Mup and SSL configuration

I use Meteor-up for my deployments to a EC2 instance. This works great.

I’m now trying to add SSL support. I followed the instructions here, but was not able to get SSL working.

I did the following:

1. Created the private key file
2. Locally created the csr file from the key file using *.yourdomain.com for a wildcard certificate.
3. Bought a Wildcard certificate from RapidSSL using the cert in #2.
4. Downloaded the domain cert and CA files for nginx.
5. Concatenated the files in this order: cat yourdomain_com.crt bundled_ca_certs.crt private_key.key > ssl.pem
6. Added the ssl.pem file to the mup directory
7. Add the ssl configuration to the mup.json file:
   “ssl”: {
   “pem”: “./ssl.pem”
   }
8. Did a mup setup
9. I also added a inbound rule to my EC2 security group for HTTPS on port 443.

The setup passed, but the SSL setup didn’t work.

I went to http://yourdomain.com and it works. I went to https://yourdomain.com and it just times out.

What could I be doing wrong?

Notes:
I have a CNAME for yourdomain.com (not www.yourdomain.com) pointed to the EC2 instance.
I don’t need a nginx server from what I’ve read.

Do you have the ‘force-ssl’ package installed? If so try removing that and see if that works. If that’s the case you can force SSL through the HAProxy config (or nginx config). Also does your mup config use https as the root_url?

"env": {
   ...
    "ROOT_URL": "https://myapp.com",
   ...
  },

I finally got this working. There were several things wrong with my setup (I’m using RapidSSL and EC2, so things may be different with other providers):

You will get a Web Server Certificate from RapidSSL once you get your SSL. I named mine ssl.crt.

You will also be directed to use RapidSSL Intermediate CAs. I downloaded them as separate files named primary.crt and secondary.crt respectively.

When building the ssl.pem used by mup, you need to concatinate all the files you get from RapidSSL plus the privatekey.key file you generated with the openssl command.

1. When you generated your privatekey.key file, most likely you encrypted it (that’s what is recommended). But when building your ssl.pem file you should use a decrypted version. Decrypt the privatekey.key file with this command:

openssl rsa –in privatekey.key -out decrypted_privatekey.key

2. concatenate the files in the right order:

cat ssl.crt secondary.crt primary.crt decrypted_privatekey.key > ssl.pem

3. When you concatenate the cert files into the ssl.pem file the END CERTIFICATE and BEGIN CERTIFICATE for each cert file will be right next to one another like so:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

Separate these manually like so (make sure begin and end have 5 dashes on both sides):

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

4. Make sure you have HTTPS port 443 opened on inbound traffic (I use EC2).

5. Make sure your mup environmental path has is set to https like so:

   “env”: {
   “ROOT_URL”: “https://my_domain.com”
   },

6. Make sure the ssl.pem file is in the root directory of your mup project.

7. Make sure you have the latest version of mup installed (globally).

npm update -g mup

And when you do a ‘mup setup’ you see the something like following related to Stud Installation and SSL Configuration:

[your_domain.com] - Installing Node.js
[your_domain.com] ✔ Installing Node.js: SUCCESS
[your_domain.com] - Setting up Environment
[your_domain.com] ✔ Setting up Environment: SUCCESS
[your_domain.com] - Copying MongoDB configuration
[your_domain.com] ✔ Copying MongoDB configuration: SUCCESS
[your_domain.com] - Installing MongoDB
[your_domain.com] ✔ Installing MongoDB: SUCCESS
[your_domain.com] - Installing Stud
[your_domain.com] ✔ Installing Stud: SUCCESS
[your_domain.com] - Configuring Stud for Upstart
[your_domain.com] ✔ Configuring Stud for Upstart: SUCCESS
[your_domain.com] - Configuring SSL
[your_domain.com] ✔ Configuring SSL: SUCCESS
[your_domain.com] - Configuring Stud
[your_domain.com] ✔ Configuring Stud: SUCCESS
[your_domain.com] - Verifying SSL Configurations (ssl.pem)
[your_domain.com] ✔ Verifying SSL Configurations (ssl.pem): SUCCESS
[your_domain.com] - Strating Stud
[your_domain.com] ✔ Strating Stud: SUCCESS
[your_domain.com] - Configuring upstart
[your_domain.com] ✔ Configuring upstart: SUCCESS

Thanks for the update @aadams ! I’m about to do the same with DigitalOcean (prev I’ve just used modulus) so this will be handy.

@aadams you’re write-up was awesome. Worked great for me. Thanks for working through this. I have a question, I followed your same setup and have everything working on https but http is still open. I was reading some articles that were saying using the force-ssl Meteor package was bad with mup and nginx. What method are you using to force/redirect https connections only? Do you modify the nginx config file? Where does that live exactly? Using Ubuntu 14 with mup.

EDIT: I was wrongly assuming MUP used nginx under the hood. It looks like it doesn’t. I think I can use the force-ssl package and it will work, but is there another way to force SSL in Ubuntu with the way MUP sets things up without adding that package to my code?

EDIT2: I disabled Stud and installed nginx as a reverse proxy with MUP. nginx used my above concatenated *.pem and the domain *.key that I originally downloaded. Works great and forwards http to https.

How do you configure SSL with mup when using the meteorhacks:cluster package? I have two droplets on DO, both of them are set as balancers, with the CLUSTER_BALANCER_URL property set to http://each.droplet.ip.address on both servers. After adding the ssl property to the mup config file, and if I change CLUSTER_BALANCER_URL to https://each.droplet.ip.address, the websocket connection won’t be initiated, since my certificate doesn’t cover the two IP addressed of my droplets.

Is there a way to enable HTTPS only for certain routers ? Like /login / register /password-reset ?

I have a data widget and the websites using it does not have SSL. so the app just breaks… Any thoughts guys ?