Having an SSL-secured website is no longer just a preference for sites handling sensitive data but a necessity for all websites. There are many good reasons to secure your site, even if only to improve its ranking in Google search.
Let’s Encrypt is a Certificate Authority organization providing free SSL certificates. The project is supported by many large technology organizations with the goal of securing all websites on the web.
The certificates are free and are valid for three months at a time.
A few assumptions before proceeding:
- You have installed the AMI Linux on the EC2 instance
- You have installed httpd (Apache) using standard options
- Your installation is done using the standard (out-of-the-box) ec2-user
- You have a DNS entry to point your domain name to the EC2 instance
- Start apache if not already started
sudo service httpd start
- Update all installed packages
sudo yum update -y
- Install mod_ssl apache module
sudo yum install -y mod24_ssl
- Bounce apache
sudo service httpd restart
The server will now work with HTTPS but using an untrusted certificate that will cause a warning to be displayed in the browser.
- Install git. Git is needed to download the letsencrypt code.
sudo yum install git
- Clone the letsencrypt repository (download)
git clone https://github.com/letsencrypt/letsencrypt.git
- Run the letsencrypt utility to generate and install the certificate files. Note the following parameters:
-d YOUR_DOMAIN – the domain name. DNS must already be configured so that this name points to the public IP of the EC2 instance.
--webroot-path – this path must match the DocumentRoot in httpd.conf; by default it is /var/www/html.
--email YOUR_EMAIL – the email address to use for notifications related to letsencrypt.
--debug – necessary because Amazon Linux (AMI) support is experimental.
Full command:
~/letsencrypt/letsencrypt-auto certonly --renew-by-default -d YOUR_DOMAIN --authenticator webroot --webroot-path /var/www/html --email YOUR_EMAIL --agree-tos --debug
- A successful run should result in a message similar to the following. Note the path to the certificate files, /etc/letsencrypt/live/YOUR_DOMAIN; it will be needed to finish the Apache configuration.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem. Your cert
will expire on 2016-10-15. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to YOUR_EMAIL.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le..
- Edit the Apache SSL configuration file. The file came with the mod_ssl installation and is loaded automatically by Apache.
sudo vi /etc/httpd/conf.d/ssl.conf
- Update the following entries in the file (YOUR_DOMAIN is the same domain used in the letsencrypt command above)
SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem
- You should also redirect all traffic to HTTPS. To do so, edit the httpd.conf file
sudo vi /etc/httpd/conf/httpd.conf
- Add the following section at the end of the file
# SSL Redirect
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
- Bounce apache
sudo service httpd restart
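As an added check, not part of the original post: a small POSIX shell script that audits an ssl.conf for the directives changed above (protocol list, cipher order and suite, certificate paths) before you restart Apache, so a typo does not silently leave SSLv3 or a weak cipher enabled. The sample configuration files it creates are constructed for the demonstration; pass the path of the real file to audit it instead.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache ssl.conf for the directives
# the post changes, so a typo does not leave SSLv3 or a weak cipher enabled. Samples are constructed.
# Value of a directive, skipping commented-out lines; the last occurrence wins,
# which is how Apache resolves a directive repeated in one context.
ssl_directive() {  # $1 = config file, $2 = directive name
    awk -v d="$2" '$1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); v = $0 } END { print v }' "$1"
}
# mod_ssl applies SSLProtocol tokens in order: a bare word replaces the set, +word adds,
# -word removes. Apache 2.4 has no SSLv2 code, so SSLv3 is the legacy protocol to rule out.
protocols_ok() {
    v=$(ssl_directive "$1" SSLProtocol); [ -n "$v" ] || return 1; s3=0   # unset means "all"
    for tok in $v; do
        case "$tok" in
            all|+all|SSLv3|+SSLv3) s3=1 ;;
            -SSLv3)                s3=0 ;;
            [+-]*)                 ;;        # +/-TLSv1.x or -SSLv2: no effect on SSLv3
            *)                     s3=0 ;;   # bare TLSv1.x replaces the whole set
        esac
    done
    [ "$s3" -eq 0 ]
}
# Reject a suite that admits a known-weak family without a '!' exclusion, and require
# SSLHonorCipherOrder so the server, not the client, picks the cipher.
ciphers_ok() {
    v=$(ssl_directive "$1" SSLCipherSuite); [ -n "$v" ] || return 1
    echo "$v" | tr ':' '\n' | grep -v '^!' | grep -Eq 'RC4|NULL|EXPORT|MD5|^DES-CBC-' && return 1
    [ "$(ssl_directive "$1" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" = "on" ]
}
cert_files_ok() {  # every certificate path the post sets must exist, or httpd refuses to start
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        f=$(ssl_directive "$1" "$d"); [ -n "$f" ] && [ -r "$f" ] || return 1
    done
}
audit_ssl_conf() {  # $1 = ssl.conf; prints each failing check, succeeds only if all pass
    rc=0; for chk in protocols_ok ciphers_ok cert_files_ok; do
        "$chk" "$1" || { echo "FAIL: $chk in $1"; rc=1; }
    done; return $rc
}
# Constructed samples: a stock-style mod_ssl config beside the values from the post.
SAMPLE_DIR=$(mktemp -d); touch "$SAMPLE_DIR/cert.pem" "$SAMPLE_DIR/privkey.pem" "$SAMPLE_DIR/chain.pem"
WEAK_CONF="$SAMPLE_DIR/weak.conf"; HARDENED_CONF="$SAMPLE_DIR/hardened.conf"
printf '%s\n' 'SSLProtocol all -SSLv2' '#SSLHonorCipherOrder on' \
    'SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5' 'SSLCertificateFile /etc/pki/tls/certs/localhost.crt' >"$WEAK_CONF"
printf '%s\n' 'SSLProtocol -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2' 'SSLHonorCipherOrder on' \
    'SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!DSS' \
    "SSLCertificateFile $SAMPLE_DIR/cert.pem" "SSLCertificateKeyFile $SAMPLE_DIR/privkey.pem" \
    "SSLCertificateChainFile $SAMPLE_DIR/chain.pem" >"$HARDENED_CONF"
audit_ssl_conf "${1:-$HARDENED_CONF}"   # pass a real path, e.g. /etc/httpd/conf.d/ssl.conf
```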
The site should now show as secured in the browser. Keep in mind that the certificate will expire in 3 months. I will share steps on how to configure automatic renewal in another post.
References
Mozilla SSL Configuration Generator
Amazon guide to installing LAMP Web Server on Amazon Linux
Amazon guide to enabling SSL