Journey to Jekyll: Part 6 - SSL with ZeroSSL on IBM Cloud/ Bluemix

This site is set up on IBM Cloud and built using Jekyll. When I took a casual look at securing this blog site with HTTPS, it looked like using ZeroSSL (as a free SSL certificate provider) should have been quite easy.

However, it took me quite a few hours to find all the little details that are required for everything to work nicely in my combination:

Each piece adds a unique step that is required to be completed and I’ve jotted down the steps to be able to remember them, and also to help anyone else who might want to go down the same path.

The Story so far…

I have slowly been covering my journey to Jekyll with Bluemix/ IBM Cloud on this blog, and here is what we have so far (all in one place):

So, with this, and the constant reminder that having SSL on your site is useful (especially if you care about Google SEO), the next logical step is to add SSL to your site so that you now have an HTTPS site! So, let’s get that done.

Step-by-Step SSL for our Combination

These are the steps:

  1. Sign up at ZeroSSL to get a certificate: go to the ZeroSSL website and go through the process. If this is the only domain you are securing and you don’t mind updating certifciates manually every 90 days, the free plan will work just fine. You can leave in the defaults as they have it since those are all sensible defaults.
  2. Once you complete the process of entering all the details, you will need to prove that you own the domain and there are 3 ways to do it (get an email, set a DNS CNAME record or upload a file). While you can choose whichever method you want, I will touch on the third method since it requires you to know a bit more about Jekyll and the Staticfile buildpack.
  3. Showing domain ownership using a file you upload to the site – if you choose this method, you will need to download a file from ZeroSSL and put it on your site at a fixed URL. Since we’re using Jekyll, we’ll need to upload this using Jekyll.
  4. Once all this is done, you will have created the certificate. You will now be able to download a zip file with the certificates in them. Get this onto your computer and let’s go on to the next step of making it work with IBM Cloud.
  5. Assuming your custom domain is configured and the routes to your application are set up, go to IBM Cloud and upload the certificate from Manage Domains. While uploading, follow this to decide what to upload for each of the fields:
    • Private key – the file named private.key with no password
    • Certificate – the file named certificate.crt
    • Intermediate Certificates – the file named ca_bundle.crt
  6. Now that this is done, you would expect that it would all work – but it may not. This depends on how you set up the CNAME or A record for your DNS to point to Bluemix.
  7. When searching, I found confliting pieces of advice:
    • One article said that a CNAME won’t work – you need to set it to an A record. I searched and found that we need to point it to IP addresses for the load balancer in that region. I tried that but it did not work.
    • What did work was to set up a CNAME record to point to hostname of the region where the app is deployed. There is a list on but this really should be listed somewhere prominently on the Bluemix site (and not found from blogs)… in any case, here are a few of the load balancers:
      • US South:
      • London:
      • Sydney:
  8. Finally, update the site URL in _config.yml to start with HTTPS – for example, mine reads as url: '' so that all references to the site URL use HTTPS

Finally, rebuild your site and do a push to the server. With all this in place, it should finally properly work.

One final reminder: as you know, the certificate is for 90 days – remember to update!!

comments powered by Disqus