Cloud
May 13, 2022 By Takeyuki Nakajo 8 min read

How to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

If you are looking for configuration to get your Cloud Foundry applications accessed via https://<appname>.<your custom domain> instead of the default https://<appname>.mybluemix.net, you can refer to these articles in the documentation: 

If you’re still not quite sure how do the full process, however, this post will provide step-by-step instructions on how to configure your Cloud Foundry applications so they can be accessed by your custom domain and its SSL certificate.

You’ll learn how to do the following:

  1. Add a custom domain
  2. Upload a certificate for your domain
  3. Add an app route with the custom domain
  4. Configure DNS for custom domains
  5. Verify the results

Prerequisites

First, you need to make you have your own domain and its SLL certificate files:

  1. Acquire and register an Internet domain name.
  2. Obtain an SSL certificate, private key and (optionally) an intermediate certificate.

Acquire and register an Internet domain name

You will need to own the domain name that you plan to use. In addition, it must be registered with a DNS service provider that allows you to make configuration changes. For example, I own the tnexample.com domain by using the IBM Cloud Domain Name Service and use the IBM Cloud Internet Service for DNS management. 

If you don’t have a custom domain yet, you can buy a domain from any domain name registrars. Also, you can buy a domain from the IBM Cloud Domain Name Registration service. You can register your new domain here

If you don’t have a DNS service provider, you can use the IBM Cloud Internet Services (CIS). It has the Domain DNS management feature. You can create an instance of CIS here

Obtain an SSL certificate, private key and (optionally) an intermediate certificate

You will need a SSL certificate with your domain and the following files. You can obtain the files from a trusted certificate authority:

  • Certificate: A digital document that binds a public key to the identity of the certificate owner, which enables the certificate owner to be authenticated. A certificate is issued by a certificate authority and is digitally signed by that authority.
  • Private key: An algorithmic pattern used to encrypt messages that only the corresponding public key can decrypt. The private key is also used to decrypt messages that were encrypted by the corresponding public key. The private key is kept on the user system and is protected by a password.
  • Intermediate certificate: The trusted root certificate authority (CA) issues a subordinate certificate specifically to issue end-entity server certificates. This creates a certificate chain that starts at the trusted root CA, passes through the intermediate certificate and, ultimately, ends with the SSL certificate issued to the organization. You can utilize an intermediate certificate to verify the authenticity of the main certificate. 

If you don’t have any certificate authorities, you can use IBM Cloud Secrets Manager to order an SSL certificate from the certificate authority Let’s Encrypt:

1. Add a custom domain

Now you can start to configure your Cloud Foundry applications by adding a custom domain via the IBM Cloud UI (Note: You can also create domains with the ibmcloud command line tool):

  1. Log in to the IBM Cloud UI.
  2. In the banner, expand Manage and click Account:
  3. Click Cloud Foundry in the left pane menu, expand Account resources and click Cloud Foundry orgs.
  4. Click the Cloud Foundry Org name that you plan to use, then click the Domains tab:
  5. Click the Add Domain button.
  6. Enter your custom domain in the text box and select the CF org region that you plan to use, then click the Add button. For my custom domain, I use the tnexample.com domain as I plan to use the CF app route bluemix.tnexample.com:
  7. Click the Add button. After the save operation completes, you should notice a new icon in the SSL Certificate column:

2. Upload a certificate for your domain

  1. Click the Upload icon in the SSL Certificate column for the domain you added in the previous step:
  2. For each field on the Upload Certificate dialog, click the Choose button and select the appropriate file:
  3. Click the Add button and the upload process should begin. This SSL Certification is being uploaded and replicated across our servers. This process could take a few minutes:
  4. Once the upload is complete, you should also see the icon for your domain has changed to a padlock:
  5. If you click on the Details link, you will see a dialog to show the details of the certificate you uploaded:

3. Add an app route with the custom domain

Now that we have a custom domain with the SSL certificate, let’s set up an app that makes use of it. We can either create a brand new app or edit the routes of an existing app:

  1. Click Resource List in the IBM Cloud UI.
  2. Expand the Cloud Foundry Apps section to list your applications.
  3. Click the Cloud Foundry application to see the overview of the app:
  4. Expand the Actions and click Edit routes:
  5. In the Edit Routes dialog, you can add and remove routes. Add a new CF app route with the custom domain and save it:
  6. You will see the newly added CF app route in the details:

4. Configure DNS for custom domains

At this point, you have an app using a route making use of our custom domain. However, if you tried to access your app via the route, it would fail. You need to do some DNS configuration by adding a CNAME record that maps your domain to the hostname of the Cloud Foundry router:

