What is Lets Encrypt?
Let’s Encrypt is a free, automated, and open Certificate Authority.
To enable HTTPS on your website, you need to get a certificate (a type of file) from a Certificate Authority (CA). Let’s Encrypt is a CA. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. With Let’s Encrypt, you do this using software that uses the
ACME protocol, which typically runs on your web host.
Setup Lets Encrypt for your PHP Beanstalk Application.
Prepare your zipped project.
 |
My project folders and files |
 |
My zipped project. |
Create .ebextensions Folder
Before make a zipped project make sure you already have
.ebextensions/*.config. Create
https.config file under
.ebextensions. you can use your own file name for your *.config files.
Resources:
sslSecurityGroupIngress:
Type: AWS::EC2::SecurityGroupIngress
Properties:
GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
IpProtocol: tcp
ToPort: 443
FromPort: 443
CidrIp: 0.0.0.0/0
files:
/etc/httpd/conf.d/default.conf:
mode: "000644"
owner: root
group: root
content: |
<VirtualHost *:80>
RewriteEngine On
DocumentRoot /var/www/html/ovideo
ServerName teahrm.id
</VirtualHost>
/etc/httpd/conf.d/ssl.pre:
mode: "000644"
owner: root
group: root
content: |
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost *:443>
<Directory /opt/python/current/app/build/static>
Order deny,allow
Allow from all
</Directory>
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/teahrm.id/fullchain.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/teahrm.id/privkey.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
ProxyPass / http://localhost:80/ retry=0
ProxyPassReverse / http://localhost:80/
ProxyPreserveHost on
RequestHeader set X-Forwarded-Proto "https" early
# If you have pages that may take awhile to
# respond, add a ProxyTimeout:
# ProxyTimeout seconds
</VirtualHost>
/tmp/renew_cert_cron:
mode: "000777"
owner: root
group: root
content: |
# renew Lets encrypt cert with certbot command
0 1,13 * * * /tmp/certbot-auto renew
packages:
yum:
epel-release: []
mod24_ssl : []
# Steps here
# 1. Install certbot
# 2. Get cert (stop apache before grabbing)
# 3. Link certs where Apache can grab
# 4. Get the Apache config in place
# 5. Move certbot-auto into tmp folder
container_commands:
10_installcertbot:
command: "wget https://dl.eff.org/certbot-auto;chmod a+x certbot-auto"
20_getcert:
command: "sudo ./certbot-auto certonly --debug --non-interactive --email mhyusufibrahim@gmail.com --agree-tos --debug --apache --domains teahrm.id --keep-until-expiring"
30_link:
command: "sudo ln -sf /etc/letsencrypt/live/teahrm.id /etc/letsencrypt/live/ebcert"
40_config:
command: "sudo mv /etc/httpd/conf.d/ssl.pre /etc/httpd/conf.d/ssl.conf"
50_mv_certbot_to_temp_for_cron_renew:
command: "sudo mv ./certbot-auto /tmp"
60_create_cert_crontab:
command: "sudo crontab /tmp/renew_cert_cron"
70_delete_cronjob_file:
command: "sudo rm /tmp/renew_cert_cron"
Upload to your Beanstalk
The Final Result
 |
HTTPS installed. |
Comments
Post a Comment