Guide: Setting up LetsEncrypt SSL on Galaxy

Here are my steps to getting LetsEncrypt set up on Galaxy:

If you already have your certs:

  • in Galaxy>YourApp>Settings just use your privkey.pem and fullchain.pem

If you don’t have your certs:

  • On your dev box run: git clone https://github.com/letsencrypt/letsencrypt
  • cd letsencrypt
  • ./letsencrypt-auto --manual certonly
  • enter your xxx.mysitename.com
  • leave this terminal open and open a new one
  • Switch your ROOT_URL to have http in your prod settings file
  • remove the force-ssl package if you have it
  • Add a file to your meteor_dir/public/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL and add in the contents that they tell you to
  • deploy to Galaxy
  • make sure that xxx.mysitename.com/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL downloads that file.
  • press enter on the letsencrypt terminal
  • Now we need to look at the certs but they are owned by root, so run sudo -i
  • cd /etc/letsencrypt/archive/sitename.com
  • cp ./* /some_other_directory
  • exit to get out of the sudo -i
  • cd to that directory
  • sudo chown -R username:username ./*
  • In Galaxy>YourApp>Settings just use your privkey.pem and fullchain.pem
  • Switch your ROOT_URL to have https and add the force-ssl package
  • Deploy to Galaxy again
  • Go to the site and check that https is green in your browser

Let me know if this works out for you! Cheers

35 Likes
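The challenge-file steps above (create the file under public/.well-known/acme-challenge/, deploy, check it downloads over plain http) as two POSIX shell functions. This is an added example, not code from the original post: stage_challenge writes the token file and refuses any token that is not plain base64url characters, so a malformed value can never turn into a path outside that directory; verify_challenge fetches the file the way the Let's Encrypt validator will and compares it with what was staged. APP_DIR, HOST, the sample token and the key-authorization string are placeholders you take from the letsencrypt terminal.

```shell
#!/bin/sh
# Added example (not from the thread). APP_DIR, HOST, TOKEN and KEYAUTH are
# assumptions: TOKEN is the long string letsencrypt prints, KEYAUTH is the
# file content it asks you to serve.
set -eu

# stage_challenge APP_DIR TOKEN KEYAUTH
# Writes APP_DIR/public/.well-known/acme-challenge/TOKEN containing KEYAUTH
# and prints the path. ACME tokens are base64url (A-Z a-z 0-9 - _), so any
# other character ("/", ".", spaces) is rejected before it becomes a path.
stage_challenge() {
  app_dir=$1; token=$2; keyauth=$3
  case "$token" in
    ''|*[!A-Za-z0-9_-]*)
      echo "refusing token with unexpected characters: $token" >&2
      return 1 ;;
  esac
  dir="$app_dir/public/.well-known/acme-challenge"
  mkdir -p "$dir"
  # printf '%s' writes the exact bytes with no trailing newline
  printf '%s' "$keyauth" > "$dir/$token"
  echo "$dir/$token"
}

# verify_challenge HOST TOKEN KEYAUTH
# Fetches over plain http, which is what the validator does and why the
# guide switches ROOT_URL to http and drops force-ssl before deploying.
# Needs network access after the deploy; exits 0 only on an exact match.
verify_challenge() {
  host=$1; token=$2; keyauth=$3
  body=$(curl -fsSL "http://$host/.well-known/acme-challenge/$token")
  [ "$body" = "$keyauth" ]
}
```

Run stage_challenge before the Galaxy deploy and verify_challenge after it, then press enter in the letsencrypt terminal; once the cert is issued the file under public/ can be deleted, since the validator only reads it during issuance.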

Wow, what a long list of steps.

A big part of what makes Letsencrypt awesome is the ability to control it from the terminal. That means it should be possible to automate a lot of it. So what if this was as easy as meteor add letsencrypt? What would be necessary to make that happen?

11 Likes

How good would that be!!

1 Like

Looks like someone made this for node.js: https://github.com/DylanPiercey/auto-sni. Since it works by creating a server I don’t think we’ll be able to just plug it into Meteor, but someone with more experience on this topic than I can probably figure out how to extract the useful parts and make it pluggable.

Right, @energistic?

:slight_smile:

Challenges

  • there isn’t an API (that I know of) to add ssl credentials to galaxy
  • needs to run as sudo
  • shell scripting sucks haha
  • script needs to deploy your app which can have a lot of options
  • Galaxy is a closed-source service which generates revenue, so MDG has a business incentive to implement it - so ask them for this feature :grin:

4 Likes

Just build it for all Meteor apps! I’m sure MDG will get around to implementing something like this eventually but no reason to wait for or depend on them. :slight_smile:

This is an interesting conversation but I have question for the Galaxy team:

Galaxy is hosted on AWS right? And according to AWS certs are free via their certificate manager for apps running on their platform… so how come SSL is not just part of the Galaxy offering?

If I am understanding this correctly it should be a no-brainer free perk included with hosting any app on Galaxy.

Or am I missing something… some small print legal disclaimer somewhere for example.

AWS Certificate Manager Pricing
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

4 Likes

Hey! Thank you!
Native support of SSL would be awesome, :smile:

2 Likes

Either AWS or making letsEncrypt SSL a simple checkbox would be a VERY nice addition to Galaxy. And it isn’t a big project for galaxy to add one or the other… but would save your average joe a day of research and implementation.

5 Likes

Looks like automated LetsEncrypt is on the roadmap!

Announced here: MDG’s plans and priorities

3 Likes

I am trying to follow these steps. The issue I am facing is that the .well-known directory is hidden and is ignored by Meteor even when it's in the public folder. Did you face the same issue?

Try putting another file in your public directory and navigating to that URL to make sure nothing else is going wrong.

Thanks for the list!

What do you mean by “dev box”, could this just be my local environment?

If I’m running this on mac osx where would I run the ‘git clone’ command? The ‘server’ directory within my project folder? Would there be a problem with installing it globally?

Thanks for your attention.

Yes, just your local environment (where you do your development :wink:).

You would do the git clone anywhere but in your project directory.

Not sure what installing it globally means in this context. Just try and see if it works.

Got it. When I tried executing the letsencrypt-auto script I got this message:

WARNING: Mac OS X support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

I’m not familiar enough with bash scripts and the risks they pose to feel confident proceeding after that message. What’s the worst that could happen (not a rhetorical question :slight_smile:)?

I realize this might be getting off topic, but any light you can shed on the situation is appreciated.

It may create a black hole. Known to happen.
/sarcasm

Running the --manual flag (which we do) is probably not what they are warning about. It’s the apache auto-config if anything, which we are not doing. So go ahead and do it.

There are a lot of steps here, but it’s all I’ve been able to find regarding setting up LetsEncrypt on Galaxy. I was wondering if someone could better explain these steps:

I assume we are putting some sort of file that certifies the Galaxy server with LetsEncrypt?

Yes, adding a ‘response’ file for the Let's Encrypt spider / browser to consume. Similar to Google verification etc.

The file is generated by Let's Encrypt and you view it on the CLI on your dev machine.
They actually give you a bash script to write the file using printf “%s”.

ALSO, these 6 commands can be reduced to 3:

so run sudo -i
cd /etc/letsencrypt/archive/sitename.com
cp ./* /some_other_directory
exit to get out of the sudo -i
cd to that directory
sudo chown -R username:username ./*

Instead:

cd meteor_app/settings (or other non version controlled folder)
sudo cp /etc/letsencrypt/live/sitename.com/privkey.pem .
sudo cp /etc/letsencrypt/live/sitename.com/fullchain.pem .

No need to change ownership.

Anyone know how to renew a Let's Encrypt certificate for Galaxy? Do I have to do all the steps again as if it was created for the first time?

Thanks

I did all the steps again.
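For the live/ shortcut a few posts up and the renewal question just above, an added shell example that is not code from any post in this thread. copy_certs takes privkey.pem and fullchain.pem from the client's live/ directory (the symlinks there always resolve to the newest generation in archive/, which is why copying from live/ cannot pick up a stale file), writes real files rather than links, and locks the private key to its owner. cert_needs_renewal uses openssl x509 -checkend to report whether the leaf certificate in a fullchain.pem expires within a given number of days, which is the cue to repeat the issuance steps. LIVE_DIR, DEST and DAYS are the caller's choices; run copy_certs under sudo when reading /etc/letsencrypt, and keep DEST outside public/ and outside version control.

```shell
#!/bin/sh
# Added example (not from the thread). LIVE_DIR is typically
# /etc/letsencrypt/live/sitename.com; DEST and DAYS are assumptions.
set -eu

# copy_certs LIVE_DIR DEST
# Copies the two files Galaxy's settings page wants. cp -L follows the live/
# symlinks so DEST holds real files that survive the next renewal rotating
# archive/. The key is made owner-only; the chain is public data anyway.
copy_certs() {
  live_dir=$1; dest=$2
  mkdir -p "$dest"
  for f in privkey.pem fullchain.pem; do
    cp -L "$live_dir/$f" "$dest/$f"
  done
  chmod 600 "$dest/privkey.pem"
  chmod 644 "$dest/fullchain.pem"
}

# cert_needs_renewal DAYS FULLCHAIN
# Exit 0 if the first (leaf) certificate in FULLCHAIN expires within DAYS,
# 1 if it is good for longer, 2 if openssl is unavailable. openssl x509
# -checkend SECONDS succeeds only when the cert outlives that window.
cert_needs_renewal() {
  days=$1; chain=$2
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  if openssl x509 -noout -checkend "$((days * 86400))" -in "$chain" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}
```

A cron entry that runs cert_needs_renewal 30 on the deployed fullchain.pem and mails you when it returns 0 covers the "when do I redo the steps" part; the issuance itself still goes through the manual challenge described in the first post.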