docs(reference): SSL support for custom domains

Author: Matthew Fisher

docs/managing_deis/configure-load-balancers.rst

@@ -19,7 +19,7 @@ These ports need to be open on the load balancers:
 * 80 (for application traffic and for API calls to the controller)
 * 2222 (for traffic to the builder)
 
-If you want to configure SSL termination on your load balancer, see :ref:`ssl-endpoints`.
+If you want to configure SSL termination on your load balancer, see :ref:`platform_ssl`.
 
 A health check should be configured on the load balancer to send an HTTP request to /health-check at
 port 80 on all nodes in the Deis cluster. The health check endpoint returns an HTTP 200. This enables

docs/managing_deis/production_deployments.rst

@@ -55,4 +55,4 @@ Enable TLS
 ----------
 
 Using TLS to encrypt traffic (including Deis client traffic, such as login credentials) is crucial.
-See :ref:`ssl-endpoints`.
+See :ref:`platform_ssl`.

docs/managing_deis/ssl-endpoints.rst

@@ -2,73 +2,41 @@
 :description: Configure SSL termination for your Deis cluster
 
 
-.. _ssl-endpoints:
+.. _platform_ssl:
 
-SSL/TLS Endpoints
-=================
+Installing SSL for the Platform
+===============================
 
 SSL/TLS is the standard security technology for establishing an encrypted link
 between a web server and a browser. This link ensures that all data passed between the web server
 and browsers remain private and integral.
 
 To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load
-balancer. You must either provide an SSL certificate that was registered with a CA or provide your
-own self-signed SSL certificate.
+balancer. You must either provide an SSL certificate that was registered with a CA or provide
+:ref:`your own self-signed SSL certificate <creating_self_signed_ssl>`.
 
 
-Generating an SSL Certificate
------------------------------
+.. _load_balancer_ssl:
 
-To generate your own self-signed SSL certificate for testing purposes, you can run the following:
-
-.. code-block:: console
-
-    $ openssl genrsa -out server.key 2048
-    $ openssl req -new -key server.key -out server.csr
-
-This will create a private key and a Certificate Signing Request. This CSR is typically sent to a
-CA such as Verisign, but in this example we will be using it to sign our own SSL certificate.
-
-Though most fields are self-explanatory, pay close attention to the following:
-
-+--------------+-------------------------------------------------------------------------+
-| Field        | Description                                                             |
-+==============+=========================================================================+
-| Country Name | The two letter code, in ISO 3166-1 format, of the country in which your |
-|              | organization is based.                                                  |
-+--------------+-------------------------------------------------------------------------+
-| Common Name  | This is the fully qualified domain name that you wish to secure. In     |
-|              | most cases, this will be a wildcard subdomain.                          |
-+--------------+-------------------------------------------------------------------------+
-
-To generate a temporary certificate which is good for 365 days, issue the following command:
-
-.. code-block:: console
-
-    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
-
-.. note::
-
-    Some SSL vendors like RapidSSL will secure both the root domain and the www subdomain if you
-    set the Common Name to www.example.com
-
-    See your vendor's documentation for more information.
-
-
-Installing the SSL Certificate
-------------------------------
+Installing SSL on a Load Balancer
+---------------------------------
 
 On most cloud-based load balancers, you can install a SSL certificate onto the load balancer
 itself. This is the recommended way of enabling SSL onto a cluster, as any communication inbound to
 the cluster will be encrypted while the internal components of Deis will still communicate over
-HTTP. To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80
-on the routers. For EC2, you'll also need to add port 443 in the security group settings for your
-load balancer.
+HTTP.
+
+To enable SSL, you will need to open port 443 on the load balancer and forward it to port 80 on the
+routers. For EC2, you'll also need to add port 443 in the security group settings for your load
+balancer.
 
 See your vendor's specific instructions on installing SSL on your load balancer. For EC2, see their
 documentation on `installing an SSL cert for load balancing`_. For Rackspace, see their
 `Product FAQ`_.
 
+
+.. _router_ssl:
+
 Installing SSL on the Deis Routers
 ----------------------------------
 

