How to install Let's Encrypt SSL on Amazon Linux AMI? - ssl

How to install Let's Encrypt SSL on Amazon Linux AMI? I want to implement Let's Encrypt SSL for my domain.

There are a lot of solutions online; I think you have to keep on trying until you find one that works for you. After a lot of experimentation, what worked for me was following the Certbot instructions for Apache and CentOS 6. The official link is here, but for consistency:
Run the following commands in the terminal:
Download Certbot
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Execute Certbot
sudo /usr/local/bin/certbot-auto --apache
If there's an error message, read the warning and run (if you feel comfortable):
sudo /usr/local/bin/certbot-auto --apache --debug
Here, you may be asked to complete some fairly intuitive questions to configure your installation. If not, what worked for me won't work for you. :(
Automate Renewal
Test to see if renewing your certificate works:
sudo /usr/local/bin/certbot-auto renew --dry-run
If so, open your system's crontab (usually somewhere around /etc/crontab/) and add the following line, which checks (and renews, if necessary) at midnight and noon every day:
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

Here I will explain how to configure Let's Encrypt on Linux AMI. I did it successfully on my Linux AMI; I followed the steps below to get it done.
1. SSH into your server.
2. Download certbot (the Let's Encrypt client, needed to install and renew SSL): **wget https://dl.eff.org/certbot-auto** then **chmod a+x certbot-auto**
3. Run certbot to fetch your certificates. Follow the code below:
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_DOMAIN [replace the YOUR_DOMAIN placeholder with your domain]
4. While generating, it will ask you for a recovery or support email; please add your email.
5. Certbot will place your certs at the following paths…
Certificate: /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
Full Chain: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
Private Key: /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
6. Go to your Apache config where you created a virtual host; it can be either in httpd.conf or conf.d.
7. Add the virtual host for port 443:
<VirtualHost *:443>
ServerAdmin ADMIN_EMAIL
ServerName YOUR_DOMAIN
ServerAlias www.YOUR_DOMAIN
DocumentRoot "YOUR FOLDER PATH"
AllowEncodedSlashes On
ErrorLog "/var/log/httpd/YOUR_DOMAIN_error.log"
CustomLog "/var/log/httpd/YOUR_DOMAIN-sslaccess.log" common
<Directory YOUR FOLDER PATH>
DirectoryIndex index.php
Options -Indexes
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
</VirtualHost>
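The vhost above serves cert.pem and supplies the chain through SSLCertificateChainFile, and the Ubuntu question further down keeps the key under /var/www/html. Below is an added example, not part of this answer or of Certbot or Apache, that audits a vhost file for those and a few other settings a practitioner checks after a Let's Encrypt install: fullchain.pem as SSLCertificateFile (Apache 2.4.8 and later read intermediates from it and deprecate SSLCertificateChainFile), the private key outside any web root, TLS 1.0/1.1 disabled, an HSTS header, and an HTTP to HTTPS redirect. The two vhost files it writes to a temp directory are constructed samples, weak.conf mirroring the configs on this page and hardened.conf being the corrected form; example.com, the paths and the audit rules themselves are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the original answers or of Certbot/Apache): audit an
# Apache vhost file for the TLS settings worth checking after a Let's Encrypt install.
# The two vhost files written below are constructed samples; the audit rules, the
# domain example.com and the paths are this example's own choices.

# audit_vhost FILE: print one FAIL line per finding; exit status = number of findings.
audit_vhost() {
    conf="$1"; count=0
    has()  { grep -Eiq "$1" "$conf"; }          # Apache directives are case-insensitive
    fail() { echo "FAIL: $1"; count=$((count + 1)); }

    has '^[[:space:]]*SSLEngine[[:space:]]+on' || fail "SSLEngine on is missing"
    # Apache >= 2.4.8 reads intermediates from SSLCertificateFile and deprecates
    # SSLCertificateChainFile, so point SSLCertificateFile at fullchain.pem. A leaf-only
    # cert.pem leaves the chain to a deprecated directive and breaks clients that do
    # not fetch intermediates on their own.
    has '^[[:space:]]*SSLCertificateFile[[:space:]]+[^[:space:]]*fullchain\.pem' \
        || fail "SSLCertificateFile should be fullchain.pem, not cert.pem"
    # A private key under a DocumentRoot is one stray Alias or directory listing away
    # from being served to the world.
    has '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+/var/www/' \
        && fail "SSLCertificateKeyFile lives under /var/www (inside a web root)"
    # Only TLS 1.2/1.3 should be negotiable: either "-all +TLSv1.2 +TLSv1.3"
    # or "all ... -TLSv1 -TLSv1.1".
    if ! has '^[[:space:]]*SSLProtocol'; then
        fail "SSLProtocol not set (TLS 1.0/1.1 stay enabled on older defaults)"
    elif has '^[[:space:]]*SSLProtocol.*\+TLSv1(\.1)?([[:space:]]|$)'; then
        fail "SSLProtocol explicitly enables TLS 1.0 or 1.1"
    elif has '^[[:space:]]*SSLProtocol[[:space:]]+all' \
         && ! { has '^[[:space:]]*SSLProtocol.*-TLSv1([[:space:]]|$)' \
                && has '^[[:space:]]*SSLProtocol.*-TLSv1\.1'; }; then
        fail "SSLProtocol all without -TLSv1 -TLSv1.1"
    fi
    has 'Strict-Transport-Security' \
        || fail "no HSTS header (Header always set Strict-Transport-Security ...)"
    has '^[[:space:]]*(Redirect[[:space:]]+(permanent|301)[[:space:]]+/[[:space:]]+https://|RewriteRule.*https://)' \
        || fail "no HTTP to HTTPS redirect for the :80 vhost"
    return "$count"
}

# finding_count FILE: number of findings on stdout, always exit 0 (cron/test friendly).
finding_count() { audit_vhost "$1" | grep -c . || true; }

# --- constructed samples ---------------------------------------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK="$tmp/weak.conf"; HARD="$tmp/hardened.conf"

# Mirrors the vhosts on this page: leaf cert + chain file, key kept under
# /var/www/html, default protocols, no HSTS, no redirect.
cat > "$WEAK" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /var/www/html/example.com.key
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
EOF

# The corrected form (needs mod_ssl and mod_headers; +TLSv1.3 needs
# Apache >= 2.4.37 built against OpenSSL 1.1.1 or later).
cat > "$HARD" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    if audit_vhost "$f"; then echo "   clean"; else echo "   $? finding(s)"; fi
done
```

Run it against a real file with `audit_vhost /etc/httpd/conf.d/ssl.conf` (or your vhost file) after sourcing the script; the weak sample produces five findings and the hardened one none. The checks are deliberately grep-based so they run on a stock Amazon Linux box with no extra packages, which also means they only inspect the one file handed to them: a redirect or HSTS header defined in another included file will show up as a false finding.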

You need to install Certbot if you are running CentOS 7 or 8 since Certbot-auto is deprecated and doesn't work beyond CentOS 6.
You can check which CentOS you are running by using the following command.
rpm -E %{rhel}
And use this tutorial from Amazon to install Certbot on Amazon Linux:
sudo yum update
sudo yum install -y certbot python2-certbot-apache
If you get a "Package not found" error, then try the Prepare to Install section from the same blog:
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*

Related

Apache2 Proxy Pass

I've been playing around with trying to stand up a server that simply proxies requests sent to it on to a different website (https://github.com in this simple example), and I just haven't been able to get it to work.
I have a simple Dockerfile
FROM ubuntu:14.04
RUN apt-get update -y && \
apt-get install -y apache2 libapache2-mod-wsgi curl
RUN a2enmod proxy
RUN a2enmod proxy_http
RUN service apache2 restart
which I'm running with docker run -it -p 80:80 --name apache proxy-test /bin/bash after building it.
Once in the container, I created this file under /etc/apache2/sites-available/site1.docker.biz.conf:
<VirtualHost *:80>
ServerName test-apache.biz
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass "/github" "https://github.com"
ProxyPassReverse "/github" "https://github.com"
</VirtualHost>
Then ran:
a2ensite site1.docker.biz.conf
service apache2 reload
I want to be able to go to http://localhost:80/github and see https://github.com, but I get "The requested URL /github was not found on this server." Am I missing something?

SSL installation on Apache, Ubuntu 16.04

My hosting (instance) is on EC2 and the domain is on Nominalia. I am using Ubuntu 16.04 and Laravel 5.4. I have generated the CSR, key file and certificate file and kept them in the root of the server, which is /var/www/html.
Now I have to place:
<VirtualHost *:443>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /var/www/html/sitename.com.crt
SSLCertificateKeyFile /var/www/html/sitename.com.key
SSLCertificateChainFile /var/www/html/intermediate-ca.crt
</VirtualHost>
I am not getting where I should keep it. I tried putting it in /etc/apache2/sites-enabled/000-default.conf, /etc/apache2/sites-enabled/default-ssl.conf or /etc/apache2/sites-available/default-ssl.conf, but it did not work and I am getting errors:
In Chrome:
This site can’t be reached
and in Mozilla:
Secure Connection Failed
The site is working without HTTPS.
I also tried to keep both "VirtualHost *:443" and "VirtualHost *:80" in /etc/apache2/sites-enabled/000-default.conf, but it also did not work. In this case, I am getting "This site can’t be reached".
There are a lot of articles that I have been reading for a few days, but I am not getting how to do the final setting so that my site starts working after I have successfully placed all the certificate files.
Recently Chrome stopped accepting self-signed certificates. You can save a lot of effort by using Let's Encrypt SSL certificates. They are free, but valid for 90 days only. But you can configure an auto-renewal process, so you don't need to worry, because everything happens behind the scenes.
Installation on Ubuntu is simple:
1. Add repository to apt
sudo add-apt-repository ppa:certbot/certbot
After that completes, update apt:
sudo apt-get update
2. Install Certbot
Certbot is a client tool for managing certificates from Let's Encrypt.
Run:
sudo apt-get install python-certbot-apache
3. Set up SSL Certificate
sudo certbot --apache -d sitename.com
If your domain could be accessed with www prefix run this command instead:
sudo certbot --apache -d sitename.com -d www.sitename.com
From now on, Certbot will run automatically via /etc/cron.d to check for expiring certificates.
You can validate the process by running:
sudo certbot renew --dry-run
It's done.
Full documentation for Certbot is here: https://certbot.eff.org/docs/
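Both Certbot answers on this page rely on `certbot renew --dry-run` to confirm that renewal works. The following is an added example, not part of either answer or of Certbot, that reproduces the two checks behind a renewal by hand with the openssl CLI so they can run from cron or a monitoring job: whether a certificate is inside Certbot's default 30-day renewal window, and whether the private key actually belongs to the certificate (a mismatch is what you get after a certonly run that was never wired into the vhost). It also checks the key file's mode. The certificates it uses are self-signed and generated on the fly for the demo (constructed, not real Let's Encrypt output); on a real host point it at /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem. The function names and the 30-day threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original answers or from Certbot): the checks behind
# "certbot renew", done by hand with the openssl CLI. All certificates here are
# self-signed demo material generated below; real paths would be
# /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem.

# needs_renewal CERT [DAYS]: succeed (exit 0) when CERT expires within DAYS.
# Certbot's default renewal window is 30 days before expiry.
needs_renewal() {
    cert="$1"; days="${2:-30}"
    # `x509 -checkend N` exits 0 if the cert is still valid N seconds from now and
    # 1 if it will have expired by then; invert that to mean "needs renewal".
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_matches_cert KEY CERT: succeed when the public key inside CERT is the one
# derived from KEY. Comparing the SubjectPublicKeyInfo works for RSA and ECDSA
# alike, unlike the old "compare RSA moduli" trick.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# key_is_private KEY: succeed when the key file is readable by its owner only.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# --- constructed demo material --------------------------------------------
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
mkcert() {   # mkcert NAME DAYS: self-signed cert + key valid for DAYS days
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1.example" \
        -keyout "$tmp/$1.key" -out "$tmp/$1.crt" >/dev/null 2>&1
}
mkcert fresh 90        # just issued: Let's Encrypt certificates are valid for 90 days
mkcert expiring 10     # 10 days left, inside the 30-day window
chmod 600 "$tmp/fresh.key"
chmod 644 "$tmp/expiring.key"   # deliberate mistake: world-readable private key

for name in fresh expiring; do
    if needs_renewal "$tmp/$name.crt"; then
        echo "$name: renew now"
    else
        echo "$name: valid for more than 30 days"
    fi
    if key_matches_cert "$tmp/$name.key" "$tmp/$name.crt"; then
        echo "$name: key matches certificate"
    else
        echo "$name: KEY DOES NOT MATCH CERTIFICATE"
    fi
    if key_is_private "$tmp/$name.key"; then
        echo "$name: key mode ok"
    else
        echo "$name: key is group/world readable"
    fi
done
```

On a live host, `needs_renewal /etc/letsencrypt/live/example.com/fullchain.pem && echo RENEW` from cron gives you an alert independent of Certbot's own timer, and `key_matches_cert` run against the files named in the vhost catches the case where Apache was pointed at a stale key after a re-issue. The world-readable key in the demo is the failure mode from the Ubuntu question above, where the key was kept in /var/www/html.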

Letsencrypt certificate for www and non-www domain

I have generated SSL certificate like so:
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto certonly --standalone
Then I was asked for email ... and a domain name. I entered example.com
I figured out that I could enter multiple domains to be included in one certificate using a different approach, e.g.:
sudo -H ./letsencrypt-auto certonly --standalone -d example.com -d www.example.com
I wonder if I could have entered multiple domains when I was prompted for them in a dialog, or do I now need to regenerate using a different approach?
Do I need to remove previous letsencrypt installation before going new way?
UPDATE -> SOLVED
sudo ./certbot-auto certonly --standalone -d example.com -d www.example.com
You do not need to remove the installed certificate.
You can extend it to your sub-domain if you're using the same domain. Do the following:
sudo certbot certonly --standalone -d example.com -d www.example.com
When prompted for Expanding or Cancelling, reply with E, then hit the Enter key on your keyboard.
The certificate should be set up successfully.
If you encounter this error: Problem binding to port 80: Could not bind to IPv4 or IPv6, stop Apache by running systemctl stop apache2, then run the above certbot command again.
Once the SSL certificate is successfully set up, run systemctl restart apache2 to get Apache up and running again.

using certbot-auto for nginx

I have an nginx running.
Now I want my nginx to use SSL:
certbot-auto --nginx -d my.domain.com -n --agree-tos --email admin@mail.com
OUTPUT:
Performing the following challenges:
tls-sni-01 challenge for my.domain.com
Cleaning up challenges
Cannot find a VirtualHost matching domain my.domain.com.
my.domain.com is pointing to the IP of my server. It's its DNS name.
What am I doing wrong? I did this already for Apache and it was working fine. My nginx is running (and I'm not able to restart it manually after certbot-auto, but this wasn't necessary when I used certbot-auto --apache).
In my case, I had to add the "server_name" line because it wasn't in my nginx config, so it was giving me the error message "Cannot find a VirtualHost matching domain my.domain.com" when I ran:
certbot --nginx
Make sure this is in your config:
server {
server_name my.domain.com;
....
}
You are probably missing some server block (virtual host) files in the sites-enabled folder. Check if your config files exist in /etc/nginx/sites-available and /etc/nginx/sites-enabled. If they are not present in the sites-enabled folder, create symbolic links for them:
$ sudo ln -s /etc/nginx/sites-available/my.domain.com /etc/nginx/sites-enabled/
Add your site, check for config errors and restart nginx:
$ sudo certbot --nginx -d my.domain.com
$ sudo nginx -t
$ sudo service nginx restart

Apache Virtual Hosts DocumentRoot path

[1] DocumentRoot /var/www/example.com/public_html
[2] DocumentRoot /var/www/example_com/public_html
Which option is more preferable, dotted or underscored?
And once the file /etc/apache2/sites-available/example.com.conf is changed, is it necessary to also re-run $ sudo a2ensite example.com.conf? Or is the change itself enough? Thanks!
Either option is OK; it's up to you. For my part, on my dedicated server, I'll use the example.com syntax.
When you run $ sudo a2ensite example.com.conf for the first time, a symlink is created from /etc/apache2/sites-available/example.com.conf to /etc/apache2/sites-enabled/example.com.conf.
You can change this file at either location, because it's the same file.
If you want to disable your vhost, you should run $ sudo a2dissite example.com.conf