  1. Set up a CNAME record for the custom domain name on your DNS server. Steps for setting up the CNAME record vary depending on your DNS provider. I’m using the DNS management in the IBM Cloud Internet Service (CIS). In the CIS instance page, click the Reliability page, click the DNS tab and then click the Add button in the DNS records section:
  2. Map the custom domain name to the secure endpoint for the IBM Cloud region where your app is running. Use the following region endpoints to provide the URL route that is allocated to your CF organization in IBM Cloud. For example, my app is in IBM Cloud US-South region, and I want to access the app with helloworld.tnexample.com, so I enter the host name helloworld and the alias domain name custom-domain.us-south.cf.cloud.ibm.com in the DNS CNAME record. Cloud Foundry Router endpoints:
    • US-SOUTH: custom-domain.us-south.cf.cloud.ibm.com
    • US-EAST: custom-domain.us-east.cf.cloud.ibm.com
    • EU-DE: custom-domain.eu-de.cf.cloud.ibm.com
    • EU-GB: custom-domain.eu-gb.cf.cloud.ibm.com
    • AU-SYD: custom-domain.au-syd.cf.cloud.ibm.com

      Note: The host to use varies by the region in which your app is hosted.

  3. Once you commit the changes, you will have to wait some period of time for the changes to propagate. Once the DNS changes are propagated, you should be able to access your app via the browser.
  4. If you’re still unable to access your app after a reasonable amount of time, you might find it helpful to run the nslookup command or dig command. For example, I ran it below for helloworld.tnexample.com and it properly resolved to custom-domain.us-south.cf.cloud.ibm.com: 
    $ dig helloworld.tnexample.com

; <<>> DiG 9.10.6 <<>> helloworld.tnexample.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34508
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;helloworld.tnexample.com.        IN        A

;; ANSWER SECTION:
helloworld.tnexample.com. 300        IN        CNAME        custom-domain.us-south.cf.cloud.ibm.com.
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.47.124.23
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.62.254.80
custom-domain.us-south.cf.cloud.ibm.com. 60 IN A 169.46.89.151

;; Query time: 193 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue May 03 15:41:40 AEST 2022
;; MSG SIZE  rcvd: 284

5. Verify the results

Now if you try to access your route via the https protocol, the browser should declare your site is properly identified and trusted. For example, the screenshot below shows the certificate details for my app from Chrome:

You can also check by using the curl command:

$ curl -v https://helloworld.tnexample.com
*   Trying 169.62.254.80...
* TCP_NODELAY set
* Connected to helloworld.tnexample.com (169.62.254.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.tnexample.com
*  start date: Apr 21 01:27:24 2022 GMT
*  expire date: Jul 20 01:27:23 2022 GMT
*  subjectAltName: host "helloworld.tnexample.com" matched cert's "*.tnexample.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: helloworld.tnexample.com
> User-Agent: curl/7.64.1
> Accept: */*
> 
< HTTP/1.1 200 OK
....
* Connection #0 to host helloworld.tnexample.com left intact
* Closing connection 0

Conclusion

This post covered how to configure your Cloud Foundry applications with associating your custom domain and its SSL certificate in IBM Cloud, and you’ll now be able to access your application with HTTPS with a valid SSL certificate. I’d like thank Tony Erwin for the article that provided much of the groundwork for this topic.

Was this article helpful?
YesNo
Takeyuki Nakajo
Advanced Customer Support Engineer

More from Cloud
September 9, 2024

IBM Cloud expands its VPC operations in Dallas, Texas

3 min read - Everything is bigger in Texas—including the IBM Cloud® Network footprint. Today, IBM Cloud opened its 10th data center in Dallas, Texas, in support of their virtual private cloud (VPC) operations. DAL14, the new addition, is the fourth availability zone in the IBM Cloud area of Dallas, Texas. It complements the existing setup, which includes two network points of presence (PoPs), one federal data center, and one single-zone region (SZR). The facility is designed to help customers use technology such as…

September 4, 2024

Apache Kafka use cases: Driving innovation across diverse industries

6 min read - Apache Kafka is an open-source, distributed streaming platform that allows developers to build real-time, event-driven applications. With Apache Kafka, developers can build applications that continuously use streaming data records and deliver real-time experiences to users. Whether checking an account balance, streaming Netflix or browsing LinkedIn, today’s users expect near real-time experiences from apps. Apache Kafka’s event-driven architecture was designed to store data and broadcast events in real-time, making it both a message broker and a storage unit that enables real-time…

September 4, 2024

Primary storage vs. secondary storage: What’s the difference?

6 min read - What is primary storage? Computer memory is prioritized according to how often that memory is required for use in carrying out operating functions. Primary storage is the means of containing primary memory (or main memory), which is the computer’s working memory and major operational component. The main or primary memory is also called “main storage” or “internal memory.” It holds relatively concise amounts of data, which the computer can access as it functions. Because primary memory is so frequently accessed,…

IBM Newsletters

 Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters