Inside Gratipay

This is Gratipay's internal company portal. First time here? Welcome! Start at the top. :-)

Install a TLS Certificate

Our certificate vendor is Let's Encrypt, and the way we get certificates from them is via their certbot command-line tool. We have several domains to secure, plus aliases, and the way to verify ownership and install the certificate vary for each. They are described below.

Let's Encrypt enforces frequent cert rolling via 90-day expirations. Once we hit our first expiration cycle and sort out how to renew, we should update these docs. Eventually we can explore further automation.

Install certbot locally, then run it in the certs directory of an Inside Gratipay repo checkout, with the provided configuration file:

git clone
cd certs
certbot certonly -c

You'll have to agree to having your IP address publicly logged, and then you'll be prompted to verify ownership of the domains via http-01 challenges. For that, visit the ACME Challenger (you'll have to login as an admin to use it). Go through the challenge cycle for and for each alias (there are a bunch, including www.* variants), by appending the token to the above link, and then entering the authorization response in the form you find there.

Once you have the cert, install it at Heroku:

cd tmp/live/
heroku certs:update --app gratipay fullchain.pem privkey.pem

Once you're done, rm -rf tmp to clear out sensitive files from your laptop.


Our CDN uses as its origin server, and we have a read-only ACME Challenger endpoint under there. Therefore, the process to verify the domain is just like for create the challenge response in the normal ACME challenger, and Let's Encrypt should find what it needs in the right place.

However, we use the same cert for downloads.* as for assets.*, since both are hosted at MaxCDN. But since downloads is a PUSH zone, you have to (manually) upload a file via FTP in order to verify the domain. Here's how to reset the ftp password. Aaaaaaaaaand there's no way to serve a hidden directory, so you have to use DNS verification after all, so you may as well use it for assets.*, too (how do we write a config file that splits the authenticators by domain?). Sorry. 😞

(P.S. The reason we don't just do all verification via DNS is because that's harder to automate … though I guess DNSimple does have an API. Hmm …)

To install the cert, login to MaxCDN (creds are in LastPass). Go to Account > SSL to add the new certificate, then navigate to EdgeSSL > SNI for each zone, and select the new cert. After installing for both zones, go back to Account > SSL and delete the old cert.

Delete the TXT records from DNS.

cd certs/

You should find a certbot-auto executable there, along with a certbot.ini configuration file, some logfiles, etc. I think all you need to do is ./certbot-auto renew, but since we're still in our first cert cycle with Let's Encrypt, it's hard to know for sure. 😌

To verify domains, I ran ./certbot-auto certonly -c certbot.ini, creating (and subsequently cleaning up) files under:

The cert and key are symlinked into /etc/nginx/certs/, so you shouldn't need to do anything other than /etc/init.d/nginx reload once the cert/key are updated.

Table of Contents