January 14, 2019

Let's Encrypt with Pivotal Cloud Foundry

Any operator reading this has come to one clear conclusion: SSL certificates suck. Let’s have a list of things that no one likes about SSL certs:

  • Cost
  • Hostname changes
  • Picking an encryption suite
  • Validation scopes
  • Generally Trusted Root?

Of the list, personally, I believe the first item is the worst: cost. SSL certificates are expensive. Sometimes rightfully so, other times needlessly so. I mean, it’s a file, right? In the spirit of cost, let’s talk about Let’s Encrypt. From their site:

Let’s Encrypt is a free, automated, and open Certificate Authority.

With that, let’s walk through a basic tutorial of how to leverage Let’s Encrypt with PCF so you can avoid some of the common pitfalls.

Generating Certificates

To begin, you’ll need Certbot. How you get Certbot is up to you and depends on your operating system, and I’ll leave that out since there are plenty of installation guides. For me, I just use certbot-auto in the core Certbot repository. In order to use Let’s Encrypt, you need a publicly accessible DNS zone that Certbot can query. You’ll also need to be able to create TXT records in said zone. To generate the certificates with certbot-auto (which is the same as the core certbot tool) for PCF, here’s the command you want:

# Quote the wildcard names so the shell does not glob-expand them
certbot-auto --server https://acme-v02.api.letsencrypt.org/directory \
  -d example.com \
  -d '*.example.com' \
  -d '*.apps.example.com' \
  -d '*.sys.example.com' \
  -d '*.login.sys.example.com' \
  -d '*.uaa.sys.example.com' \
  --manual --preferred-challenges dns-01 certonly

And that’s it! You’ll have certificates that work with the cf CLI, UAA, Spring Cloud Services, and all the apps you can push.
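The reason the command asks for a separate wildcard at each level (`*.example.com`, `*.sys.example.com`, `*.login.sys.example.com`, and so on) is that a wildcard in a certificate's Subject Alternative Name covers exactly one DNS label, so `*.example.com` does not cover `api.sys.example.com`. The following added example (my own illustration, not code from the post or from Certbot) checks a list of PCF-style hostnames against the SAN list that the command above would request. The SAN list mirrors the command; the hostnames under `sys` and `apps` are assumptions about a typical foundation, not something the post states.

```python
"""Check which hostnames a certificate's SAN list actually covers.

Added example: the SAN list is constructed to mirror the certbot-auto
command in the post, and the PCF hostnames are assumed for illustration.
"""
from typing import Dict, List

# Constructed: the SANs requested by the post's certbot-auto command.
REQUESTED_SANS = [
    "example.com",
    "*.example.com",
    "*.apps.example.com",
    "*.sys.example.com",
    "*.login.sys.example.com",
    "*.uaa.sys.example.com",
]

# Constructed: hostnames a foundation typically serves (assumed names).
PCF_HOSTNAMES = [
    "api.sys.example.com",        # cf CLI target
    "login.sys.example.com",      # UAA login endpoint
    "uaa.sys.example.com",
    "apps.sys.example.com",       # Apps Manager
    "myapp.apps.example.com",     # a pushed app
    "ws.myapp.apps.example.com",  # two labels below apps: no SAN covers it
    "example.com",
]


def san_matches(san: str, hostname: str) -> bool:
    """Match one SAN against one hostname.

    Follows the browser/RFC 6125 rule: a leading '*.' stands in for
    exactly one leftmost label, never for zero labels or for 'a.b'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # '*.example.com' -> '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def covered_by(sans: List[str], hostname: str) -> List[str]:
    """Return every SAN that would make a TLS client accept this hostname."""
    return [s for s in sans if san_matches(s, hostname)]


def coverage_report(sans: List[str], hostnames: List[str]) -> Dict[str, List[str]]:
    """Map each hostname to the SANs covering it (empty list = not covered)."""
    return {h: covered_by(sans, h) for h in hostnames}


def uncovered(sans: List[str], hostnames: List[str]) -> List[str]:
    """Hostnames that would fail certificate validation with this SAN list."""
    return [h for h, matches in coverage_report(sans, hostnames).items() if not matches]


if __name__ == "__main__":
    for host, matches in coverage_report(REQUESTED_SANS, PCF_HOSTNAMES).items():
        status = ", ".join(matches) if matches else "NOT COVERED"
        print(f"{host:30} {status}")
```

Running the report shows that `login.sys.example.com` is covered only by `*.sys.example.com`, while `*.login.sys.example.com` exists for hosts one label deeper, which is exactly why the post's command lists both. Anything two labels below `apps` (like the constructed `ws.myapp.apps.example.com`) is covered by nothing, so a route like that would need its own wildcard added to the command.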

Walkthrough

If you want to understand the whole workflow, here’s how I leverage Let’s Encrypt.

  1. git clone https://github.com/certbot/certbot /opt/letsencrypt
  2. ./letsencrypt-auto --server https://acme-v02.api.letsencrypt.org/directory -d r3t.io {-d ...}. This will create a new virtual environment and prompt you to create a TXT record with a hash. The TXT record name has the format _acme-challenge.<domain>.<root>, so for me it was _acme-challenge.r3t.io. Don’t hit enter yet; copy the hash it gives you.
  3. Log into the root DNS Zone, mine is hosted with Azure.
  4. Create a new TXT record, and set the TTL to 60 seconds. This isn’t a requirement, but humans make typos, and a 60-second TTL is much more forgiving if you have one. Don’t forget to paste the hash from the prompt.
  5. Once the TXT record has been created, in a separate console window, test the record with dig -t txt _acme-challenge.<domain>.<root> or nslookup.exe -q=TXT _acme-challenge.<domain>.<root>.
  6. Once the record resolves, go back to the console where you have the prompt waiting.
  7. Hit enter.
  8. Assuming it validates properly, you should be in the all-clear, and it will tell you where to find your certificates on your local hard drive.

If you want to see the certificate in the open, you can leverage crt.sh by Rob Stradling at Sectigo (formerly Comodo). If you want to see mine, you can see them here.

Notes

  • All certificates generated by Let’s Encrypt are public, so do be careful with hostnames you use.
  • When you put the certificate into the PAS tile, make sure you use the fullchain.pem file, not chain.pem. I'm not entirely sure why, there's some internal client that needs it.