If you are writing a web application for all but the most trivial use cases, you will probably require SSL (i.e. HTTPS) to encrypt traffic between the user’s browser and your app’s server. Here are some important reasons why:
- you want to prevent user credentials or other sensitive data from being eavesdropped by a third party
- you want your users to see that their browser is indeed talking to a legitimate server of your app
- you want your app’s site to be ranked higher with search engines
Securing your app: the old way
Until now, if you wanted to secure your app running in the Swisscom Application Cloud you had the following options:
- Run your app on one of the shared domains (e.g. scapp.io). The Swisscom Application Cloud supports SSL on its shared domains. However, this is not an option for commercially marketed apps, since you usually want these to run on a domain of your own choice.
- Follow Pivotal’s recommendation and use a CloudFlare proxy which supports SSL and forwards traffic to your app running in the Swisscom Application Cloud. This, however, means that you have two separate places in which to administer your app. Furthermore, it is your own responsibility to create a certificate and renew it in due time.
Automated SSL certificate management in the Swisscom Application Cloud
As of the latest release of the Swisscom Application Cloud we are offering a solution which renders the above workarounds obsolete. By integrating our cloud with Let’s Encrypt, we now enable you to create, install, uninstall and revoke SSL certificates for your apps with just a few clicks, within seconds and without ever leaving the Developer Console. We then also take care of automatically renewing your certificates shortly before they expire. Here’s the best part about this new feature though: Managing SSL certificates in this way comes at no extra cost!
Let’s take a closer look at how you can secure your app using this new feature and also at what goes on behind the scenes when you do so. Let’s assume you want to secure the UI web app for your product grmblr currently running on the route grmblr-ui.scapp.io in the Swisscom Application Cloud.
Prepare your domain and route
You start off with the domain you have registered for your app, say grmblr.ch. As a first step, you create a CNAME record in the zone file of the nameserver responsible for this domain. The CNAME record defines a new subdomain for your UI web app and points to the app running in the Swisscom Application Cloud. Here’s what it would look like in bind format:
ui IN CNAME grmblr-ui.scapp.io.
This tells the nameserver that the subdomain ui.grmblr.ch is an alias for the route already running. Furthermore, this step links your subdomain to the Swisscom Application Cloud and proves to us that the subdomain is intended to be handled by us. As a next step, if you have not done so already, you would also set up the domain grmblr.ch and the route ui.grmblr.ch in the Developer Console.
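The following is an added example, not Swisscom's code, that parses a CNAME line in bind syntax and then performs the kind of check the platform is described as doing later in this post before ordering a certificate: is there a CNAME for the route's hostname whose target lies under one of the shared domains? The shared-domain list (only scapp.io, as named in this post), the zone contents and the stand-in resolver are constructed for the example; the real lookup goes to live DNS. It also shows the two mistakes a practitioner most often hits here: a target without the trailing dot, which bind treats as relative to the zone origin, and a look-alike domain that a naive suffix check would accept.

```python
import re

# Shared domains of the platform; the post names scapp.io, the tuple itself is constructed.
SHARED_DOMAINS = ("scapp.io",)

# One CNAME line in bind zone-file syntax: owner [ttl] [IN] CNAME target [; comment]
CNAME_LINE = re.compile(
    r"^\s*(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)\s*(?:;.*)?$",
    re.IGNORECASE,
)


def qualify(name: str, origin: str) -> str:
    """Resolve a zone-file name to an absolute FQDN (lowercase, no trailing dot).
    Names without a trailing dot are relative to the zone origin, which is why
    'grmblr-ui.scapp.io' without the dot silently becomes a name under grmblr.ch."""
    name, origin = name.lower(), origin.lower().rstrip(".")
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_cname(line: str, origin: str):
    """Return (owner_fqdn, target_fqdn) for a CNAME line, or None if it is not one."""
    m = CNAME_LINE.match(line)
    if not m:
        return None
    return qualify(m["owner"], origin), qualify(m["target"], origin)


def is_subdomain_of(name: str, zone: str) -> bool:
    """Label-wise comparison, so 'notscapp.io' does not pass as 'scapp.io'."""
    n, z = name.split("."), zone.split(".")
    return len(n) > len(z) and n[-len(z):] == z


def route_is_delegated(subdomain: str, resolve_cname, shared_domains=SHARED_DOMAINS) -> bool:
    """The platform-side check before ordering a certificate: does the route's
    hostname have a CNAME whose target lies under one of the shared domains?
    resolve_cname(hostname) -> target FQDN or None is injected so the logic can
    be exercised with a constructed zone instead of live DNS."""
    target = resolve_cname(subdomain.lower().rstrip("."))
    return target is not None and any(is_subdomain_of(target, d) for d in shared_domains)


def zone_resolver(zone_text: str, origin: str):
    """Build a CNAME-only resolver from zone-file text (a stand-in for a DNS lookup)."""
    table = {}
    for line in zone_text.splitlines():
        rec = parse_cname(line, origin)
        if rec:
            table[rec[0]] = rec[1]
    return table.get


# Constructed zone for grmblr.ch: a correct record, a target missing its trailing
# dot, and a look-alike domain that is not the platform's.
ZONE = """\
ui      IN CNAME grmblr-ui.scapp.io.
api     IN CNAME grmblr-api.scapp.io
shop    IN CNAME grmblr-shop.notscapp.io.
"""

if __name__ == "__main__":
    lookup = zone_resolver(ZONE, "grmblr.ch")
    for host in ("ui.grmblr.ch", "api.grmblr.ch", "shop.grmblr.ch"):
        print(host, "->", lookup(host), "delegated:", route_is_delegated(host, lookup))
```

Running the block shows only ui.grmblr.ch as delegated: the api record resolves to grmblr-api.scapp.io.grmblr.ch because of the missing dot, and the shop record points outside the platform. Checking the target label by label rather than with a string suffix is what keeps the third case out.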
Create a certificate for your app’s route
In order to secure your route ui.grmblr.ch with an SSL certificate, all you have to do is click on the lock button displayed when you select that particular route.
This will open the certificate creation window with your route preselected.
To create a certificate and install it on your route, just hit the “Create” button and you’re done! After a few seconds you will see a green lock icon appearing next to your route, indicating that the certificate has been created and installed.
When you click on the link to the app in the app’s detail view, you will notice that you are now connecting to your app via HTTPS with a valid certificate.
Let’s look at what happens behind the scenes to make this possible. When you click on the “Create” button the following things happen:
- We perform a lookup in DNS to check whether there is a record pointing to a Swisscom Application Cloud shared domain. This confirms to us that the domain in question is to be managed by us.
- We order an SSL certificate at Let’s Encrypt for your route on your behalf.
- Let’s Encrypt challenges us to prove that we are indeed controlling the domain in question. It does this by asking us to sign a nonce and publish the result as an HTTP resource on that domain. Let’s Encrypt will then perform a GET request on this resource to retrieve and check the signed nonce.
- We complete the challenge, obtain a certificate for your route from Let’s Encrypt and store it.
- We install your certificate on our entry server, which terminates SSL and load-balances across one or more app instances per route.
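To make the challenge step concrete, here is an added example (not Swisscom's or Let's Encrypt's code) that plays both sides of ACME's HTTP-01 challenge as specified in RFC 8555, which is the exchange the list above describes: the CA hands out a random token, the platform publishes the token bound to its account key under the well-known path, and the CA fetches that resource over HTTP and compares it to what it computed itself. The account keys are constructed placeholder JWKs (only their public members feed the RFC 7638 thumbprint), the "CA" and the "entry server" are functions in one process talking over loopback, and the real exchange additionally carries a signed JWS request to the CA, which is not shown.

```python
import base64
import hashlib
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # path fixed by RFC 8555


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed account keys: only the public JWK members matter for the thumbprint,
# so the coordinates are placeholder bytes, not real curve points.
PLATFORM_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                        "x": b64url(b"\x11" * 32), "y": b64url(b"\x22" * 32)}
SOMEONE_ELSES_JWK = {"kty": "EC", "crv": "P-256",
                     "x": b64url(b"\x33" * 32), "y": b64url(b"\x44" * 32)}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the CA expects to read back: the token bound to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


# --- CA side (stands in for Let's Encrypt) ---
def ca_issue_challenge() -> dict:
    """The CA hands out a random, single-use token for the HTTP-01 challenge."""
    return {"type": "http-01", "token": b64url(secrets.token_bytes(32))}


def ca_validate(base_url: str, token: str, account_jwk: dict) -> bool:
    """The CA fetches the resource and compares it with the key authorization it
    computes from the token and the account key it already knows."""
    try:
        with urllib.request.urlopen(f"{base_url}{CHALLENGE_PREFIX}{token}", timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.URLError:
        return False  # 404, connection refused and the like: the challenge fails
    return secrets.compare_digest(body, key_authorization(token, account_jwk))


# --- Platform side (stands in for the cloud's entry server) ---
_INSTALLED = {}  # token -> key authorization currently being served


def install_challenge(token: str, account_jwk: dict) -> str:
    """Publish the key authorization under the well-known path for this token."""
    _INSTALLED[token] = key_authorization(token, account_jwk)
    return _INSTALLED[token]


class ChallengeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else ""
        body = _INSTALLED.get(token)
        if not token or body is None:
            self.send_response(404)
            self.end_headers()
            return
        payload = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_challenge_server():
    """Serve on a loopback port chosen by the OS; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base_url = start_challenge_server()
    challenge = ca_issue_challenge()
    install_challenge(challenge["token"], PLATFORM_ACCOUNT_JWK)
    print("platform account key:", ca_validate(base_url, challenge["token"], PLATFORM_ACCOUNT_JWK))
    print("foreign account key: ", ca_validate(base_url, challenge["token"], SOMEONE_ELSES_JWK))
    server.shutdown()
```

The second validation fails even though the resource is reachable, which is the point of the thumbprint: serving the bare token would prove only that someone can publish on the host, while the key authorization ties the proof to the specific ACME account that placed the order.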
Installing / uninstalling certificates
In order to switch SSL on and off on a route, the Developer Console also lets you install and uninstall certificates. To do this, just select a particular certificate and click on the power button. This toggles the certificate between an installed and an uninstalled state.
When you uninstall a certificate, we remove it from the entry server but keep it for later reinstallation. Incidentally, uninstalling a certificate should not be confused with revocation, which we also offer.
Shortly before your certificate’s expiration date is reached, we automatically trigger a renewal with Let’s Encrypt. This will renew your certificate without requiring any interaction on your part.
In case you ever run into reasons to revoke an SSL certificate, we also support this in an automated way. Just select the certificate which you want to revoke and click on the trash can button. After a short while you will see your certificate listed as “Revoked” in the routes sidebar.
Behind the scenes we make a signed request to Let’s Encrypt to revoke the certificate. Let’s Encrypt in turn checks the signature to make sure that we are authorized to revoke the certificate and then publishes the revocation information to the usual revocation channels where browsers will find it and hence no longer trust the certificate.
Swisscom Application Cloud is proud to be one of the first cloud providers to be able to offer fully automated lifecycle management of SSL certificates and to give you a streamlined experience when securing your apps. Finally, it’s time to get rid of your old workarounds and let us handle SSL certificates for you. Give it a try and be sure to let us know what you think of this new feature, by commenting on this blog post or by joining us at one of our regular meetups (see https://developer.swisscom.com/events and http://www.meetup.com/de-DE/CloudFoundry-User-Group-DACH/)!