Setting up a domain name for your instance and getting a Let's Encrypt certificate

Introduction

By following the Getting Started guide you can launch an instance with an assigned public IP address. Supposing that your IP address is 62.217.94.10, you should be able to connect to your instance with:

$ ssh ubuntu@62.217.94.10

By following this guide, you will be able to configure a domain name for your instance (e.g. vm.test.os.grnetcloud.net) and get a free SSL/TLS certificate using Let’s Encrypt.

Table Of Contents

  1. Requirements
  2. Configure a domain name
  3. Getting a certificate with Let’s Encrypt

Requirements

Configure a domain name

In order to get a domain name for your instance, you will have to create a DNS Zone, and then add an A record for your IP address. If these words do not sound familiar, do not be afraid, since OpenStack will be doing all the hard work for you. If you are interested in learning more about how DNS works, this article from opensource.com is a great resource to get you started.

The domain name can be configured via either the Dashboard or the CLI. The instructions show screenshots from the Dashboard. At the end of this section, the respective

  1. Log in to the OpenStack dashboard and go to Project > DNS > Zones:

  2. Click on Create Zone, complete the form and Submit.

    Fill in Name (make sure it is SOMETHING.os.grnetcloud.net., mind the final dot), Description and Email Address. Make sure Type is Primary (this is the default), and leave TTL at the default value of 3600.


    If an error pops up saying that creating the zone failed, then it is very likely that the name has been taken by a different user. Try again with a different name.

  3. After a while, your new DNS zone should show up on the list. You can click on the zone name to view information about it and the record sets it contains (OpenStack will automatically create the NS and SOA records that are required for your DNS Zone to function properly).

  4. Now is the time to create your domain name. Click on Create Record Set and complete the form: set Type to A - Address Record, Name to NAME.SOMETHING.os.grnetcloud.net. (this will be the domain name for your instance) and Record to your public IP address. Then, click Submit.

    For this example, we create an A record for vm.test.os.grnetcloud.net pointing to 62.217.94.10. This means that whenever someone types vm.test.os.grnetcloud.net in their browser, DNS will resolve that name to the IP address 62.217.94.10, which is the IP address of our instance.

  5. That’s it! After a few seconds your domain name will be active. You can see it under the record sets list:

You should now be able to do a DNS lookup:

$ host vm.test.os.grnetcloud.net
vm.test.os.grnetcloud.net has address 62.217.94.10

And also connect using the newly configured domain name:

$ ssh ubuntu@vm.test.os.grnetcloud.net

Getting a free TLS/SSL certificate with Let’s Encrypt

About

If you want to host a web server under https, then you need a certificate. Let’s Encrypt is one of the easiest ways to get one for your server for free. The most common tool for managing Let’s Encrypt certificates is Certbot. Certbot only needs to know your domain name, and will automatically manage the whole lifecycle of your certificate (requesting it, retrieving it and renewing it when it is close to expiring). Certbot also integrates very well with the most popular web servers (nginx, apache, etc).

Refer to the very good Certbot website for instructions on installing certbot. For Ubuntu, these typically are:

$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Preparation for getting a Let’s Encrypt certificate

In order for certbot to work with your instance on the OpenStack@Louros deployment, you will have to:

  • Make sure your Security Groups allow port 80.
  • Create a CAA record that allows Let’s Encrypt to issue certificates for your domain name.

Allow port 80

  1. From the Dashboard, go to Project > Network > Security Groups:

  2. Click on Create Security Group and name it allow port 80. Then click on Manage Rules:

  3. Click on Create Rule. Make sure Direction is Ingress and Port is 80. Click on Add.

Create CAA record for your DNS zone

As of the creation of this guide, creating CAA records is not supported by the Dashboard. You will need to use the OpenStack CLI:

  1. Retrieve the Zone ID of your DNS zone SOMETHING.os.grnetcloud.net you have created:

    $ openstack zone list
    +--------------------------------------+------------------------------+---------+------------+--------+--------+
    | id                                   | name                         | type    |     serial | status | action |
    +--------------------------------------+------------------------------+---------+------------+--------+--------+
    | ZONE-PRIMARY-ID                      | test.os.grnetcloud.net.      | PRIMARY | 1584644348 | ACTIVE | NONE   |
    +--------------------------------------+------------------------------+---------+------------+--------+--------+
    
  2. Create a CAA record allowing Let’s Encrypt to issue certificates for your domain. Replace test.os.grnetcloud.net with your own domain, and ZONE-PRIMARY-ID with the output you got from the previous command:

    $ openstack recordset create ZONE-PRIMARY-ID test.os.grnetcloud.net. --type CAA --record "0 issue letsencrypt.org"
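
A record on the zone covers vm.test.os.grnetcloud.net because a CA looks for CAA records on the name itself and then on each parent in turn, and the first record set it finds decides. The script below is an added example, not part of the original guide; `caa_lookup` and its answers (including the parent-zone record) are constructed stand-ins for `dig +short CAA NAME`, and only non-wildcard `issue` records are evaluated.

```shell
#!/bin/sh
# Added example. caa_lookup stands in for `dig +short CAA NAME`; the answers
# below are constructed so that the script runs offline.
caa_lookup() {
    case "$1" in
        test.os.grnetcloud.net) echo '0 issue "letsencrypt.org"' ;;
        os.grnetcloud.net)      echo '0 issue "other-ca.invalid"' ;;  # hypothetical parent policy
    esac
}

# Print the relevant CAA record set for a name: the first non-empty answer
# found while climbing from the name towards the root (RFC 8659, section 3).
relevant_caa() {
    name=${1%.}
    while [ -n "$name" ]; do
        answer=$(caa_lookup "$name")
        if [ -n "$answer" ]; then
            printf '%s\n' "$answer"
            return 0
        fi
        case "$name" in
            *.*) name=${name#*.} ;;   # drop the leftmost label and retry
            *)   name= ;;
        esac
    done
    return 1
}

# Succeed if CA domain $2 may issue a non-wildcard certificate for name $1.
ca_may_issue() {
    records=$(relevant_caa "$1") || return 0   # no CAA on the path: unrestricted
    issue_seen=no
    while read -r flags tag value; do
        [ "$tag" = issue ] || continue          # iodef, issuewild etc. are skipped
        issue_seen=yes
        value=${value#\"}; value=${value%\"}    # strip the quotes dig prints
        value=$(printf '%s' "${value%%;*}" | tr -d ' \t')   # drop parameters
        [ "$value" = "$2" ] && return 0
    done <<EOF
$records
EOF
    [ "$issue_seen" = no ]   # only non-issue tags present: unrestricted
}

for ca in letsencrypt.org other-ca.invalid; do
    if ca_may_issue vm.test.os.grnetcloud.net "$ca"; then
        echo "$ca: may issue"
    else
        echo "$ca: refused"
    fi
done
```

To check a live zone, replace the body of `caa_lookup` with `dig +short CAA "$1"`.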
    

Getting a Let’s Encrypt certificate

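With certbot installed and the rest of the configuration ready, request a standalone certificate from inside your instance. In standalone mode certbot runs its own temporary web server on port 80 to answer the validation request, so nothing else on the instance may be listening on that port while it runs:

$ sudo certbot certonly --standalone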

Done

That’s it! You have successfully set up a domain name for your machine, and also obtained an SSL certificate with Let’s Encrypt!

Aggelos