Guide: Setting up LetsEncrypt SSL on Galaxy

Challenges

  • there isn’t an API (that I know of) to add ssl credentials to galaxy
  • needs to run as sudo
  • shell scripting sucks haha
  • script needs to deploy your app which can have a lot of options
  • Galaxy is a closed-source service which generates revenue, so MDG has a business incentive to implement it - so ask them for this feature :grin:
4 Likes

Just build it for all Meteor apps! I’m sure MDG will get around to implementing something like this eventually but no reason to wait for or depend on them. :slight_smile:

This is an interesting conversation but I have a question for the Galaxy team:

Galaxy is hosted on AWS right? And according to AWS certs are free via their certificate manager for apps running on their platform… so how come SSL is not just part of the Galaxy offering?

If I am understanding this correctly it should be a no-brainer free perk included with hosting any app on Galaxy.

Or am I missing something… some small print legal disclaimer somewhere for example.

AWS Certificate Manager Pricing
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

4 Likes

Hey! Thank you!
Native support of SSL would be awesome, :smile:

2 Likes

Either AWS or making letsEncrypt SSL a simple checkbox would be a VERY nice addition to Galaxy. And it isn’t a big project for galaxy to add one or the other… but would save your average joe a day of research and implementation.

5 Likes

Looks like automated LetsEncrypt is on the roadmap!

Announced here: MDG’s plans and priorities

3 Likes

I am trying to follow these steps. The issue I am facing is that the .well_known directory is hidden and is ignored by Meteor even when it's in the public folder. Did you face the same issue?

Try putting another file in your public directory and navigating to that URL to make sure nothing else is going wrong.

Thanks for the list!

What do you mean by “dev box”, could this just be my local environment?

If I’m running this on mac osx where would I run the ‘git clone’ command? The ‘server’ directory within my project folder? Would there be a problem with installing it globally?

Thanks for your attention.

Yes, just your local environment (where you do your development :wink:).

You would do the git clone anywhere but in your project directory.

Not sure what installing it globally means in this context. Just try and see if it works.

Got it. When I tried executing the letsencrypt-auto script I got this message:

WARNING: Mac OS X support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

I’m not familiar enough with bash scripts and the risks they pose to feel confident proceeding after that message. What’s the worst that could happen (not a rhetorical question :slight_smile:)?

I realize this might be getting off topic, but any light you can shed on the situation is appreciated.

It may create a black hole. Known to happen.
/sarcasm

Running the --manual flag (which we do) is probably not what they are warning about. It’s the apache auto-config if anything, which we are not doing. So go ahead and do it.

There are a lot of steps here, but it’s all I’ve been able to find regarding setting up LetsEncrypt on Galaxy. I was wondering if someone could better explain these steps:

I assume we are putting some sort of file that certifies the Galaxy server with LetsEncrypt?

Yes, adding a ‘response’ file for the Let's Encrypt spider / browser to consume. Similar to Google verification etc.

The file is generated by Let's Encrypt and you view it on the CLI on your dev machine.
They actually give you a bash script to write the file using printf “%s”.

ALSO, these 6 commands can be easier (3)

so run sudo -i
cd /etc/letsencrypt/archive/sitename.com
cp ./* /some_other_directory
exit to get out of the sudo -i
cd to that directory
sudo chown -R username:username ./*

instead

cd meteor_app/settings (or other non version controlled folder)
sudo cp /etc/letsencrypt/live/sitename.com/privkey.pem .
sudo cp /etc/letsencrypt/live/sitename.com/fullchain.pem .

no need to change ownership
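
An added example, not part of the post above or of any Let's Encrypt tooling: a shell function that stages the two files from the shorter procedure with owner-only permissions and refuses to copy the private key into a git work tree where it is not ignored. The function name `stage_certs` and the destination folder are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage Let's Encrypt files for upload.
# Usage: stage_certs LIVE_DIR DEST_DIR
#   LIVE_DIR  e.g. /etc/letsencrypt/live/sitename.com (path from the post)
#   DEST_DIR  a folder outside version control (assumed, e.g. ./settings)
stage_certs() {
    live=$1
    dest=$2
    [ -n "$live" ] && [ -n "$dest" ] || { echo "usage: stage_certs LIVE_DIR DEST_DIR" >&2; return 2; }

    # Both inputs must be readable and look like PEM before anything is copied.
    for f in privkey.pem fullchain.pem; do
        [ -r "$live/$f" ] || { echo "cannot read $live/$f" >&2; return 1; }
    done
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$live/privkey.pem" ||
        { echo "privkey.pem is not a PEM private key" >&2; return 4; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$live/fullchain.pem" ||
        { echo "fullchain.pem is not a PEM certificate" >&2; return 4; }

    mkdir -p "$dest" || return 1

    # If DEST_DIR sits in a git work tree, the private key must be ignored there.
    if command -v git >/dev/null 2>&1 &&
       git -C "$dest" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$dest" check-ignore -q privkey.pem ||
            { echo "refusing: $dest/privkey.pem is not git-ignored" >&2; return 3; }
    fi

    # Copy under a restrictive umask so the key is never group/world readable,
    # then pin the mode in case an older, looser copy was overwritten.
    (
        umask 077
        for f in privkey.pem fullchain.pem; do
            cp "$live/$f" "$dest/$f" && chmod 600 "$dest/$f" || exit 1
        done
    ) || return 1
}

# Run directly: sh stage_certs.sh LIVE_DIR DEST_DIR
if [ "$#" -eq 2 ]; then
    stage_certs "$1" "$2"
fi
```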

Does anyone know how to renew the letsencrypt certificate for Galaxy? Do I have to do all the steps as if it was created for the first time?

Thanks

I did all the steps again.

@energistic I do not know where I am failing.
Where do I need to enter the site's URL?

I somehow cannot get it right.
Sorry for being a noob :slight_smile:

I think you need to back up a step. When you run ./letsencrypt-auto --manual certonly it should ask you for the site name.

@marktrang It’s been a while (Feb 21) since LetsEncrypt support was put on the roadmap for Galaxy. Have you guys been able to make progress on it yet?

1 Like

OK, thanks, figured it out yesterday: the script somehow could not install some of the dependencies (pip for example). Now I am stuck with:
ImportError: Unable to import libaugeas!
I will probably need to do it on a Linux machine (currently trying it on a Mac).
Thanks for the help!