CirrusGrid PaaS provides several ways to configure SSL for environments. The available options depend on the particular topology and target domains:
- environments with a public IP as an entry point can use the Let’s Encrypt SSL and Custom SSL options to automatically secure connections to any attached domain
- the Built-In SSL option automatically configures SSL for the base domain of an environment without a public IP
- if SSL should be set up for custom domains on an environment without an external IP, the Custom SSL via SLB feature can be used
The feature lets you set up Custom SSL certificates without requiring an external IP attached to the entry point of the environment. As the first step of this approach, a private key, the domain certificate and, optionally, an intermediate certificate are uploaded to the CirrusGrid database. Next, the data is synced across the cluster of Shared Load Balancers. The SLB selects among the SSL certificates using SNI.
Server Name Indication (SNI) is an extension to the TLS protocol through which clients send the name of the domain they request. SNI allows the server to provide a certificate for the correct domain even when the full list of hostnames cannot be known in advance.
Currently, all configuration is performed via the API (UI support will be implemented in future releases):
- GetSSLCerts (session, [ids]) – lists all certificates for the current user (or the ones specified in the ids parameter)
- AddSSLCert (session, key, cert, [interm]) – uploads private key, domain certificate, and intermediate certificate to Jelastic database (can be provided via links or as a parameter body)
- EditSSLCert (session, id, [key], [cert], [interm]) – updates the specified certificate (to delete intermediate certificate use “*”, “null”, or “none” as a value)
- RemoveSSLCerts (session, ids) – removes the specified certificates (use “*” to select all); assigned certificates cannot be deleted and should be unbound first
- BindSSLCert (session, envName, certId, [entryPoint], [extDomains]) – binds the specified SSL certificate to the environment or, if SLB is set as entryPoint, binds it on SLB to the listed external domain names
- UnbindSSLCert (session, envName, [extDomains]) – unbinds SSL certificate from the environment or, if the extDomains parameter is provided, from the listed custom domains on SLB
- BindExtDomains (session, envName, extDomains, [certId]) – binds custom domain names to the environment and, if the certId parameter is provided, installs the appropriate certificate on SLB
- GetExtDomains (session, envName) – lists custom domains attached to the environment
So, to attach custom SSL to an environment without a public IP through the SLB, you need to upload your certificates to the CirrusGrid database (AddSSLCert) and bind them to new or existing custom domains (BindExtDomains or BindSSLCert respectively).