Setting up SSL with LetsEncrypt and MeteorUp


#1

I went through using LetsEncrypt with my meteor-up installation. Here are the steps I used to do it:

  • login to your prod box ssh root@xx.xx.xx.xx
  • get the letsencrypt utility git clone https://github.com/letsencrypt/letsencrypt
  • cd letsencrypt
  • compile letsencrypt with the next few commands
  • ./bootstrap/install-deps.sh
  • ./bootstrap/dev/venv.sh
  • source venv/bin/activate
  • stop your app from your local mup directory mup stop
  • run letsencrypt letsencrypt certonly --standalone
  • follow the letsencrypt prompts
  • cd /etc
  • package the output folder up tar -cvvf letsencrypt_2015_12_4.tar letsencrypt
  • copy the tar file back to your own box scp root@xx.xx.xx.xx:/etc/letsencrypt_2015_12_4.tar ~/letsencrypt_2015_12_4.tar
  • you want to backup this tar file for safe-keeping
  • combine your cert chain with your private key cat fullchain.pem privkey.pem > ssl.pm
  • copy ssl.pm to your mup folder cp ssl.pm YOUR_PROJECT/.prod/ssl.pm
  • add this line to your mup.json
"ssl": {
  "pem": "./ssl.pem"
},
  • leave unprotected connections behind - from your app directory meteor add force-ssl
  • from your mup folder run mup deploy
  • add to your .gitignore file YOUR_MUP_DIR/ssl.pem
  • celebrate!

No more paying for SSL certificates!
No more paying for SSL certificates!
Cannot get HTTPS to work on my site
#2

This is nice. I didn’t though it’s that easy.
We will add a feature to automate this soon :slight_smile:


#3

This is awesome! Thanks!

@arunoda, don’t forget the cronjob to refresh the certificate at a specified interval (at least once every 3 months).


#4

Hmm, I have a question, how do you develop locally when you have the force-ssl package installed?


#5

force-ssl is turned off locally.


#6

Thank you! That’s good to know.


#7

Hi, We did a little research on what’s really going under the hood in this process in the hope of adding seamless letsencrypt integration to next version of Meteor Up.
Read more about it on this Kadira Voice post


#8

Interesting post!

It might be good to think about what kind of certificate you will need for production apps and which ones are just fine for testing. If you want a production app you might want to invest in for example organization validation. For testing the downtime of a short moment is not really a real issue likely.


#9

According to this post you don’t need to experience any down time: https://t.co/ZCZNoOdf0P


#10

I have a question about local force-ssl though…

Yes, in browser I could use http://localhost:3000 , but when developing mobile stuff, I’d like to connect my iPhone from local WIFI, say http://192.168.1.102:3000 , with force-ssl, that would always redirect to https://localhost

Is there a workaround?


#11

Thanks so much @energistic !! For me there were 2 key additional steps / notes:

2 key missing steps:

  1. set ROOT_URL to https
  2. run mup setup (then mup deploy)

I found these here:


#12

If I am using mupx which uses .key and .crt files instead of a .pem, any suggestions how to get this working when the certificates spit out .pem files?


#13

@AndreasGalster One thing you can try is to create two separate files with .key and .crt extension, and copy the certificate parts and key parts inside the .pem file in to these two files and use it in mupx.


#14

I tried that but it broke my server. It uploaded the site but then when redirecting to the SSL site it didn’t work.


#15

I think I used this before for the crt file:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt
from http://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key

For the private key I can’t remember if I just renamed it or tried something from this stackoverflow question:


#16

This would be awesome!

Especially because letsencrypt requires a downtime of the Meteor server to check if the domain is in your property, which it does on port 80. This is not a big issue on the first certificate creation, where you typically have your server in production yet. But if you’re extending your certificate afterwards (e.g. I did so to get an additional cert for my staging server), any downtime is not desirable. It would be perfect if mupx could keep that downtime at least as short as possible.


#17

You can use .pem with mupx, I did not have any problems with that. Just make sure you’re using the fullchain .pem as the cert, and the private key .pem as the key.


#18

You are right! Both .pem and .crt/.key work.

The issue seems to be that a long time ago I first tried to set up with mup before doing it with mupx since mup wasn’t working. MUP created an opt/something folder, which is no longer used in mupx. mup has a known issue when deploying certificates with that folder available. The solution for me was to simply create a new app with a new appName, which creates a new docker container I guess. An alternative solution is to get rid of that specific opt folder, which I couldn’t find though, which is why I simply used a new appName in my mup.json file

Don’t forget to stop the old app before starting and deploying a new app.


#21

create file ssl.pm this suports :slight_smile: and setting mup.json
//ssl
"ssl": {
“pem”: “./ssl.pm”
},


#22

I’m having problems having this to work with together with the meteorhacks:cluster package.
does anyone managed to get this working?

If using the browzer-policy package does one need to add extra exceptions?

thanks