Security (HTTPS)
SSL certificate obtained through Let's Encrypt. Let's Encrypt is a certificate authority that provides free HTTPS certificates. Certbot is Let's Encrypt's client, which makes managing certificates easier.
Assumes NGINX + Ubuntu 14.04
Based on medium.freecodecamp.org
- Open up ports 80 (HTTP) and 443 (HTTPS) in your AWS instance Security Group
- Point the domain at the EC2 public DNS of the instance
- Run the following:

```shell
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
cd /home/ubuntu
```
- Run the following, replacing www.hoonahstewards.net if needed, as many times as needed for additional certs:

```shell
./certbot-auto certonly --standalone -d www.hoonahstewards.net
```
- Change your NGINX configuration by adding:

```nginx
server {
    listen 443 ssl;
    server_name www.hoonahstewards.net;
    ssl_certificate /etc/letsencrypt/live/www.hoonahstewards.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.hoonahstewards.net/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";
}
```
- Restart NGINX:

```shell
sudo service nginx reload
```

- Set up a cron job to renew the cert, because certs obtained through Let's Encrypt expire every 3 months.

If the cert won't renew, see https://github.com/certbot/certbot/issues/5405#issuecomment-356498627
Assumes NGINX + Ubuntu 14.04 on AWS
The cert uses the 'standalone' authenticator plugin. Because of this, ports :80 and :443 must be free for the renewal to work. When the AWS instance for Hoonah is running, nginx is listening on ports :80 and :443. One option to stop nginx from listening during the renewal process is:
- ssh into the Hoonah AWS instance
- `vim /etc/nginx/sites-enabled/hoonah` - comment out the lines for listening on ports :80 and :443, write and quit
- `cd ~/`
- `./certbot-auto renew --dry-run`; if the dry run is without error, then `./certbot-auto renew`
- `vim /etc/nginx/sites-enabled/hoonah` - uncomment the listening lines for ports :80 and :443
- restart the nginx server
The HTTPS cert setup should be updated to auto-renew and to use the 'webroot' plugin instead of 'standalone'.
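As an added example (not from the original page or the Hoonah project), the cron job mentioned above and the manual "free the ports, dry run, renew" procedure can be combined in one wrapper script: certbot's `--pre-hook` and `--post-hook` stop and start nginx only on runs where a certificate is actually due, so no config editing is needed. It assumes certbot-auto sits in /home/ubuntu as on this page and that nginx is controlled with `service`; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example (not part of the original page): a cron-friendly renewal
# wrapper for the 'standalone' plugin. Instead of hand-editing the nginx
# config to free ports 80 and 443, certbot's --pre-hook and --post-hook
# stop and start nginx, and only on runs where a certificate is actually
# due, so the site stays up on the daily runs where nothing happens.
# Assumptions: certbot-auto lives in /home/ubuntu (as on this page) and
# nginx is controlled with `service`; both can be overridden via env vars.
CERTBOT="${CERTBOT:-/home/ubuntu/certbot-auto}"
NGINX_STOP="${NGINX_STOP:-service nginx stop}"
NGINX_START="${NGINX_START:-service nginx start}"

# Run certbot's renew with the hooks; extra flags (e.g. --dry-run) are
# passed through. Returns certbot's exit status.
certbot_renew() {
    "$CERTBOT" renew --standalone --non-interactive --quiet \
        --pre-hook "$NGINX_STOP" --post-hook "$NGINX_START" "$@"
}

# Same order as the page's manual procedure: dry run first (nothing is
# issued), real renewal only if the dry run succeeded. Returns 0 on
# success, 1 if the dry run failed (no real attempt is made), 2 if the
# real renewal failed.
renew_certs() {
    certbot_renew --dry-run || return 1
    certbot_renew || return 2
    return 0
}

# Root's crontab entry (certbot only renews when fewer than 30 days
# remain, so running daily is safe):
#   0 3 * * * /home/ubuntu/renew-certs.sh --run >> /var/log/certbot-renew.log 2>&1
case "${1:-}" in
    --run) renew_certs ;;
esac
```

Run it from root's crontab so certbot-auto does not need to re-exec through sudo; the log file shows which runs attempted a renewal.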