
Application SSL

Last modified by Fabian Donze on 2013/01/02 19:41

The new CloudBees SSL feature allows you to set up dedicated SSL routers on your CloudBees account that can be used to route requests to your applications using your own SSL certificates. This feature is a little complex to set up initially, but once it is set up, it is very easy to associate your applications with your SSL certificate.

To create a dedicated application SSL router, you will need to use the CloudBees SDK. You will also need to have your own domain name and SSL certificates.

Test the SSL certificate

Before creating a router, you can test if your certificate is valid by running the following SDK command (v1.1 or greater):

bees app:cert:validate -a ACCOUNT -cert SSL_CERT_FILE  -pk SSL_PRIVATE_KEY

Create a dedicated SSL router

Example: Create a router resource named acme-ssl by running the following SDK command:

bees app:router:create -a ACCOUNT/APPLICATION -bind false -cert SSL_CERT_FILE -pk SSL_PRIVATE_KEY acme-ssl

This will launch a dedicated SSL router that can be used by applications on your account. After executing this command, you will see a response similar to the following:

Resource: acme/acme-ssl
config:
  SSL=true
  ROUTER_SERVICE=acme-8f72e7e4.revproxy
  ROUTER_URL=https://50.16.192.123

 

To begin sending application requests to this router, you will need to configure your DNS records to point the hostname associated with the SSL certificate to your router's IP address, and then configure a hostname alias (or aliases) for your application that use this hostname. Finally, you will need to bind your application to the SSL router.

Updating a dedicated SSL router

Example: Update an existing router named acme-ssl with a new certificate by running the following SDK command (v1.1 or greater):

bees app:router:update acme-ssl -cert SSL_CERT_FILE -pk SSL_PRIVATE_KEY

This will restart the existing dedicated SSL router with the new certificate.

Obtaining an SSL Certificate

To enable SSL for your application, you need to provide an SSL certificate.  Certificates can be obtained from numerous companies including Verisign, GoDaddy and Digicert. 

Which webserver type do I need a certificate for?

The CloudBees HTTP/HTTPS routers are based on Nginx, so if your certificate vendor offers you several webservers, choose Nginx.

If possible, go for a "wildcard" certificate

Since your router will typically need to provide SSL for apps, each with a unique hostname, you'll probably want to consider getting a Wildcard SSL certificate. Wildcard certificates provide you with a pattern of hostnames that are valid for the certificate (example: *.acme.com), so you can associate apps

Certificate chains and intermediate certs

You can only provide one certificate file when uploading. Some SSL providers provide a chain of certificates between the root certificate (their cert) and your certificate (the one you just bought). In this case you can concatenate the certificate chain together with your certificate file (with your certificate last), as text, and upload that file.

Example: creating valid certs for GoDaddy

GoDaddy does not provide an Nginx option, but you can select Apache and then convert the result into a valid Nginx certificate. GoDaddy provides you with the gd_bundle.crt as well as yourhost.com.crt. To convert this into a valid Nginx certificate, you'll need to combine them by appending the gd_bundle.crt to the yourhost.com.crt.

cat gd_bundle.crt >> yourhost.com.crt

After your cert is created, you can upload it using the bees app:router:create command described above.
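
The concatenation described in the two sections above, as an added shell example (not CloudBees' or GoDaddy's own tooling): it writes the server certificate first and the bundle after it, the order the GoDaddy example uses and the order Nginx expects, refuses to write over an input file, and rejects a result whose PEM markers are fused or that contains a private key. The function names and the chained.crt output name are assumptions, and the sample files hold constructed placeholder data, not real certificates.

```shell
# count_certs FILE: print the number of certificate blocks. Fails on fused or
# unbalanced markers and on any non-certificate block such as a private key.
count_certs() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----[ \t]*$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END CERTIFICATE-----[ \t]*$/ { if (!inblk) bad = 1; inblk = 0; n++; next }
        /-----(BEGIN|END) / { bad = 1 }
        END { if (bad || inblk) exit 1; print n + 0 }'
}

# first_cert FILE: print the first certificate block.
first_cert() {
    tr -d '\r' < "$1" | awk '/^-----BEGIN CERTIFICATE-----/ { p = 1 }
        p { print }
        p && /^-----END CERTIFICATE-----/ { exit }'
}

# check_chain FILE LEAF: FILE must be well formed, hold at least two
# certificates, and start with the certificate stored in LEAF.
check_chain() {
    n=$(count_certs "$1") && [ "$n" -ge 2 ] || return 1
    [ "$(first_cert "$1")" = "$(first_cert "$2")" ]
}

# build_chain LEAF BUNDLE OUT: write LEAF followed by BUNDLE to OUT.
build_chain() {
    # "cat a b > a" truncates a before cat reads it, so refuse that case.
    if [ "$3" -ef "$1" ] || [ "$3" -ef "$2" ]; then
        echo "output must not be one of the inputs" >&2; return 1
    fi
    tmp=$(mktemp) || return 1
    # awk 1 re-terminates every line, so a LEAF with no final newline
    # cannot fuse its END marker with the BEGIN marker of the bundle.
    { tr -d '\r' < "$1" | awk 1; tr -d '\r' < "$2" | awk 1; } > "$tmp"
    if check_chain "$tmp" "$1"; then mv "$tmp" "$3"
    else rm -f "$tmp"; echo "chain failed PEM checks" >&2; return 1; fi
}

# make_samples DIR: constructed placeholder files, not real certificates.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' \
        '-----END CERTIFICATE-----' > "$1/yourhost.com.crt"  # no final newline
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
        '-----END CERTIFICATE-----' > "$1/gd_bundle.crt"
}

d=$(mktemp -d) && make_samples "$d" &&
    build_chain "$d/yourhost.com.crt" "$d/gd_bundle.crt" "$d/chained.crt" &&
    echo "certificates in chained file: $(count_certs "$d/chained.crt")"
```

Run bees app:cert:validate on the resulting file together with your private key before passing it to bees app:router:create.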

Obtaining a Certificate Signing Request (CSR)

If your certificate provider asks you for a CSR, you can use OpenSSL to create one.  Please see this handy form at DigiCert that helps you through this process.

Configuring a custom application domain

Step 1 - Create a DNS address name record

To use your domain with your router, you'll need to update your domain's DNS record to point to your router's IP address using an "A" record. The tools for doing this will vary based on the DNS provider you use to manage your domain, but most providers should have some kind of web interface for creating a new A record. For example, let's assume I own the domain www.example.com, and I want to use this custom domain for my application that currently uses the default domain myapp.demouser.cloudbees.net. I would need to go to my DNS provider's web interface and add a new A record for www.example.com and set its value to the router's IP address (ex: 50.16.192.123).

www.example.com = 50.16.192.123

After updating your DNS record, you will need to wait for the DNS entry to propagate, which can take up to a day, but usually not more than an hour. After your DNS record has propagated, running nslookup for www.example.com should return the router's IP address.

# nslookup www.example.com

Step 2 - Update your application configuration

Once your custom domain is set up to forward to the router's IP address, you need to reconfigure your application to use www.example.com as a custom domain name, and you need to bind the new router to your app.

  1. Log in to the appconsole
  2. Select your application
  3. Open the configuration tab
  4. Add your custom domain name to the domain name aliases text box
  5. Select your router in the SSL configuration (your app must be using a paid app container to see this option)
  6. Click the save button

After your application is redeployed, all requests to www.example.com will be forwarded to your CloudBees application via your dedicated router.

Application SSL Pricing

Charges for using SSL are added to the hourly cost of your application.  Please see the CloudBees pricing page for more information.

Deleting a router

To delete a router resource, use:
usage: bees app:resource:delete [options] RESOURCE_NAME
-a,--account <arg>   Account Name
-f,--force           force delete without prompting

Example: Delete the router named acme-ssl
bees app:resource:delete acme-ssl

Tags: ssl
Created by Spike Washburn on 2011/07/20 04:31