HTTPS Setup
Setting up the secure "https" on web servers
Overview for Beginners
Many online articles discuss setting up HTTPS for Apache HTTPD on cloud virtual machines such as AWS EC2 or GCP Compute Engine. However, beginners often find gaps in the explanation, particularly around acquiring a free SSL certificate from Let's Encrypt, a Certificate Authority (CA), and configuring it on Apache HTTPD. The following step-by-step instructions aim to bridge this knowledge gap.
Setup for Apache "httpd" web server
NOTE: the following should work for both AWS EC2 and GCP Compute Engine (tested Jun 2024).
Install Apache httpd - AWS EC2 - Amazon Linux 2023 AMI
By default, the Apache "httpd" web server enables only the unencrypted "http" after installation. Additional steps are needed to enable "https": installing the Apache "mod_ssl" extension module and, possibly, further configuration (see the note below).
The Apache "mod_ssl" extension module provides strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, ensuring secure connections between the server and clients, safeguarding sensitive data transmitted over the network.
NOTE (to be confirmed via further testing): the additional steps may not be needed, as "https" is enabled automatically during installation of "mod_ssl". For example, on AWS EC2 with Amazon Linux 2023, no additional steps are needed if the default SSL certificates are acceptable. (Tested: Jun 2024)
Install Apache "httpd" web server and the mod_ssl module
sudo yum update -y
sudo yum install -y httpd mod_ssl
sudo systemctl start httpd
sudo systemctl enable httpd
Create a very simple web page
echo "<h1>Hello from Region us-west-2a</h1>" | sudo tee /var/www/html/index.html
(The file is written through "sudo tee" rather than "sudo echo ... >" because a shell redirection runs with your own privileges, not root's, and /var/www/html is owned by root.)
Create self-signed certificate
On the AWS EC2 with Amazon Linux 2023, the default SSL certificates are generated automatically during installation, and the "https" is also enabled.
To validate: open the browser and enter the following URL:
https://<public_ip_address_assigned_to_ec2_instance>/index.html
The auto-generated SSL certificates can be found at /etc/pki/tls/certs/localhost.crt (certificate) and /etc/pki/tls/private/localhost.key (private key).
Configuration of the Apache httpd to enable "https" and to use the auto-generated self-signed certificates is in /etc/httpd/conf.d/ssl.conf, where the SSLCertificateFile and SSLCertificateKeyFile directives point to those two files.
[Alternative] If the SSL certificates were not generated OR you want to create your own self-signed certificates, then follow the instructions below:
[Alternative] Check that openssl is already installed; it should have been installed with mod_ssl; otherwise install it.
[Alternative] Generate Private Key - this will be used to create the SSL self-signed certificate; the following command generates a 2048-bit RSA private key and saves it to a file named server.key. You can change the filename if desired.
[Alternative] Generate Certificate Signing Request (CSR): using the private key generated above; the following command will prompt you to enter information such as your organization details, common name (domain name), etc. It will then generate a CSR and save it to a file named server.csr.
[Alternative] Finally, Generate Self-Signed Certificate: using the private key and CSR files; the command creates a self-signed certificate valid for 365 days and saves it to a file named server.crt.
[Alternative] Copy the generated self-signed certificates to the commonly used folder for Apache httpd, /etc/pki/tls/, as shown below:
[Alternative] Restart the Apache httpd server
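The [Alternative] steps above collected into one script, as an added example that is not from the original page. It assumes openssl is installed, takes the output directory, validity and common name as parameters you choose, and adds a key/certificate match check before the files are copied under /etc/pki/tls/.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate for Apache httpd and
# verify the key/certificate pair before installing it. Assumes openssl
# is installed; OUT_DIR, DAYS and CN are parameters you choose.

# make_self_signed OUT_DIR [DAYS] [CN]
# Writes OUT_DIR/server.key (2048-bit RSA), server.csr and server.crt.
make_self_signed() {
  out_dir=$1; days=${2:-365}; cn=${3:-localhost}
  mkdir -p "$out_dir" || return 1
  # Private key: the secret, so restrict it to the owner right away.
  openssl genrsa -out "$out_dir/server.key" 2048 2>/dev/null || return 1
  chmod 600 "$out_dir/server.key"
  # CSR: -subj supplies the common name instead of the interactive prompts.
  openssl req -new -key "$out_dir/server.key" -out "$out_dir/server.csr" \
    -subj "/CN=$cn" 2>/dev/null || return 1
  # Self-signed certificate valid for DAYS days, signed with the same key.
  openssl x509 -req -days "$days" -in "$out_dir/server.csr" \
    -signkey "$out_dir/server.key" -out "$out_dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY_FILE CERT_FILE
# Succeeds only if the public key inside the certificate is the one
# derived from KEY_FILE; a mismatch is what makes httpd refuse to start
# after a certificate swap in ssl.conf.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# install_self_signed OUT_DIR
# Copies the pair to the /etc/pki/tls/ locations referenced by ssl.conf,
# with owner-only permissions on the key, then restarts httpd (needs sudo).
install_self_signed() {
  key_matches_cert "$1/server.key" "$1/server.crt" || return 1
  sudo install -o root -g root -m 0600 "$1/server.key" /etc/pki/tls/private/server.key
  sudo install -o root -g root -m 0644 "$1/server.crt" /etc/pki/tls/certs/server.crt
  sudo systemctl restart httpd
}
```

Point SSLCertificateFile and SSLCertificateKeyFile in /etc/httpd/conf.d/ssl.conf at the two installed paths before the restart.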
Please note that while self-signed certificates provide encryption, they are not inherently trusted by web browsers and may trigger security warnings that need to be manually bypassed. For production environments, it is recommended to use SSL certificates from a trusted Certificate Authority (CA) to avoid these warnings and ensure a seamless user experience.
The certificates (fullchain.pem) and the key (privkey.pem) from the CA will replace the (localhost.crt & localhost.key) or the (server.crt & server.key) discussed above.
Create SSL certificates from FREE trusted Certificate Authority (CA)
"Let's Encrypt" is a trusted Certificate Authority (CA) that issues FREE SSL certificates (see the Let's Encrypt website in the References). Step-by-step instructions using the "certbot" shell client, customizable for your web server and OS type, are on the Certbot site (see the References). The following instructions are for AWS Linux 2023 and the Apache httpd web server, and are based on installing the certbot Python package with pip.
NOTE: the following instructions are for AWS EC2 using Amazon Linux 2023 AMI.
Installing Certbot through pip is only supported on a best effort basis and when using a virtual environment. Instructions for installing Certbot through pip can be found HERE; and by selecting your server software and then choosing “pip” in the “System” dropdown menu. (Or see custom Instructions: https://certbot.eff.org/instructions?ws=apache&os=pip). Source: https://eff-certbot.readthedocs.io/en/stable/install.html#alternative-2-pip
Install python3 and other modules
Setup a python virtual environment
Install certbot & Prepare the Certbot command
Get certificate only but don't install.
To find the generated certificates, see the following locations. Source: https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
Config Apache httpd; update /etc/httpd/conf.d/ssl.conf with the following: point SSLCertificateFile at fullchain.pem and SSLCertificateKeyFile at privkey.pem from the certificate location found in the previous step (replacing the localhost.crt and localhost.key entries).
Restart Apache: after making changes to the Apache configuration, restart the Apache HTTP Server to activate the changes:
Finally, set up automatic renewal using a cron job:
Monthly Upgrade certbot:
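Helpers for the Let's Encrypt steps above (ssl.conf directives, renewal check for the cron job), as an added example that is not from the page or from the certbot project. It assumes certbot was installed with pip into /opt/certbot as in the pip instructions linked above, that openssl is available, and that DOMAIN is the hypothetical name the certificate was issued for.

```shell
#!/bin/sh
# Added example (not from the page or from certbot). Assumes certbot was
# installed with pip into /opt/certbot, openssl is available, and DOMAIN
# is the hypothetical name the certificate was issued for.

# letsencrypt_ssl_conf DOMAIN
# Prints the two directives that replace the localhost.crt/localhost.key
# lines in /etc/httpd/conf.d/ssl.conf (certbot's "live" paths).
letsencrypt_ssl_conf() {
  live=/etc/letsencrypt/live/$1
  printf 'SSLCertificateFile %s/fullchain.pem\n' "$live"
  printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$live"
}

# cert_expires_within CERT_FILE DAYS
# Exit 0 if the certificate expires within DAYS, 1 if not, 2 if unreadable.
# Let's Encrypt certificates last 90 days and certbot renews at 30, so a
# live certificate inside 30 days means the cron renewal is not working.
cert_expires_within() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
  then return 1; else return 0; fi
}

# renew_if_needed DOMAIN [DAYS]
# For the cron job: calls certbot only when the live certificate is within
# the threshold, then reloads httpd so the new chain is actually served.
renew_if_needed() {
  crt=/etc/letsencrypt/live/$1/fullchain.pem
  rc=0; cert_expires_within "$crt" "${2:-30}" || rc=$?
  case $rc in
    0) /opt/certbot/bin/certbot renew -q && sudo systemctl reload httpd ;;
    1) return 0 ;;
    *) echo "cannot read $crt" >&2; return 2 ;;
  esac
}
```

Running cert_expires_within against the live fullchain.pem with a 30-day threshold from monitoring is a cheap way to detect a silently failing renewal before browsers start warning.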
References
Let's Encrypt - https://letsencrypt.org/getting-started/
Certbot custom instructions - https://certbot.eff.org/
Certbot User Manual - https://eff-certbot.readthedocs.io/en/stable/intro.html
How to install certbot via snap on Amazon Linux 2023 - https://unix.stackexchange.com/questions/744633/how-to-install-certbot-via-snap-on-amazon-linux-2023