Guide: Setting up LetsEncrypt SSL on Galaxy

energistic · February 2, 2016, 10:59am

Challenges

there isn’t an API (that I know of) to add ssl credentials to galaxy
needs to run as sudo
shell scripting sucks haha
script needs to deploy your app which can have a lot of options
Galaxy is a closed-source service which generates revenue, so MDG has a business incentive to implement it - so ask them for this feature

rahul · February 2, 2016, 3:32pm

Just build it for all Meteor apps! I’m sure MDG will get around to implementing something like this eventually but no reason to wait for or depend on them.

drollins · February 15, 2016, 11:22am

This is an interesting conversation but I have question for the Galaxy team:

Galaxy is hosted on AWS right? And according to AWS certs are free via their certificate manager for apps running on their platform… so how come SSL is not just part of the Galaxy offering?

If I am understanding this correctly it should be a no-brainer free perk included with hosting any app on Galaxy.

Or am I missing something… some small print legal disclaimer somewhere for example.

AWS Certificate Manager Pricing
SSL/TLS certificates provisioned through AWS Certificate Manager are free. You pay only for the AWS resources you create to run your application.

violeta · February 18, 2016, 3:18pm

Hey! Thank you!
Native support of SSL would be awesome,

ericmann · February 18, 2016, 4:20pm

Either AWS or making letsEncrypt SSL a simple checkbox would be a VERY nice addition to Galaxy. And it isn’t a big project for galaxy to add one or the other… but would save your average joe a day of research and implementation.

energistic · February 22, 2016, 3:22am

Looks like automated LetsEncrypt is on the roadmap!

Announced here: MDG’s plans and priorities

itnryapp · March 22, 2016, 8:16am

I am trying to follow these steps. Issue i am facing is that .well_known directory is hidden and is ignored by meteor even when its in public folder. Did you face the same issue ?

energistic · March 23, 2016, 12:44am

Try putting another file in your public directory and navigating to that URL to make sure nothing else is going wrong.

adbierach · March 23, 2016, 11:15pm

Thanks for the list!

What do you mean by “dev box”, could this just be my local environment?

If I’m running this on mac osx where would I run the ‘git clone’ command? The ‘server’ directory within my project folder? Would there be a problem with installing it globally?

Thanks for your attention.

energistic · March 24, 2016, 3:09am

Yes, just your local environment (where you do you development ).

You would do the git clone anywhere but in your project directory.

Not sure what installing it globally means in this context. Just try and see if it works.

adbierach · March 24, 2016, 4:20pm

Got it. When I tried executing the letsencrypt-auto script I got this message:

WARNING: Mac OS X support is very experimental at present…
if you would like to work on improving it, please ensure you have backups
and then run this script again with the --debug flag!

I’m not familiar enough with bash scripts and the risks they pose to feel confident proceeding after that message. What’s the worst that could happen (not a rhetorical question )?

I realize this might be getting off topic, but any light you can shed on the situation is appreciated.

energistic · March 25, 2016, 2:12am

It may create a black hole. Known to happen.
/sarcasm

Running the --manual flag (which we do) is probably not what they are warning about. It’s the apache auto-config if anything, which we are not doing. So go ahead and do it.

bsbechtel · April 11, 2016, 7:25pm

There are a lot of steps here, but it’s all I’ve been able to find regarding setting up LetsEncrypt on Galaxy. I was wondering if someone could better explain these steps:

Add a file to your meteor_dir/public/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL and add in the contents that they tell you to
deploy to Galaxy
make sure that xxx.mysitename.com/.well-known/acme-challenge/SOME_LONG_WEIRD_STRING_FROM_THE_OTHER_TERMINAL downloads that file.
press enter on the letsencrypt terminal

I assume we are putting some sort of file that certifies the Galaxy server with LetsEncrypt?

chroma · April 13, 2016, 8:57pm

yes, adding a ‘response’ file for lets encrypt spider / browser to consume. Similar to google verification etc.

the file is generated by the lets encrypt and you view it on the CLI on your dev machine
they actually give u a bash script to write the file using printf “%s”

ALSO, these 6 commands can be easier (3)

so run sudo -i
cd /etc/letsencrypt/archive/sitename.com
cp ./* /some_other_directory
exit to get out of the sudo -i
cd to that directory
sudo chown -R username:username ./*

instead

cd meteor_app/settings (or other non version controlled folder)
sudo cp /etc/letsencrypt/live/sitename.com/privkey.pem .
sudo cp /etc/letsencrypt/live/sitename.com/fullchain.pem .

no need to change ownership

ixdi · April 29, 2016, 9:41am

Any one knows how to renew letsencrypt certificate for galaxy? Have I to do all the steps as if it was created for the first time??

Thanks

energistic · April 29, 2016, 2:50pm

I did all the steps again.

geritol · April 29, 2016, 3:57pm

@energistic I do not know where I am failing.
where do I need to enter the sites url?

I somehow cannot get it right.
Sorry for being a noob

energistic · April 29, 2016, 4:04pm

I think you need to back up a step. When you run ./letsencrypt-auto --manual certonly it should ask you for the site name.

energistic · April 29, 2016, 4:09pm

@marktrang It’s been a while (Feb 21) since LetsEncrypt support was put on the roadmap for Galaxy. Have you guys been able to make progress on it yet?

geritol · April 30, 2016, 7:27am

ok, thanks, figured ouit yesterday, the script somehow could not install some of the dependencies (pip for example), now I am stuck with:
ImportError: Unable to import libaugeas!
I will probably need to do it on a linux machine (currently trying it on a mac).
Thanks for the help!