How to setup Let’s Encrypt (SSL) Certificate on OpenShift

In previous posts I have described how to deploy a Node.js application to OpenShift. Now its time to add a custom alias to our Node.js application so that it is accessible through a custom domain, like Currently it is accessible only through Off course we also want valid SSL certificates for our custom domain For that we need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). So obviously we will use that.

Create alias via OpenShift web console
From the Applications section choose your application (e.g. testnode) and then click on change alias. For Domain Name enter your custom domain. Mine is Leave the rest of the fields blank and click Save.

To successfully use this alias, you must have an active CNAME record with your DNS provider. The alias is and the destination app is

My provider is So I went ahead, logged in and under Subdomains -> New Sub Domain I have created a new subdomain Then under DNS Configuration for, I was able to set the CNAME record to for * ( included).

And thats it!

Create certificates
We will need a valid certificate and its corresponding private key to upload to OpenShift for the new domain Under Mac OS X I have used certbot. So go ahead and install certbot:

Once installed run:

OK, that didn’t work. Obviously Let’s Encrypt wants us to prove that we are the truthful owners of The way it verifies ownership is trying to load the above URL ( and compare the received result with the expected result.

We need to modify our Node.js application to return the hash Let’s Encrypt requires when the above URL is GET. In my router.js I have added the below code snippet:

The above code reads the hash from the requested URL and returns it. OK, lets try it one more time.

Hmmmm, that didn’t work either. At this point I should probably read the manual. But apparently when the URL is requested, it expects xxxxxxxxxxx.yyyyyyyyyyy as a result. So I went and modified my router.js again:

Giving it a try again, I finally got my certificates:

The generated certificate and private key is located under /etc/letsencrypt/archive/test.testnode.comc/cert1.pem and /etc/letsencrypt/archive/ respectively.

Upload certificates to OpenShift
For this we will use the OpenShift client tools:

Thats it! Our application is now accessible through