{"componentChunkName":"component---src-templates-page-js","path":"/letsencrypt-apache","result":{"data":{"markdownRemark":{"frontmatter":{"title":"Building a simple HTTPS webpage using Let's Encrypt on Apache HTTPD ","date":"26 April 2017","path":"/letsencrypt-apache","author":null,"excerpt":"I have been hearing about [Let's Encrypt](https://letsencrypt.org/) for a while, and luckily enough I have the opportunity to get my hands on it (virtually, of course)...","tags":["web"],"coverImage":null},"id":"f13d6f5f-f2f3-5331-9cd7-dd20632af854","html":"

I have been hearing about Let's Encrypt for a while, and luckily enough I have the opportunity to get my hands on it (virtually, of course).

\n

In this post, I will talk about my experience setting up a simple demo website over HTTPS using Let's Encrypt on an Apache HTTP Server. The entire process takes less than <30 mins if you get the following right before you start:

\n\n

An import note before we start: The website is purely for demonstration purpose and not suitable for production use.

\n

Here are the steps to do it

\n

Create EC2 instance

\n

An AWS EC2 t2.micro instance is setup. And an elastic IPv4 address (34.202.12.128) is assigned and attached to the EC2 instance's network interface.

\n

Update Name Server

\n

A DNS A record is added to my Name Server for chriswang.tech and pointing to 34.202.12.128. In my case, Cloudflare's DNS is used.

\n

The configuration is shown below.

\n

\"dns\"

\n

The dig command is used to verify that the DNS record has taken effect in my local DNS resolver.

\n
$ dig demo-apache.chriswang.tech
\n
; <<>> DiG 9.8.3-P1 <<>> demo-apache.chriswang.tech\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24626\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4\n\n;; QUESTION SECTION:\n;demo-apache.chriswang.tech.\tIN\tA\n\n;; ANSWER SECTION:\ndemo-apache.chriswang.tech. 300\tIN\tA\t34.202.12.128\n\n;; AUTHORITY SECTION:\nchriswang.tech.\t\t2811\tIN\tNS\tart.ns.cloudflare.com.\nchriswang.tech.\t\t2811\tIN\tNS\talice.ns.cloudflare.com.\n\n;; ADDITIONAL SECTION:\nart.ns.cloudflare.com.\t47841\tIN\tA\t173.245.59.102\nalice.ns.cloudflare.com. 43742\tIN\tA\t173.245.58.60\nart.ns.cloudflare.com.\t47841\tIN\tAAAA\t2400:cb00:2049:1::adf5:3b66\nalice.ns.cloudflare.com. 43742\tIN\tAAAA\t2400:cb00:2049:1::adf5:3a3c\n\n;; Query time: 72 msec\n;; SERVER: 192.35.82.50#53(192.35.82.50)\n;; WHEN: Wed Apr 26 18:32:27 2017\n;; MSG SIZE  rcvd: 203
\n

Test HTTP

\n

To verify the Apache HTTP service works, visit in the browserhttp://demo-apache.chriswang.tech.

\n

An Apache Default Page below is expected.

\n

\"default_apache\"

\n

Update index.html

\n

To update the default page, a custom index.html is created and symlinked to the default Apache directory at /var/www/html/ using the following command:

\n

$ sudo ln -s ~/demo-apache/index.html /var/www/html/index.html

\n

The following webpage should be shown after refreshing the same URL in browser.

\n

\"index_html\"

\n

Generate Private Key

\n

The RSA private key and certificate signing request (CSR) are generated using openssl using the following command:

\n

$ openssl req -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

\n

The generated CSR will be used for the TLS public certificate generation in the next step.

\n

Configure Let's Encrypt/CertBot

\n

In order to use Let's Encrypt, the CertBot is installed to automate this process using the following commands:

\n
$sudo add-apt-repository ppa:certbot/certbot\n$sudo apt-get update\n$sudo apt-get install python-certbot-apache
\n

The TLS certificate generation and Apache HTTP Server are executed automatically by running the following command:

\n
$ certbot --apache
\n

If successful, an output similar to the following is expected:

\n
Saving debug log to /var/log/letsencrypt/letsencrypt.log\nNo names were found in your configuration files. Please enter in your domain\nname(s) (comma and/or space separated)  (Enter 'c' to cancel):demo-apache.chriswang.tech\nStarting new HTTPS connection (1): acme-v01.api.letsencrypt.org\nObtaining a new certificate\nPerforming the following challenges:\ntls-sni-01 challenge for demo-apache.chriswang.tech\nEnabled Apache socache_shmcb module\nEnabled Apache ssl module\nWaiting for verification...\nCleaning up challenges\nGenerating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem\nCreating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem\nCreated an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf\nEnabled Apache socache_shmcb module\nEnabled Apache ssl module\nDeploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf\nEnabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf\n\nPlease choose whether HTTPS access is required or optional.\n-------------------------------------------------------------------------------\n1: Easy - Allow both HTTP and HTTPS access to these sites\n2: Secure - Make all requests redirect to secure HTTPS access\n-------------------------------------------------------------------------------\n\nSelect the appropriate number [1-2] then [enter] (press 'c' to cancel): 2\nEnabled Apache rewrite module\nRedirecting vhost in /etc/apache2/sites-available/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf\n\n-------------------------------------------------------------------------------\nCongratulations! You have successfully enabled\nhttps://demo-apache.chriswang.tech\n\nYou should test your configuration at:\nhttps://www.ssllabs.com/ssltest/analyze.html?d=demo-apache.chriswang.tech\n-------------------------------------------------------------------------------\n\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at\n   /etc/letsencrypt/live/demo-apache.chriswang.tech/fullchain.pem.\n   Your cert will expire on 2017-07-25. To obtain a new or tweaked\n   version of this certificate in the future, simply run certbot again\n   with the "certonly" option. To non-interactively renew *all* of\n   your certificates, run "certbot renew"\n - If you like Certbot, please consider supporting our work by:\n\n   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate\n   Donating to EFF:                    https://eff.org/donate-le
\n

Run Qualys SSL Server Test

\n

To verify that the the HTTPS/TLS service is configured correctly, the Qualys SSL Server Test is run.

\n

The test report is shown below with a big green A. It means the HTTPS/TLS is working as expected! 😀

\n

\"ssl_report\"

\n

The experience is great: straight-forward and FREE

\n

Kudos and thanks to the Internet Security Research Group (ISRG), Linux Foundation, Apache Foundation and many other non-profit and commercial organizations for making HTTPS/TLS accessible for everyone.

\n

We look forward to more projects like this!

\n

/Chris

\n

References

\n

Apache Web Server

\n\n

Let's Encrypt and Certbot

\n","excerpt":"I have been hearing about Let's Encrypt for a while, and luckily enough I have the opportunity to get my hands on it (virtually, of course…"}},"pageContext":{"type":"posts","next":{"frontmatter":{"path":"/self-managed-gh","title":"Building a Self-managed Alternative to GitHub Pages","tags":["web","jekyll","aws","travis-ci","cloudflare","nginx","letsencrypt"]},"fileAbsolutePath":"/opt/build/repo/src/posts/2017-06-16-building-github-pages-alternative.md"},"previous":{"frontmatter":{"path":"/cornell-tech","title":"Release Notes: My Graduation from Cornell Tech CS v3","tags":["cornell-tech","cornell","master","mba","cs","nyc"]},"fileAbsolutePath":"/opt/build/repo/src/posts/2017-06-15-graduation_from_cornell_tech_cs_v3.md"}}},"staticQueryHashes":["1425477374","3128451518"]}