This site is set up on IBM Cloud and built using Jekyll. When I took a casual look at securing this blog site with HTTPS, it looked like using ZeroSSL (as a free SSL certificate provider) should have been quite easy.
However, it took me quite a few hours to find all the little details that are required for everything to work nicely in my combination:
- An SSL certificate from ZeroSSL
- To secure a blog built with Jekyll
- Deployed to IBM Cloud
- Using the Staticfile Buildpack
Each piece adds a unique step that is required to be completed and I’ve jotted down the steps to be able to remember them, and also to help anyone else who might want to go down the same path.
The Story so far…
I have slowly been covering my journey to Jekyll with Bluemix/ IBM Cloud on this blog, and here is what we have so far (all in one place):
- The beginning: Jekyll on Bluemix for new users – the very first post on everything that is needed to upload your first blog item using Jekyll to Bluemix/ IBM Cloud
- Adding a custom domain to your site on IBM Cloud – moving away from the domain name provided by IBM Cloud to your own
- Adding Google Analytics to your site
- Using AddThis to allow users to share content from your site
- Doing zero downtime updates to your site on IBM Cloud
- Updating the buildpack that your site uses
So, with this, and the constant reminder that having SSL on your site is useful (especially if you care about Google SEO), the next logical step is to add SSL to your site so that you now have an HTTPS site! So, let’s get that done.
Step-by-Step SSL for our Combination
These are the steps:
- Sign up at ZeroSSL to get a certificate: go to the ZeroSSL website and go through the process. If this is the only domain you are securing and you don’t mind updating certifciates manually every 90 days, the free plan will work just fine. You can leave in the defaults as they have it since those are all sensible defaults.
- Once you complete the process of entering all the details, you will need to prove that you own the domain and there are 3 ways to do it (get an email, set a DNS CNAME record or upload a file). While you can choose whichever method you want, I will touch on the third method since it requires you to know a bit more about Jekyll and the Staticfile buildpack.
- Showing domain ownership using a file you upload to the site – if you choose this method, you will need to download a file from ZeroSSL and put it on your site at a fixed URL. Since we’re using Jekyll, we’ll need to upload this using Jekyll.
- The first problem is that the file needs to be in the directory
/.well-known/pki-validation/– since this starts with a dot, you can’t just put it into your Jekyll build folder and expect it to work. Follow the instructions for uploading directories that start with a dot so that you can upload the file to the correct directory - The second thing you need to do is to follow the instructions on the linked page to get the Staticfile Buildpack to actually serve a directory that has a name starting with a dot
- Once this is done, you should be able to verify the domain
- The first problem is that the file needs to be in the directory
- Once all this is done, you will have created the certificate. You will now be able to download a zip file with the certificates in them. Get this onto your computer and let’s go on to the next step of making it work with IBM Cloud.
- Assuming your custom domain is configured and the routes to your application are set up, go to IBM Cloud and upload the certificate from Manage Domains. While uploading, follow this to decide what to upload for each of the fields:
- Private key – the file named
private.keywith no password - Certificate – the file named
certificate.crt - Intermediate Certificates – the file named
ca_bundle.crt
- Private key – the file named
- Now that this is done, you would expect that it would all work – but it may not. This depends on how you set up the CNAME or A record for your DNS to point to Bluemix.
- When searching, I found confliting pieces of advice:
- One article said that a CNAME won’t work – you need to set it to an A record. I searched and found that we need to point it to IP addresses for the load balancer in that region. I tried that but it did not work.
- What did work was to set up a CNAME record to point to hostname of the region where the app is deployed. There is a list on https://www.tonyerwin.com/2014/09/bluemix-ui-ssl-certificates-and-custom.html but this really should be listed somewhere prominently on the Bluemix site (and not found from blogs)… in any case, here are a few of the load balancers:
- US South: secure.us-south.bluemix.net
- London: secure.eu-gb.bluemix.net
- Sydney: secure.au-syd.bluemix.net
- Finally, update the site URL in
_config.ymlto start with HTTPS – for example, mine reads asurl: 'https://notepad.onghu.com'so that all references to the site URL use HTTPS
Finally, rebuild your site and do a push to the server. With all this in place, it should finally properly work.
One final reminder: as you know, the certificate is for 90 days – remember to update!!