Hey CFers,
Like many of you, I have been using IIS on Windows to host my CFML apps for many years. Since having an SSL certificate is essentially mandatory these days, I have started using the free certificates offered by LetsEncrypt. These are great for small business sites that don’t want to shell out money for a paid SSL certificate or for small side-projects. The only downside is that these certificates need to be renewed every few months. Luckily, there’s a fantastic (freemium) tool called Certify SSL Manager (https://certifytheweb.com/) which can automate the process of renewing and re-binding all of your IIS website’s certificates for you. This was a huge game-changer for me since I could just “set it and forget it” and never had to worry about SSL renewals again.
Now, I’m currently in the process of seeing if I can modernize my deployment strategy on newer apps and I’d like to look into using the built-in Commandbox servers which use Undertow instead of IIS. I’ve read the section of the docs that describes how to bind SSL certificates, but from what it looks like, you already need to have a verified/downloaded certificate already and I don’t see any means of automating the process.
Is there a way within the Commandbox ecosystem to accomplish the same thing that software like Certify SSL Manager does for Commandbox/Undertow? It would be great if there was a way to automatically request/bind/renew certificates for production apps that already have a publicly accessible domain name.
You can also get free SSL through cloudflare that terminates there and then proxy to your server over HTTPS.
As far as your question, I don’t know enough about what Certify does to answer. Even with IIS, you still must have the cert on your server’s hard drive, right? How exactly does the new/updated cert make it to your server? Is there some plugin for IIS that actively “pulls” the cert when the server starts? If so, that sounds like a perfect CommandBox module -- something I think has already been talked about before but no one had the interest to actually make it yet.
Thanks for the info on Cloudflare. I have never used them before, so I’ll have to look into it more.
I know you can automate the LetsEncrypt process through a series of PowerShell commands as I have seen several “how to” posts on the subject. Here’s an example. I have a feeling that Certify SSL Manager is a pretty GUI wrapper for a PowerShell script that runs behind the scenes.
I wonder if there’s a way to simulate the same PowerShell style commands from within Commandbox? If it is indeed possible, that would be pretty slick to be able to request and renew certificates right from our good friend Commandbox!
I guess I’m still a little confused how CommandBox would need to work any differently than any other server. For instance, I think we used to use Let’s Encrypt on some of our Ortus servers. Luis simply pointed Nginx at a /var/path/to/cert.pem on the server and then set up a cron job to regenerate every month or so. Nginx never really knew or cared that the cert would change from time to time so long as it was always on the same file system path and Nginx was restarted often enough to pick it up before it expired. How would this be any different if you swap Nginx out for CommandBox in the conversation?
It sounds like you’re saying you had some better or more automated workflow with IIS, but that’s what I’m a little fuzzy on. What exactly did IIS do for you that CommandBox can’t? Now, I can imagine how CommandBox could be better with a server start interceptor, but I’d like to at least understand what it was IIS was doing for you previously.
This is the letsencrypt process. It shouldn’t be hard to deal with the verification automation, but there would still need to be some method of getting the final cert into undertow.
Sorry if my original message was confusing. I’m probably lacking some of the right terminologies to properly describe what I’m looking to accomplish.
The only reason I currently use IIS now is that I’m comfortable with it and I have my workflow ingrained in my brain. However, I’d like to very much move away from the Microsoft ecosystem and start learning how to replace IIS with Coldbox’s built-in server so I can create apps (and deployments) that are less dependent on a particular operating system. I just seem to be missing a few pieces of the puzzle, namely acquiring, binding, and auto-renewing certificates from LetsEncrypt that would help me keep the simplicity of my IIS deployments and give me the power and flexibility that Commandbox offers.
I suppose I was hoping there was a magic bullet within Coldbox or perhaps a Forgebox module that would enable you to simply type something like ssl install site=mysite.com provider=letsencrypt which would take care of:
1. Request the SSL certificate from LetsEncrypt
2. Bind the completed certificate to Undertow’s instance of mysite.com
3. Automatically renew and rebind the certificate every X number of days.
It sounds like the binding part (item 2) could be done with the following Commandbox commands:
server set web.SSL.certFile=/path/to/dev_mydomain_ext.crt
server set web.SSL.keyFile=/path/to/dev_mydomain_ext.key
The automated renewal system (item 3) could be set up within an internal Coldbox scheduler (Lucee/ACF both have scheduled tasks so I assume Commandbox has them too).
However, I don’t know if it is possible to request a certificate from LetsEncrypt directly from within Commandbox. That would be pretty cool though!
I’m not sure if it is feasible, but imagine being able to define the SSL parameters in the server.json file, just like specifying which CFML engine you want. That would be pretty awesome! Here’s a make-believe fantasy example:
Yes, yes, I get the 50,000 ft overview. My question was more about Certify specifically and just exactly what it did outside of the little cron job workflow I described.
I clicked the link and scrolled down that main page and it seems like they have some software you install on your server with an actual integration into IIS that not only makes the HTTP web service requests out to get the new certs but also modifies the IIS config on the fly for you to use those certs. That was the only piece I was missing.
(Lucee/ACF both have scheduled tasks so I assume Commandbox has them too).
You can technically create a scheduled task in CommandBox but you’d have to use the cfschedule tag and it would only run when the actual CLI itself was running so I don’t think it’s very helpful here.
As far as when/how you generate certs, I think options are:
Manual (whether it’s a GUI like Certify or a CLI command) – this should probably exist, but isn’t a good long term workflow
Automatic on a schedule - This would require some sort of cron, scheduled task, etc to randomly fire every X days to get the new cert. I’m fairly certain the server would need to restart in order to pick it up
Automatic on server start - This could tie into CommandBox as an onServerStart interceptor or something that checks if a new cert is needed when the server starts. Easy and no scheduler is needed, but the downside is if the server stays up for 6 months, it would never trigger.
I don’t know if it is possible to request a certificate from LetsEncrypt directly from within Commandbox.
I don’t see why not. I assume it’s just an API call you could make with CFHTTP. Or, worst-case scenario is it’s a local CLI you need to have installed that CommandBox can execute in the native shell.
It sounds like the binding part (item 2) could be done with the following Commandbox commands:
server set web.SSL.certFile=/path/to/dev_mydomain_ext.crt
server set web.SSL.keyFile=/path/to/dev_mydomain_ext.key
Yes, that’s exactly how you could configure a cert file for CommandBox to use.
but imagine being able to define the SSL parameters in the server.json file
If there was a CommandBox module someone wrote that did this, then yes of course it could read custom properties from the server.json file. This is exactly what other modules like FusionReactor or hostsupdater do right now.
So the long and short of this is it’s all possible and has even been talked about before. It’s just that no one has cared enough to spend their time making it. I don’t currently use SSL in CommandBox myself so I don’t care to spend the time unless someone is sponsoring the feature. You’re more than welcome to take a stab at this or try and get some people from the community to help out writing a module that did stuff like:
Build an integration to the Let’s Encrypt API to create certs
Add commands for generating server certs like in a “server cert xxx” namespace that pulls information directly from the CommandBox server
Build an interceptor that can automatically do cert related things every time a server starts up
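To make the “automatic on a schedule” and “bind via server set” pieces discussed above concrete, here is an added example that is not code from this thread or from CommandBox itself. It is the decision logic a scheduled renewal job needs before it touches the server: parse the certificate on disk, compute the days left, decide whether to renew (the 30-day threshold is an assumption, matching the usual practice for 90-day Let’s Encrypt certificates), verify that the private key actually belongs to the certificate before binding it, and render the web.SSL block that the server set web.SSL.certFile / web.SSL.keyFile commands quoted above write into server.json (the web.SSL.enable key is CommandBox’s documented enable switch; the file paths are placeholders). The self-signed certificate is a constructed stand-in for what an ACME client would have written; the ACME call itself is left to whatever client the operator installs, as the thread suggests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// RenewBefore is the renewal threshold in days. Assumption: Let's Encrypt
// certificates last 90 days, so renewing with 30 days left is the common choice.
const RenewBefore = 30

// MakeSelfSignedPEM builds a constructed sample certificate/key pair valid for
// validDays from now. It stands in for the files an ACME client would write.
func MakeSelfSignedPEM(host string, validDays int) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(validDays) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// DaysLeft parses the first certificate in certPEM and returns the whole days
// remaining until its NotAfter date, measured from now (negative if expired).
func DaysLeft(certPEM []byte, now time.Time) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}

// NeedsRenewal is the scheduled job's decision: renew when the certificate is
// within RenewBefore days of expiry, already expired, or unreadable.
func NeedsRenewal(certPEM []byte, now time.Time) (bool, error) {
	days, err := DaysLeft(certPEM, now)
	if err != nil {
		return true, err
	}
	return days <= RenewBefore, nil
}

// KeyMatches confirms the private key belongs to the certificate, so a renewal
// job never binds a fresh cert to a stale key (Undertow would fail the handshake).
func KeyMatches(certPEM, keyPEM []byte) bool {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}

// ServerJSONSSL renders the web.SSL settings that
// `server set web.SSL.certFile=... web.SSL.keyFile=...` store in server.json.
func ServerJSONSSL(certFile, keyFile string) ([]byte, error) {
	cfg := map[string]interface{}{
		"web": map[string]interface{}{
			"SSL": map[string]interface{}{
				"enable":   true,
				"certFile": certFile,
				"keyFile":  keyFile,
			},
		},
	}
	return json.MarshalIndent(cfg, "", "  ")
}

func main() {
	certPEM, keyPEM, err := MakeSelfSignedPEM("mysite.example", 20) // constructed sample, 20 days left
	if err != nil {
		panic(err)
	}
	renew, _ := NeedsRenewal(certPEM, time.Now())
	fmt.Printf("key matches cert: %v, needs renewal: %v\n", KeyMatches(certPEM, keyPEM), renew)
	if renew {
		// A real job would now run the operator's ACME client (assumption: any CLI),
		// re-check KeyMatches on the new files, then re-point CommandBox with
		//   server set web.SSL.certFile=/path/to/cert.pem
		//   server set web.SSL.keyFile=/path/to/key.pem
		//   server restart
		cfg, _ := ServerJSONSSL("/path/to/cert.pem", "/path/to/key.pem") // placeholder paths
		os.Stdout.Write(cfg)
		fmt.Println()
	}
}
```

Run it from a cron job or scheduled task on the host: on an 80-day certificate it reports no renewal needed and exits, on a 20-day one it prints the server.json fragment that would be applied. The KeyMatches check is the step most hand-rolled renewal scripts skip, and it is the one that catches a half-completed renewal where only one of the two files was replaced.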
Ah, sorry for the misunderstanding. Yes, you nailed it. The only difference is that you don’t need to stop/start a website in IIS when you change or re-bind certificates.
I’ll have to play around with setting up my own cron job. If I have to use the operating system, that would be less desirable as it would be great to come up with a universal solution built solely in Commandbox. Perhaps if I configure Commandbox as a service using NSSM (as seen here and here), I could take advantage of cfschedule as you mentioned since Commandbox would always be running in the background.
Either way, I think the first step is to successfully request a cert from LetsEncrypt using Commandbox. I’ll check out the resources @dae…@gmail.com shared to see if I can figure it out. That alone would make for a useful module in Forgebox that hopefully others in the community will get use of even if I can’t figure out the other components.
The only difference is that you don’t need to stop/start a website in IIS when you change or re-bind certificates.
Interesting to know. Honestly, it’s possible Undertow can do live reloads of that too. I’ve never tried but I know there is a change listener that Undertow supports.
Perhaps if I configure Commandbox as a service using NSSM (as seen here and here)
Another, much easier way to run your site as a service using NSSM is to use our commercial CommandBox Service Manager module which also supports Mac and Linux init.d and systemd
[https://www.ortussolutions.com/products/commandbox-service-manager](https://www.ortussolutions.com/products/commandbox-service-manager)
I could take advantage of cfschedule as you mentioned since Commandbox would always be running in the background.
That’s not actually how it works. The service runs the server, not the CLI. It just uses the CLI to kick off the server. Now that said, the current implementation of using a --console server does technically leave a small CLI process in place to buffer the console logs, but I plan to change that in the future so don’t get used to it.