SSL in Galaxy
Add SSL to Meteor Galaxy

May 2016

Server management is not my thing. That was one of the primary reasons I chose to host www.glulessapp.com on Galaxy. So when it came time to install an SSL certificate I was in unfamiliar territory. If you've found yourself in the same situation, read on.


Create a key

The first step to getting an SSL certificate is creating a private key. The key is then used to create a CSR (certificate signing request), which you hand to a certificate authority (CA); the CA uses the CSR to issue the actual certificate. Only the CSR goes to the CA; the private key never leaves your hands.

All of the tutorials I could find on the subject said to run some commands on the server to generate the key. The problem is that with Galaxy we don't have access to the servers. However, I found out (on that wonderful site, StackOverflow) that you can generate the key on ANY computer, as long as the key ends up on the server that will serve the certificate; with Galaxy that last step is the SSL upload in the app settings. First, you'll need openssl on your computer. If you're on a Mac, brew will serve you well:

$ brew install openssl

Then you can create the key like so. The resulting file is your private key: keep it readable only by you, and never commit it to source control.

$ openssl genrsa -out myhost.mydomain.com.key 2048

Create a CSR

The final command you need to run on your local machine generates the certificate signing request. When you execute it you'll be prompted for a handful of fields.

  • Make sure you set the Common Name field to your app's address. If you intend to secure https://www.yourdomain.com, then your CSR's Common Name must be www.yourdomain.com. If you plan on getting a wildcard certificate, prefix your domain with an asterisk, for example *.domain.com. Note that browsers now match the host against the certificate's subjectAltName rather than the Common Name; CAs add a SAN for the Common Name when issuing, so check that the certificate you get back lists your host there.
  • Leave the challenge password field blank.
$ openssl req -new -sha256 -key myhost.mydomain.com.key -out myhost.mydomain.com.csr
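The commands above, wrapped into a script so the prompts are answered from a config file and the CSR can be checked before it is uploaded. This is an added example, not code from the original post; the host name www.example.com, the file paths and the function names are placeholders. It goes slightly beyond the post by also writing a subjectAltName into the CSR and by confirming that the CSR was produced from the key on disk (a mismatch here means the certificate the CA issues will not work with your key).

```shell
#!/bin/sh
# Added example, not code from the original post: generate the private key,
# build a CSR that names the host in both the Common Name and a
# subjectAltName, and confirm the CSR really belongs to that key before
# sending it to the CA. The host name and file paths are placeholders.
set -eu

# 2048-bit RSA key, created under a restrictive umask so the file is 0600.
# This is the one file that must never leave your machine except to be
# pasted into the Galaxy SSL settings page.
make_key() {             # $1 = output key path
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Minimal openssl config for the CSR. Browsers ignore the Common Name and
# only trust names listed in subjectAltName, so the host goes in both.
write_csr_config() {     # $1 = config path, $2 = host name
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = $2

[v3_req]
subjectAltName = DNS:$2
EOF
}

# Same command as the post, with the interactive questions answered from the
# config file instead of the prompt; no challenge password is set.
make_csr() {             # $1 = key, $2 = config, $3 = output csr path
    openssl req -new -sha256 -key "$1" -config "$2" -out "$3"
}

# Read back what the CSR actually says before uploading it.
csr_cn() {               # $1 = csr
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
csr_san() {              # $1 = csr
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# The CSR carries the public half of the key. If it does not match the key
# on disk (wrong file, regenerated key), the certificate the CA issues will
# be useless, so compare the two public keys by hash.
csr_matches_key() {      # $1 = key, $2 = csr
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl req -in "$2" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}
```

Source the file and run `make_key host.key`, `write_csr_config csr.cnf www.yourdomain.com`, `make_csr host.key csr.cnf host.csr`, then `csr_cn host.csr`, `csr_san host.csr` and `csr_matches_key host.key host.csr` before uploading host.csr to the CA.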

Supply the CSR to a certificate authority

I used GoDaddy as my certificate authority, mainly because their $3.99/year offer lured me in and their landing page made it all sound so easy. You'll need to follow their steps, which include uploading the .csr file and responding to some emails, which they send to the registered contact from the WHOIS records. I bought my domain through AWS and, when setting it up, chose the option to keep my contact details private. To make sure that GoDaddy could contact me (the registered owner) I had to temporarily expose my contact information in the domain records.

Combine your .crt files

GoDaddy supplied me with two .crt files. The smaller one is your own certificate; the larger one (with the word 'bundle' in its name) holds the intermediate certificates that link your certificate to GoDaddy's root. The bundle needs to be concatenated onto the end of the smaller file, in that order: your certificate first, then the bundle. A plain old text editor will do. Note that if you supply only the smaller file to Galaxy, your certificate will appear fine on computers but fail on mobile devices. Hackviking explains why:

Phone browsers have fewer trusted root and intermediate certificates than many desktop browsers. This can make your https site look good on the web but fail on mobile devices. Errors like "unable to verify the identity of the server" and others along those lines can show up. This is because the certification chain cannot be verified. Doesn't matter what supplier of SSL certificates you use, they all end up in a few root certificates that are shipped with browsers and operating systems as trusted certificates.
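To see the chain problem without waiting on a CA, here is a throwaway root CA, an intermediate and a leaf built locally with openssl. This is an added example, not code from the original post or from GoDaddy; "Example Root CA", www.example.com and the file names are placeholders. The root plays the part of the certificate a phone ships with, the intermediate plays the part of the 'bundle' file, and the leaf is the smaller file the CA sends you. Verifying the leaf against the root alone fails, verifying it with the combined file succeeds, and the first certificate in the combined file has to be yours, because that is the one the server presents as its identity.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway root CA
# and intermediate CA, issue a leaf certificate through the intermediate, and
# show (a) why the leaf on its own fails to verify when only the root is
# trusted and (b) why the combined file must start with the leaf.
# All names ("Example Root CA", www.example.com) are placeholders.
set -eu

# One openssl config serves every step: a DN section (subjects are passed
# with -subj, which overrides it), CA extensions, and end-entity extensions.
write_ca_config() {      # $1 = output path, $2 = host name for the leaf
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectAltName = DNS:$2
EOF
}

# Self-signed root, intermediate signed by the root, leaf signed by the
# intermediate. The leaf is what a CA like GoDaddy hands back, the
# intermediate is the "bundle", the root is what browsers and phones ship.
build_demo_pki() {       # $1 = working dir, $2 = host name
    write_ca_config "$1/ca.cnf" "$2"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 1 \
        -subj "/CN=Example Root CA" -config "$1/ca.cnf" -extensions v3_ca \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=Example Intermediate CA" -config "$1/ca.cnf" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/ca.cnf" -extensions v3_ca \
        -out "$1/int.crt" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=$2" -config "$1/ca.cnf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$1/ca.cnf" -extensions v3_leaf \
        -out "$1/leaf.crt" 2>/dev/null
}

# What a phone that only knows the root does when the server sends the leaf
# alone: it cannot find the leaf's issuer, so verification fails.
verify_leaf_only() {     # $1 = dir
    openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# What happens when the uploaded file also carries the intermediate: the
# chain leaf -> intermediate -> root can be built and verification passes.
verify_with_bundle() {   # $1 = dir, $2 = combined certificate file
    openssl verify -CAfile "$1/root.crt" -untrusted "$2" "$1/leaf.crt" >/dev/null 2>&1
}

# The "combine your .crt files" step from the post: leaf first, then bundle.
combine() {              # $1 = leaf .crt, $2 = bundle .crt, $3 = output
    cat "$1" "$2" > "$3"
}

# CN of the first certificate in a file. A server presents the first
# certificate as its own identity, so this must be your host name.
first_cert_cn() {        # $1 = certificate file
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Once the real certificate is live, the same check from the outside is `openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com`: the output should list your certificate first in the chain and end with `Verify return code: 0 (ok)`. If only one certificate appears in the chain, the bundle was not appended.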

Upload the key and certificate to Galaxy

We're on the home straight now. Go to the settings page for your app, scroll down to the SSL section, and upload your key and the combined certificate file. You'll be rewarded with that beautiful padlock in the browser.

Redirect http to https

To make sure that any http traffic is redirected to https, add the force-ssl package:

$ meteor add force-ssl