
SSL Encryption using Let’s Encrypt on AWS EC2 Amazon Linux

Written by Anagha Thorat | Feb 27, 2017 11:56:46 AM

What is Let’s Encrypt:

To serve a website over HTTPS you need an SSL/TLS certificate issued by a Certificate Authority (CA) that browsers trust. Let’s Encrypt is a CA that issues such certificates free of charge through an automated protocol (ACME). Its certificates are domain-validated (the CA only checks that you control the domain name) and are as secure, and as widely trusted by browsers, as paid certificates of the same type.

Benefits:

  • Free: certificates cost nothing for as long as you use them, and the CA software and the clients are open source.
  • Automatic: issuing and renewal are scripted, so renewal can run from a cron job. Each certificate is valid for 90 days, which is why the automation matters.
  • Simple: the client used here (acme.sh) is a single shell script.
  • Secure: the certificates are as secure as paid domain-validated certificates.

Points to be covered:

  • Let’s Encrypt with Apache
  • Let’s Encrypt with Tomcat

Let’s Encrypt with Apache

Basic requirement:

To issue a certificate through Let’s Encrypt you must control the domain (its DNS must point at the server) and the web server that answers for it. The webroot method used below proves this with an HTTP-01 challenge: Let’s Encrypt fetches a file from http://yourdomain/.well-known/acme-challenge/ on port 80, so the EC2 security group must allow inbound port 80 and the web server must serve the webroot directory on that port.

We need git installed on the server (only for the git-based install below).
Install git with the following command:

yum install git

Installation

  • Install the acme.sh client online:

Use one of the following commands

curl https://get.acme.sh | sh
OR
wget -O - https://get.acme.sh | sh

Note that this pipes a script downloaded over the network straight into your shell and runs it with your privileges. If you would rather inspect the script before running it, use the git method below.

  • Install the acme.sh client from git

Use the following commands

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

Either method copies the script to ~/.acme.sh/, adds an acme.sh alias to your shell profile and registers a daily cron job that renews certificates automatically. Open a new shell (or source your profile) before running acme.sh.

Issue a Certificate for Apache/Tomcat

Single Domain

acme.sh --issue -d abc.com -w /home/root/abc.com

Multiple Domains in the same cert

acme.sh --issue -d abc.com -d www.abc.com -d cp.abc.com -w /home/root/abc.com

Note:

  1. The parameter /home/root/abc.com is the web root folder that the web server serves for these domains. acme.sh writes the challenge files under it, so you need write access to it.
  2. abc.com is the main domain. You must give at least one domain, and every name you will serve over HTTPS must be listed with -d, because browsers check the certificate’s SAN list.
  3. Bind all the domains to the same web root directory: /home/root/abc.com
  4. Generated/issued certs will be placed in ~/.acme.sh/abc.com/
  5. Current acme.sh releases default to ZeroSSL rather than Let’s Encrypt; add --server letsencrypt to the --issue command to get a Let’s Encrypt certificate.

Install the issued Certificate on Apache

After issuing the certificate you must install it, that is, copy the files to the paths Apache reads.
Please note: do not point Apache at the files in ~/.acme.sh/. That folder is acme.sh’s internal state and its layout may change. Best practice is to let --installcert copy the files to their own paths and register a reload command, which acme.sh then runs after every automatic renewal so that Apache picks up the new certificate.

To install the certificate use the following command (httpd is the Apache service name on Amazon Linux)

acme.sh --installcert -d abc.com \
--certpath /path/to/certfile/in/apache/cert.pem \
--keypath /path/to/keyfile/in/apache/key.pem \
--capath /path/to/certfile/in/apache/ca.pem \
--fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service httpd reload"

Open ssl.conf and point the SSL directives at the installed files

vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /path/to/certfile/in/apache/cert.pem
SSLCertificateKeyFile /path/to/keyfile/in/apache/key.pem
SSLCertificateChainFile /path/to/certfile/in/apache/ca.pem

SSLCertificateChainFile holds the intermediate certificate(s), which is what --capath writes to ca.pem; without it many clients reject the certificate as untrusted. SSLCACertificateFile is only needed when Apache verifies client certificates, so it is left out. On Apache 2.4.8 or later you can instead set SSLCertificateFile to fullchain.pem and drop SSLCertificateChainFile. Keep the key file readable by root only (chmod 600).

Reload apache server

service httpd reload

Let’s Encrypt with Tomcat

To serve HTTPS, Tomcat 7 needs the server certificate together with the intermediate chain, and the private key that belongs to the certificate. The key is what makes the connection private: during the TLS handshake the server either decrypts the client’s pre-master secret with it (RSA key exchange) or signs the ephemeral key-exchange parameters with it (ECDHE/DHE), and the client checks the result against the public key in the certificate. Tomcat reads all of this from a Java KeyStore, so we put the chain and the private key together in one JKS file.

Only two steps are needed to get fullchain.pem and the private key (called privkey.pem below; this is the key.pem written by --installcert, or abc.com.key in ~/.acme.sh/abc.com/) into a JKS.
First, bundle them into a PKCS#12 file:

$ openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out fullchain_and_key.p12 -name tomcat

You will be prompted for an export password. Remember it, because it is needed in the next step.

Now that we have a PKCS#12 keystore, we can use Java’s keytool to convert it into a JKS:

$ keytool -importkeystore -deststorepass yourJKSpass -destkeypass yourKeyPass -destkeystore KeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass yourPKCS12pass -alias tomcat

The second step is optional: Tomcat can read the .p12 file directly if you set keystoreType="PKCS12" on the connector, which avoids keeping a second copy of the private key. Whichever file you use, make it readable by the tomcat user only. Also remember that the keystore does not renew itself: repeat this conversion after each 90-day renewal (for example from the --reloadcmd of --installcert), otherwise Tomcat keeps serving the expired certificate.

Configure Tomcat for HTTPS
Open the server.xml file

vim /etc/tomcat7/server.xml

Find the block starting with <Connector port="8443" (it is commented out in the default server.xml; uncomment it) and set the keystore attributes:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           URIEncoding="UTF-8" maxThreads="150"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/KeyStore.jks" keystorePass="yourJKSpass"
           keyAlias="tomcat" keyPass="yourKeyPass"/>

The keystore passwords sit in server.xml in clear text, so restrict that file’s permissions as well. Consider adding sslEnabledProtocols="TLSv1.2" to limit the handshake to TLS 1.2 rather than every version that sslProtocol="TLS" enables on your JVM.

Restart your tomcat

service tomcat7 restart

Check your site

Browse to the site over HTTPS. With Apache that is https://yourdomain/ (port 443); with the Tomcat connector above it is https://yourdomain:8443/ unless you forward 443 to 8443 or run Tomcat on 443, and the EC2 security group must allow whichever port you use. The browser must show a valid padlock with no chain warning; a chain error usually means cert.pem was configured where fullchain.pem (or the intermediate in ca.pem) was needed.
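A browser check is easy to misread, because browsers cache intermediates and will show a padlock even when the server sends only the leaf certificate. The script below is an added example written for this article (it is not code from the article, from acme.sh or from Tomcat) that performs the check the way a strict client does: it verifies the chain against the OS trust store and the host name with Python’s stdlib ssl module, reports which names the certificate covers (useful after issuing one certificate for abc.com, www.abc.com and cp.abc.com), and reports how many of the 90 days remain so a broken auto-renewal is noticed before expiry. The host names, ports, the 30-day warning threshold and the sample certificate dictionary are assumptions for illustration; it needs Python 3.7 or later.

```python
"""Post-deployment TLS check for a Let's Encrypt site (added example).

Connects like a browser that has no cached intermediates: the chain is
verified against the system trust store and the host name is checked, so a
server that sends cert.pem instead of fullchain.pem fails loudly. Also reports
the days left on the 90-day certificate. Hosts, ports and the threshold are
assumptions made for this example.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Assumption: warn when fewer than this many days remain. acme.sh renews at
# 60 days, so anything under 30 means renewal or the reload has been failing.
RENEW_WARN_DAYS = 30


def _rdn_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'abc.com'),), ...) into a dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def summarize_cert(cert, now=None, warn_days=RENEW_WARN_DAYS):
    """Summarise a dict in the format returned by SSLSocket.getpeercert().

    Returns subject CN, issuing organisation, the DNS names from the SAN
    extension, fractional days until notAfter and two flags derived from it.
    """
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    return {
        "cn": _rdn_dict(cert.get("subject", ())).get("commonName"),
        "issuer": _rdn_dict(cert.get("issuer", ())).get("organizationName"),
        "sans": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
        "days_left": days_left,
        "needs_renewal": days_left < warn_days,
        "expired": days_left < 0,
    }


def missing_names(report, wanted):
    """Names from `wanted` that the certificate does not cover.

    Every name served over HTTPS must be in the SAN list; browsers ignore
    the CN, so a name left out of the -d list shows up here.
    """
    covered = set(report["sans"])
    return [n for n in wanted if n not in covered]


def check_site(host, port=443, timeout=5.0):
    """Connect, verify chain and host name, return summarize_cert() output.

    ssl.create_default_context() uses the OS CA bundle and never fetches a
    missing intermediate, so a server configured with cert.pem instead of
    fullchain.pem raises ssl.SSLCertVerificationError here even if a browser
    with a cached intermediate still shows a padlock.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            report = summarize_cert(tls.getpeercert())
            report["protocol"] = tls.version()
            report["cipher"] = tls.cipher()[0]
            return report


# Constructed sample in getpeercert() format (not a real certificate): a
# 90-day certificate for abc.com and www.abc.com issued on 1 March 2026.
SAMPLE_CERT = {
    "subject": ((("commonName", "abc.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "abc.com"), ("DNS", "www.abc.com")),
    "notBefore": "Mar  1 00:00:00 2026 GMT",
    "notAfter": "May 30 00:00:00 2026 GMT",
}


if __name__ == "__main__":
    # Usage: python check_tls.py abc.com [443 | 8443 for a bare Tomcat connector]
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        try:
            result = check_site(host, port)
        except ssl.SSLCertVerificationError as exc:
            sys.exit(f"{host}:{port}: chain or name verification failed: {exc.verify_message}")
        print(result)
        if missing_names(result, [host]) or result["needs_renewal"]:
            sys.exit(1)
    else:
        # Offline demonstration on the constructed sample, 20 days before expiry.
        print(summarize_cert(SAMPLE_CERT, now=datetime(2026, 5, 10, tzinfo=timezone.utc)))
```

Run it from a machine other than the server itself, so that the connection goes through the EC2 security group and DNS like a real client’s would, and run it once for each name you listed with -d. A non-zero exit is what you would wire into monitoring; a verification error on a site the browser shows as fine is the classic sign that only the leaf certificate was installed.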