Guide: Setting up LetsEncrypt SSL on Galaxy


#1

Here are my steps to getting LetsEncrypt set up on Galaxy:

If you already have your certs:

  • in Galaxy>YourApp>Settings just use your privkey.pem and fullchain.pem

If you don’t have your certs:

  • On your dev box run: git clone https://github.com/letsencrypt/letsencrypt
  • cd letsencrypt
  • ./letsencrypt-auto --manual certonly
  • enter your xxx.mysitename.com
  • leave this terminal open and open a new one
  • Switch your ROOT_URL to have http in your prod settings file
  • remove the force-ssl package if you have it
  • Add a file to your meteor_dir/public/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL and add in the contents that they tell you to
  • deploy to Galaxy
  • make sure that xxx.mysitename.com/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL downloads that file.
  • press enter on the letsencrypt terminal
  • Now we need to look at the certs but they are owned by root, so run sudo -i
  • cd /etc/letsencrypt/archive/sitename.com
  • cp ./* /some_other_directory
  • exit to get out of the sudo -i
  • cd to that directory
  • sudo chown -R username:username ./*
  • In Galaxy>YourApp>Settings just use your privkey.pem and fullchain.pem
  • Switch your ROOT_URL to have https and add the force-ssl package
  • Deploy to Galaxy again
  • Go to the site and check that https is green in your browser’

Let me know if this works out for you! Cheers


Let's Encrypt support in Galaxy?
Galaxy - webrtc project and pricing?
Meteor Galaxy Pricing?
#3

Wow, what a long list of steps.

A big part of what makes Letsencrypt awesome is the ability to control it from the terminal. That means it should be possible to automate a lot of it. So what if this was as easy as meteor add letsencrypt? What would be necessary to make that happen?


#4

How good would that be!!


#5

Looks like someone made this for node.js: https://github.com/DylanPiercey/auto-sni. Since it works by creating a server I don’t think we’ll be able to just plug it into Meteor, but someone with more experience on this topic than I can probably figure out how to extract the useful parts and make it pluggable.

Right, @energistic?

:slight_smile:


#6

Challenges

  • there isn’t an API (that I know of) to add ssl credentials to galaxy
  • needs to run as sudo
  • shell scripting sucks haha
  • script needs to deploy your app which can have a lot of options
  • Galaxy is a closed-source service which generates revenue, so MDG has a business incentive to implement it - so ask them for this feature :grin:

#7

Just build it for all Meteor apps! I’m sure MDG will get around to implementing something like this eventually but no reason to wait for or depend on them. :slight_smile:


#8

This is an interesting conversation but I have question for the Galaxy team:

Galaxy is hosted on AWS right? And according to AWS certs are free via their certificate manager for apps running on their platform… so how come SSL is not just part of the Galaxy offering?

If I am understanding this correctly it should be a no-brainer free perk included with hosting any app on Galaxy.

Or am I missing something… some small print legal disclaimer somewhere for example.

AWS Certificate Manager Pricing
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.


#9

Hey! Thank you!
Native support of SSL would be awesome, :smile:


#10

Either AWS or making letsEncrypt SSL a simple checkbox would be a VERY nice addition to Galaxy. And it isn’t a big project for galaxy to add one or the other… but would save your average joe a day of research and implementation.


#11

Looks like automated LetsEncrypt is on the roadmap!

Announced here: MDG’s plans and priorities


#13

I am trying to follow these steps. Issue i am facing is that .well_known directory is hidden and is ignored by meteor even when its in public folder. Did you face the same issue ?


#14

Try putting another file in your public directory and navigating to that URL to make sure nothing else is going wrong.


#15

Thanks for the list!

What do you mean by “dev box”, could this just be my local environment?

If I’m running this on mac osx where would I run the ‘git clone’ command? The ‘server’ directory within my project folder? Would there be a problem with installing it globally?

Thanks for your attention.


#16

Yes, just your local environment (where you do you development :wink:).

You would do the git clone anywhere but in your project directory.

Not sure what installing it globally means in this context. Just try and see if it works.


#17

Got it. When I tried executing the letsencrypt-auto script I got this message:

WARNING: Mac OS X support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

I’m not familiar enough with bash scripts and the risks they pose to feel confident proceeding after that message. What’s the worst that could happen (not a rhetorical question :slight_smile:)?

I realize this might be getting off topic, but any light you can shed on the situation is appreciated.


#18

It may create a black hole. Known to happen.
/sarcasm

Running the --manual flag (which we do) is probably not what they are warning about. It’s the apache auto-config if anything, which we are not doing. So go ahead and do it.


#19

There are a lot of steps here, but it’s all I’ve been able to find regarding setting up LetsEncrypt on Galaxy. I was wondering if someone could better explain these steps:

I assume we are putting some sort of file that certifies the Galaxy server with LetsEncrypt?


#20

yes, adding a ‘response’ file for lets encrypt spider / browser to consume. Similar to google verification etc.

the file is generated by the lets encrypt and you view it on the CLI on your dev machine
they actually give u a bash script to write the file using printf “%s”

ALSO, these 6 commands can be easier (3)

so run sudo -i
cd /etc/letsencrypt/archive/sitename.com
cp ./* /some_other_directory
exit to get out of the sudo -i
cd to that directory
sudo chown -R username:username ./*

instead

cd meteor_app/settings (or other non version controlled folder)
sudo cp /etc/letsencrypt/live/sitename.com/privkey.pem .
sudo cp /etc/letsencrypt/live/sitename.com/fullchain.pem .

no need to change ownership


#21

Any one knows how to renew letsencrypt certificate for galaxy? Have I to do all the steps as if it was created for the first time??

Thanks


#22

I did all the steps again.