Setting up SSL with LetsEncrypt and MeteorUp

I went through using LetsEncrypt with my meteor-up installation. Here are the steps I used to do it:

  • login to your prod box: ssh root@xx.xx.xx.xx
  • get the letsencrypt utility: git clone https://github.com/letsencrypt/letsencrypt
  • cd letsencrypt
  • compile letsencrypt with the next few commands:
  • ./bootstrap/install-deps.sh
  • ./bootstrap/dev/venv.sh
  • source venv/bin/activate
  • stop your app from your local mup directory: mup stop
  • run letsencrypt: letsencrypt certonly --standalone
  • follow the letsencrypt prompts
  • cd /etc
  • package the output folder up: tar -cvvf letsencrypt_2015_12_4.tar letsencrypt
  • copy the tar file back to your own box: scp root@xx.xx.xx.xx:/etc/letsencrypt_2015_12_4.tar ~/letsencrypt_2015_12_4.tar
  • you want to back up this tar file for safe-keeping
  • combine your cert chain with your private key: cat fullchain.pem privkey.pem > ssl.pm
  • copy ssl.pm to your mup folder: cp ssl.pm YOUR_PROJECT/.prod/ssl.pm
  • add this line to your mup.json:
    "ssl": {
      "pem": "./ssl.pem"
    },
  • leave unprotected connections behind - from your app directory: meteor add force-ssl
  • from your mup folder run: mup deploy
  • add to your .gitignore file: YOUR_MUP_DIR/ssl.pem
  • celebrate!
23 Likes

This is nice. I didn’t think it was that easy.
We will add a feature to automate this soon :slight_smile:

14 Likes

This is awesome! Thanks!

@arunoda, don’t forget the cronjob to refresh the certificate at a specified interval (at least once every 3 months).

4 Likes

Hmm, I have a question, how do you develop locally when you have the force-ssl package installed?

force-ssl is turned off locally.

1 Like

Thank you! That’s good to know.

Hi, we did a little research on what’s really going on under the hood in this process, in the hope of adding seamless letsencrypt integration to the next version of Meteor Up.
Read more about it on this Kadira Voice post

4 Likes

Interesting post!

It might be good to think about what kind of certificate you will need for production apps and which ones are just fine for testing. If you want a production app, you might want to invest in, for example, organization validation. For testing, a short moment of downtime is likely not a real issue.

According to this post you don’t need to experience any down time: https://t.co/ZCZNoOdf0P

I have a question about local force-ssl though…

Yes, in the browser I could use http://localhost:3000, but when developing mobile stuff I’d like to connect my iPhone over the local WiFi, say http://192.168.1.102:3000; with force-ssl, that would always redirect to https://localhost …

Is there a workaround?

Thanks so much @energistic !! For me there were 2 key additional steps / notes:

2 key missing steps:

  1. set ROOT_URL to https
  2. run mup setup (then mup deploy)

I found these here:

If I am using mupx which uses .key and .crt files instead of a .pem, any suggestions how to get this working when the certificates spit out .pem files?

@AndreasGalster One thing you can try is to create two separate files with .key and .crt extensions, copy the certificate parts and the key parts of the .pem file into these two files, and use them in mupx.

I tried that but it broke my server. It uploaded the site but then when redirecting to the SSL site it didn’t work.

I think I used this before for the crt file:

openssl x509 -outform der -in your-cert.pem -out your-cert.crt
from http://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key

For the private key I can’t remember if I just renamed it or tried something from this stackoverflow question:

This would be awesome!

Especially because letsencrypt requires downtime of the Meteor server to check that the domain is your property, which it does on port 80. This is not a big issue on the first certificate creation, where you typically don’t have your server in production yet. But if you’re extending your certificate afterwards (e.g. I did so to get an additional cert for my staging server), any downtime is not desirable. It would be perfect if mupx could keep that downtime at least as short as possible.

You can use .pem with mupx, I did not have any problems with that. Just make sure you’re using the fullchain .pem as the cert, and the private key .pem as the key.

2 Likes
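As an added check for the `cat fullchain.pem privkey.pem > ssl.pem` step above and for the mupx cert/key split discussed in the replies (example code written here, not from the original posts or from Meteor Up): this Python script validates that a combined bundle holds a certificate chain followed by exactly one private key, and splits it back into the separate chain and key files that mupx takes. The PEM contents below are constructed placeholders, not real certificates or keys.

```python
import re
import sys
from pathlib import Path

# Constructed placeholder bundle standing in for ssl.pem (NOT real key material):
# two CERTIFICATE blocks (leaf + intermediate, as in fullchain.pem) then the key.
SAMPLE_SSL_PEM = """-----BEGIN CERTIFICATE-----
MIIBleafCertPlaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediateCertPlaceholder
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIBprivateKeyPlaceholder
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN label, base64 body, END with the same label (backreference).
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text):
    """Return (label, block_text) tuples in file order, one per PEM block."""
    return [(m.group(1), m.group(0) + "\n") for m in BLOCK_RE.finditer(text)]


def split_bundle(text):
    """Validate a cert+key bundle and return (cert_chain_pem, private_key_pem).

    Raises ValueError when the bundle is not what mup/mupx expects: no
    certificate (privkey.pem alone), zero or several keys, or key before chain.
    """
    blocks = parse_pem(text)
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    keys = [b for label, b in blocks if label in KEY_LABELS]
    if not certs:
        raise ValueError("no CERTIFICATE block found: did you use fullchain.pem?")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if blocks[0][0] != "CERTIFICATE":
        raise ValueError("bundle must start with the certificate chain, not the key")
    return "".join(certs), keys[0]


if __name__ == "__main__":
    # Usage: python split_bundle.py ssl.pem out_dir  -> out_dir/cert.crt, cert.key
    chain, key = split_bundle(Path(sys.argv[1]).read_text())
    out = Path(sys.argv[2])
    (out / "cert.crt").write_text(chain)
    (out / "cert.key").write_text(key)
```

Both output files stay PEM-encoded, which is the encoding the thread reports working with mupx (fullchain as the cert, private key as the key).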

You are right! Both .pem and .crt/.key work.

The issue seems to be that a long time ago I first tried to set up with mup before doing it with mupx, since mup wasn’t working. MUP created an opt/something folder, which is no longer used in mupx, and mup has a known issue when deploying certificates with that folder present. The solution for me was to simply create a new app with a new appName, which creates a new docker container I guess. An alternative solution is to get rid of that specific opt folder, which I couldn’t find though, which is why I simply used a new appName in my mup.json file.

Don’t forget to stop the old app before starting and deploying a new app.

Creating the file as ssl.pm is supported too :slight_smile: with this setting in mup.json:
//ssl
"ssl": {
"pem": "./ssl.pm"
},

I’m having problems getting this to work together with the meteorhacks:cluster package.
Has anyone managed to get this working?

If using the browser-policy package, does one need to add extra exceptions?

thanks