This repository has been archived by the owner on Sep 4, 2021. It is now read-only.

Clarity on SSL-support (Let's Encrypt/third-party) for custom domain #4240

Closed
Kentoseth opened this issue Sep 5, 2017 · 4 comments



Kentoseth commented Sep 5, 2017

I have searched through a number of past issues and I don't think this question has been asked yet (specifically). Threads of ref are: #1995 #4225

Here is the breakdown from my side:

  1. I am running a website at a generic-route like: https://[subdomain].[xxxx].flynnhub.com
  2. I have followed the instructions here: https://flynn.io/docs/apps#custom-domains and added my own: subdomain.mydomain.com
  3. Once this propagates, I will be able to visit: subdomain.mydomain.com, but if I have not added the generated-cert to my test-browsers (or if other users visit the custom domain or even the regular domain at 1) above, they will get errors for an invalid cert)

With #1995 and https://flynn.io/docs/apps#https , do I need to generate a Let's Encrypt certificate manually so that I can secure: subdomain.mydomain.com > https://subdomain.mydomain.com ?

If YES, can anyone explain the basic steps of doing this (as I am unsure if HTTPS should be done for both subdomain.mydomain.com && [subdomain].[xxxx].flynnhub.com) ?

PS. I understand that there exist multitudes of resources on how to certify a domain/subdomain (with Let's Encrypt) regularly, but the question above is for the Flynn-specific use-case.


bbaptist commented Sep 5, 2017

If you want users to be able to access your application on your custom domain, you need to add a route to Flynn for subdomain.mydomain.com. You also need to create or order an SSL certificate, for instance from Let's Encrypt; using GetSSL is an easy way to do that. Once you have the signed certificate, you update the route with the cert and key. You could also easily write a post-order script to install that certificate to the route you created in Flynn.

@Kentoseth
Author

@bbaptist

What path did you use for this:

# ACL=('/var/www/subdomain.mysite.org/web/.well-known/acme-challenge')
#     'ssh:server5:/var/www/subdomain.mysite.org/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/subdomain.mysite.org/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:subdomain.mysite.org:/web/.well-known/acme-challenge')

?

@Kentoseth
Author

So for anyone needing (free) SSL for your flynn site, here are my instructions for doing so:

  1. Install certbot-auto: https://certbot.eff.org/docs/install.html#certbot-auto

  2. Validate your domain/subdomain with the different options certbot offers (DNS validation is quite easy)

  3. Once validated, you will get a fullchain.pem file and a privkey.pem file

  4. You may need to cat and save those files somewhere

  5. Run the following command:

flynn route update http/[route-ID] --tls-cert=fullchain.pem --tls-key=privkey.pem

Success!

@hadifarnoud

@Kentoseth I've done exactly as said here. I have a fullchain (consisting of 3 different certificates), a private key and a certificate file. I used fullchain.pem and privkey.pem in this case. It says:
validation_error: Certificate invalid: tls: failed to find any PEM data in key input

The service provider gave me these: x.509, intermediate certificate, root certificate.

There are no docs on what is needed for route update for SSL.
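
The error quoted in the last comment, `tls: failed to find any PEM data in key input`, has the wording Go's crypto/tls uses when the key input contains no PEM block. As an added example (not part of the thread or of Flynn), the shell pre-flight below inspects the PEM labels of the two files before they are passed to `flynn route update`; the function names and sample files are hypothetical, and the check does not verify that the key matches the certificate.

```shell
# Added example: structural pre-flight for the files given to
#   flynn route update http/[route-ID] --tls-cert=... --tls-key=...
# It only inspects PEM labels; it does not prove the key matches the certificate.

# Count PEM "BEGIN" lines in file $1 whose label matches extended regex $2.
pem_count() {
    grep -Ec "^-----BEGIN ($2)-----[[:space:]]*\$" "$1" 2>/dev/null || true
}

# Print a verdict for a cert/key pair; return 0 only when both look usable.
check_tls_pair() {
    cert=$1; key=$2
    [ -r "$cert" ] && [ -r "$key" ] || { echo "unreadable"; return 2; }
    ncert=$(pem_count "$cert" 'CERTIFICATE')
    nkey=$(pem_count "$key" '(RSA |EC )?PRIVATE KEY')
    ncert_in_key=$(pem_count "$key" 'CERTIFICATE')
    if [ "$ncert" -eq 0 ]; then
        echo "cert-no-pem"; return 1         # e.g. DER (.cer/.der) instead of PEM
    elif [ "$nkey" -eq 0 ] && [ "$ncert_in_key" -gt 0 ]; then
        echo "key-is-certificate"; return 1  # a certificate was passed as the key
    elif [ "$nkey" -eq 0 ]; then
        echo "key-no-pem"; return 1          # empty, DER or otherwise non-PEM key
    fi
    echo "ok certs=$ncert"                   # certs > 1: leaf plus intermediates
}

# Constructed sample files (placeholder bodies, not real key material).
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$d/leaf.pem"
    cat "$d/leaf.pem" "$d/leaf.pem" "$d/leaf.pem" > "$d/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    : > "$d/empty.pem"
}
```

To use it, source the file and run `check_tls_pair fullchain.pem privkey.pem`; a `key-no-pem` or `key-is-certificate` verdict means the file given as `--tls-key` is not a PEM private key.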