docs/reference/domain-ssl.rst

@@ -0,0 +1,148 @@
+:title: Using an SSL Certificate with Deis
+:description: Enabling and configuring SSL on applications using the SSL endpoint.
+
+
+.. _domain_ssl:
+
+Using an SSL Certificate with Deis
+==================================
+
+SSL is a cryptographic protocol that provides end-to-end encryption and integrity for all web
+requests. Apps that transmit sensitive data should enable SSL to ensure all information is
+transmitted securely.
+
+To enable SSL on a custom domain, e.g., ``www.example.com``, use the SSL endpoint.
+
+.. note::
+
+    ``deis certs`` is only useful for custom domains. Default application domains are
+    SSL-enabled already and can be accessed simply by using https,
+    e.g. ``https://foo.deisapp.com`` (provided that you have :ref:`installed your wildcard
+    certificate <router_ssl>` on the routers or :ref:`on the load balancer <load_balancer_ssl>`).
+
+
+Overview
+--------
+
+Because of the unique nature of SSL validation, provisioning SSL for your domain is a multi-step
+process that involves several third-parties. You will need to:
+
+1. Purchase an SSL certificate from your SSL provider
+2. Upload the cert to Deis
+
+
+Acquire SSL Certificate
+-----------------------
+
+Purchasing an SSL cert varies in cost and process depending on the vendor. `RapidSSL`_ offers a
+simple way to purchase a certificate and is a recommended solution. If you’re able to use this
+provider, see `buy an SSL certificate with RapidSSL`_ for instructions.
+
+
+DNS and Domain Configuration
+----------------------------
+
+Once the SSL certificate is provisioned and your cert is confirmed, you must route requests for
+your domain through Deis. Unless you've already done so, add the domain specified when generating
+the CSR to your app with:
+
+.. code-block:: console
+
+    $ deis domains:add www.example.com -a foo
+    Adding www.example.com to foo... done
+
+
+Attach the Certificate
+----------------------
+
+Add your certificate, any intermediate certificates, and private key to the endpoint with the
+``certs:add`` command.
+
+.. code-block:: console
+
+    $ deis certs:add server.crt server.key
+    Adding SSL endpoint... done
+    www.example.com
+
+
+Attach a Certificate Chain
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Sometimes, your certificates (such as a self-signed or a cheap certificate) need additional
+certificates to establish the chain of trust. What you need to do is bundle all the certificates
+into one file and give that to Deis. Importantly, your site’s certificate must be the first one:
+
+.. code-block:: console
+
+    $ cat server.crt server.ca > server.bundle
+
+After that, you can add them to Deis with the ``certs:add`` command:
+
+.. code-block:: console
+
+    $ deis certs:add server.bundle server.key
+    Adding SSL endpoint... done
+    www.example.com
+
+
+Endpoint Details
+----------------
+
+You can verify the details of your domain's SSL configuration with ``deis certs``.
+
+.. code-block:: console
+
+    $ deis certs
+    Common Name      Expires
+    ---------------  ----------------------
+    www.example.com  2016-12-31T00:00:00UTC
+
+
+Testing SSL
+-----------
+
+Use a command line utility like ``curl`` to test that everything is configured correctly for your
+secure domain.
+
+.. note::
+
+    The -k option flag tells curl to ignore untrusted certificates.
+
+Pay attention to the output. It should print ``SSL certificate verify ok``. If it prints something
+like ``common name: www.example.com (does not match 'www.somedomain.com')`` then something is not
+configured correctly.
+
+Remove Certificate
+------------------
+
+You can remove a certificate using the ``certs:remove`` command:
+
+.. code-block:: console
+
+    $ deis certs:remove www.example.com
+    Removing www.example.com... Done.
+
+
+Troubleshooting
+---------------
+
+Here are some steps you can follow if your SSL endpoint is not working as you'd expect.
+
+
+Untrusted Certificate
+^^^^^^^^^^^^^^^^^^^^^
+
+In some cases when accessing the SSL endpoint, it may list your certificate as untrusted.
+
+If this occurs, it may be because it is not trusted by Mozilla’s list of `root CAs`_. If this is
+the case, your certificate may be considered untrusted for many browsers.
+
+If you have uploaded a certificate that was signed by a root authority but you get the message that
+it is not trusted, then something is wrong with the certificate. For example, it may be missing
+`intermediary certificates`_. If so, download the intermediary certificates from your SSL provider,
+remove the certificate from Deis and re-run the ``certs:add`` command.
+
+.. _`RapidSSL`: https://www.rapidssl.com/
+.. _`buy an SSL certificate with RapidSSL`: https://www.rapidssl.com/buy-ssl/
+.. _`root CAs`: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
+.. _`intermediary certificates`: http://en.wikipedia.org/wiki/Intermediate_certificate_authorities

docs/reference/index.rst

@@ -11,6 +11,8 @@ Reference Guide
 
     usage
     terms/index
+    domain-ssl
+    self-signed-certs
     client
     server/index
     api-v1.0

docs/reference/self-signed-certs.rst

@@ -0,0 +1,73 @@
+:title: Creating a Self-Signed SSL Certificate
+:description: How to generate a self-signed certificate for securing your application's endpoints
+
+.. _creating_self_signed_ssl:
+
+Creating a Self-Signed SSL Certificate
+======================================
+
+When :ref:`using the domain ssl <domain_ssl>` feature for non-production applications or when
+:ref:`installing SSL for the platform <platform_ssl>`, you can avoid the costs associated with the SSL
+certificate by using a self-signed SSL certificate. Though the certificate implements full
+encryption, visitors to your site will see a browser warning indicating that the certificate should
+not be trusted.
+
+
+Prerequisites
+-------------
+
+The openssl library is required to generate your own certificate. Run the following command in your
+local environment to see if you already have openssl installed.
+
+.. code-block:: console
+
+    $ which openssl
+    /usr/bin/openssl
+
+If the which command does not return a path then you will need to install openssl yourself:
+
++----------------+---------------------------------+
+| If you have... | Install with...                 |
++================+=================================+
+| Mac OS X       | Homebrew: brew install openssl  |
++----------------+---------------------------------+
+| Windows        | complete package .exe installed |
++----------------+---------------------------------+
+| Ubuntu Linux   | apt-get install openssl         |
++----------------+---------------------------------+
+
+
+Generate Private Key and Certificate Signing Request
+----------------------------------------------------
+
+A private key and certificate signing request are required to create an SSL certificate. These can
+be generated with a few simple commands. When the openssl req command asks for a “challenge
+password”, just press return, leaving the password empty.
+
+.. code-block:: console
+
+    $ openssl genrsa -des3 -passout pass:x -out server.pass.key 2048
+    ...
+    $ openssl rsa -passin pass:x -in server.pass.key -out server.key
+    writing RSA key
+    $ rm server.pass.key
+    $ openssl req -new -key server.key -out server.csr
+    ...
+    Country Name (2 letter code) [AU]:US
+    State or Province Name (full name) [Some-State]:California
+    ...
+    A challenge password []:
+    ...
+
+
+Generate SSL Certificate
+------------------------
+
+The self-signed SSL certificate is generated from the server.key private key and server.csr files.
+
+.. code-block:: console
+
+    $ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+
+The server.crt file is your site certificate suitable for use with
+:ref:`Deis's SSL endpoint <domain_ssl>` along with the server.key private key.