I keep forgetting how to enable SSL on my websites. I need a basic certificate; I've no need for super certificates, I'm not a bank!
So LetsEncrypt, a free SSL certificate service, will do the job nicely.
Here I describe how I install LetsEncrypt certificates using the GetSSL script on AWS EC2 instances.
GetSSL is a handy bash script that saves me having to install new repositories or software.
1. Get a terminal on your EC2 instance
I'm using SSH sessions to manage my EC2 instances. I think AWS offers a browser-based terminal too, but my preference is SSH. I tend to do all this as root (may not be the best idea).
$ sudo su -
2. Get the GetSSL script onto your AWS EC2 instance
As I run as the root user, my installation of the script(s) and certificates will all end up in /root. Since this pulls the current master of the script straight from GitHub and you will run it as root, it is worth skimming it once before the first run.
$ curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
3. Create and customise initial GetSSL config
After step 2 you will have the getssl script on your EC2 instance; now we will use that script to generate the default configuration for the domain we're setting up. You could optionally create a (symbolic) link at this point in /bin so the script is on the PATH and therefore usable without having to provide the full path to the script.
$ cd /bin
$ ln -s /root/getssl getssl
Of course you want to replace mydomain.com with your domain name (without www) in the instructions that follow.
This will create the basic config for "mydomain.com":
$ getssl -c mydomain.com
If you've also run these commands as root, your GetSSL config will live in /root/.getssl.
As this is a 'dot' directory you will only see it with 'ls' if you use 'ls -a'.
In /root/.getssl you'll see a getssl.cfg; this is the default configuration. Options in this file will be used unless you override them with settings in the per-domain config file located at /root/.getssl/mydomain.com/getssl.cfg
Now you want to edit the domain specific config: /root/.getssl/mydomain.com/getssl.cfg
A config file for one of my AWS hosted domains set up recently (I've chopped a lot of stuff I don't use):
# The staging CA below is for testing: it issues certificates browsers will not trust.
# Use the production CA, https://acme-v02.api.letsencrypt.org, for the live certificate.
CA="https://acme-staging-v02.api.letsencrypt.org"
# Recall we set up with a www-less domain earlier?
# Here we account for that so the certificate will work for the domain with www and without
SANS="www.mydomain.com"
# Where the script writes the HTTP-01 challenge files; must be served by httpd at /.well-known/acme-challenge
ACL=('/var/www/html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
RELOAD_CMD="systemctl restart httpd.service"
SERVER_TYPE="https"
4. Generate and install certificate
The -u tells the script to update itself from the Git repository if appropriate.
$ getssl -u mydomain.com
After some output in the console, you should see a .key and a .crt file in /root/.getssl/mydomain.com/
Set these values in /root/.getssl/mydomain.com/getssl.cfg; they make getssl copy the certificate, private key and chain to the locations the webserver will read:
DOMAIN_CERT_LOCATION="/etc/ssl/certs/mydomain.com.crt"
# The .key is the private key; make sure only root can read it
DOMAIN_KEY_LOCATION="/etc/ssl/certs/mydomain.com.key"
CA_CERT_LOCATION="/etc/ssl/chain.crt"
Now we need to tell our webserver (I use Apache httpd) where to find the certificate, key and chain.
5. Configure Apache http server to use LetsEncrypt generated SSL certificate
Create or edit the /etc/httpd/conf.d/mydomain.conf file:
<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    DocumentRoot /var/www/html
    SSLEngine on
    # These three paths must match DOMAIN_CERT_LOCATION, DOMAIN_KEY_LOCATION and CA_CERT_LOCATION in getssl.cfg
    SSLCertificateFile /etc/ssl/certs/mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/mydomain.com.key
    SSLCertificateChainFile /etc/ssl/chain.crt
    # SSLv2/SSLv3 are disabled here; current guidance is to also drop TLSv1 and TLSv1.1 (-TLSv1 -TLSv1.1)
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
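As an added example (my own code, not the post's or the getssl project's), here is a small Python check that reads the per-domain getssl.cfg from steps 3 and 4 and the Apache vhost from step 5 and reports where they disagree: the staging CA left in place, a SAN that is not under the domain, and cert/key/chain paths that differ between the two files. It assumes the two file contents are passed in as strings; the sample below is constructed from the post's own values.

```python
import re

def parse_getssl_cfg(text):
    """Parse the KEY="value" and KEY=('a' 'b') lines of a bash-sourced getssl.cfg."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)=(.*)$', line)  # '#' comment lines never match
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val.startswith("(") and val.endswith(")"):  # bash array such as ACL=(...)
            cfg[key] = [v.strip("'\"") for v in re.findall(r"""'[^']*'|"[^"]*"|\S+""", val[1:-1])]
        else:
            cfg[key] = val.strip("'\"")
    return cfg

def parse_vhost(text):
    """Collect the SSL* directives (first token of each value) from an Apache vhost."""
    return dict(re.findall(r'^\s*(SSL\w+)\s+(\S+)', text, re.M))

def lint(domain, cfg, vhost):
    """Return the mismatches found; an empty list means getssl and Apache agree."""
    problems = []
    if "acme-staging" in cfg.get("CA", ""):
        problems.append("CA is the Let's Encrypt staging endpoint; its certificates are not browser-trusted")
    for san in filter(None, (s.strip() for s in cfg.get("SANS", "").split(","))):
        if san != domain and not san.endswith("." + domain):
            problems.append(f"SAN {san!r} is not under {domain}")
    pairs = (("DOMAIN_CERT_LOCATION", "SSLCertificateFile"), ("DOMAIN_KEY_LOCATION", "SSLCertificateKeyFile"),
             ("CA_CERT_LOCATION", "SSLCertificateChainFile"))
    for ckey, akey in pairs:
        if ckey not in cfg:
            problems.append(f"{ckey} unset, so getssl will not copy the file Apache reads as {akey}")
        elif cfg[ckey] != vhost.get(akey):
            problems.append(f"{ckey}={cfg[ckey]} but Apache {akey}={vhost.get(akey)}")
    return problems

# Constructed sample: the per-domain config with the mistakes this check is meant to catch
# (staging CA, mistyped SAN, mydomain.crt rather than mydomain.com.crt) against the post's vhost.
SAMPLE_CFG = """CA="https://acme-staging-v02.api.letsencrypt.org"
SANS="www.mydomain.comk"
ACL=('/var/www/html/.well-known/acme-challenge')
DOMAIN_CERT_LOCATION="/etc/ssl/certs/mydomain.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/certs/mydomain.key"
CA_CERT_LOCATION="/etc/ssl/chain.crt"
"""
SAMPLE_VHOST = """<VirtualHost *:443>
SSLCertificateFile /etc/ssl/certs/mydomain.com.crt
SSLCertificateKeyFile /etc/ssl/certs/mydomain.com.key
SSLCertificateChainFile /etc/ssl/chain.crt"""
```

Running lint("mydomain.com", parse_getssl_cfg(SAMPLE_CFG), parse_vhost(SAMPLE_VHOST)) on the sample reports four problems; once the CA, SAN and file names are corrected it returns an empty list.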
6. Crontab auto renew of certificate
Cron is a process on the Amazon Linux server that lets us set up scheduled tasks. Here I add a call to the getssl script, run weekly, so the certificate is renewed automatically when it is due (the script only requests a new certificate when renewal is needed):
Edit cron jobs with
$ crontab -e
Set up the getssl job. Note that crontab -e edits your own user's crontab, which has no user column (that column only exists in /etc/crontab and /etc/cron.d), and cron runs with a minimal PATH, so give the full path to the script:
0 1 * * 3 /root/getssl -u mydomain.com
7. Update webserver to force www subdomain and ssl
This step is not so much about SSL but SEO impact. I want to make sure any requests to http://mydomain.com are redirected to http://www.mydomain.com.
I also want to redirect http:// requests to use the SSL certificate at https://
In your DocumentRoot (for me that's /var/www/html/) add or edit the .htaccess file, adding the following (this requires AllowOverride to be enabled for that directory in the httpd config):
RewriteEngine On
# First hop: anything arriving over plain http is sent to https on the same host
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Second hop: an https request for the bare domain gets the www prefix added
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
8. Letsencrypt / getssl with Apple (iPhone) devices
Using the config detailed above I found I was getting errors in iPhone browsers saying my letsencrypt certificate was untrusted, and the site was effectively blocked on iPhones.
After adding the SSLCertificateChainFile (chain.crt) config into the apache and getssl config files I no longer saw the untrusted message with Apple iPhone browsers.
I'm not sure I understand the detail well enough to explain it here, other than to say it's to do with providing more info to the browser about who (which organisations) trusts the certificate, and as Apple trusts that organisation it can now trust my letsencrypt certificate.
References
Setting up GetSSL on AWS: https://millionclues.com/tutorials/lets-encrypt-on-amazon-aws-ec2-with-getssl
AWS documentation around certbot (an alternative to getssl) to configure LetsEncrypt: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt
Using htaccess: https://perishablepress.com/stupid-htaccess-tricks/#gen3