certificate to your local machine
Firstly, you might want to backup your letsencrypt folder for safe keeping. To do that
cd /etc
package the output folder up tar -cvvf letsencrypt_yyyymmdd.tar letsencrypt
On your local box, run the following
scp root@xx.xx.xx.xx:/etc/letsencrypt_yyyymmdd.tar letsencrypt_yyyymmdd.tar
Next you want to go to your cert folder which should exist at /etc/letsencrypt/live/[domainname] and concatenate the cert chains together by running this command
cat fullchain.pem privkey.pem > ssl.pem
Copy the ssl.pem to your local computer, preferably next to your mup.json file - you will be referencing it.
Referencing certificate in your mup.json file
You need to make the following changes to your mup file
Insert the following
"ssl": {
"pem": "./ssl.pem"
},
Your ROOT_URL should now begin with https.
I had to change my Port to 80. I’m not sure why this is. Previously I had Webstandup run off port 3000 privately. I just had my public port 80 traffic routed to private port 3000 and it seemed to be okay but MUP did not seem to like this with SSL.
Anyway, after you’ve made those changes, you should be able to run mup setup and mup deploy.
Turning off site next time you want to run CertBot
So LetsEncrypt certs expire after three months so at minimum you'll need to get new certificates every three months. I haven't actually run the renewal process yet and I'll document it on here once I do but this is the disadvantage of the standalone plugin because every three months, you basically need to shut down your app so that you can run your CertBot server.
To do that with your Meteor app, you need to shut down your meteor app which will be listening to port 80 and you need to shut down Stud - which is MUP's SSL terminator and will be listening to port 443.
To shut down the app, just in your local machine's mup folder, run this
mup stop
To shut down Stud, on your server run the following
sudo stop stud
Remember to run mup setup && mup deploy once you're finished with CertBot.
Renewing certificate
In order to renew the certificate, just need to do the following steps
- load into server
- run ./certbot-auto renew
- run sudo service nginx restart
- (optional) to check if it worked, can always go to the site and check the certificate's due date
Top comments (0)