Generate And Install A Let’s Encrypt SSL Certificate For A Bitnami Application
Introduction
Let’s Encrypt is a free Certificate Authority (CA) that issues SSL certificates. You can use these SSL certificates to secure traffic to and from your Bitnami application host.
This guide walks you through the process of generating a Let’s Encrypt SSL certificate for your domain and installing and configuring it to work with your Bitnami application stack.
Assumptions And Prerequisites
This guide assumes that:
- You have deployed a Bitnami application and the application is available at a public IP address.
- You have the necessary credentials to log in to the Bitnami application instance.
- You own a domain name.
- You have configured the domain name’s DNS record to point to the public IP address of your Bitnami application instance.
Step 1: Install The Lego Client
The Lego client simplifies the process of Let’s Encrypt certificate generate. To use it, follow these steps:
- Log in to the server console as the bitnami user.
- Run the following commands to install the Lego client. Note that you will need to replace the X.Y.Z placeholder with the actual version number of the downloaded archive:
cd /tmp curl -Ls https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - tar xf lego_vX.Y.Z_linux_amd64.tar.xz sudo mv lego /usr/local/bin/lego
These steps will download, extract and copy the Lego client to a directory in your path. .
Step 2: Generate A Let’s Encrypt Certificate For Your Domain
NOTE: Before proceeding with this step, ensure that your domain name points to the public IP address of the Bitnami application host.
The next step is to generate a Let’s Encrypt certificate for your domain.
- Turn off all Bitnami services:
sudo /opt/bitnami/ctlscript.sh stop - Request a new certificate for your domain as below. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
sudo lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/etc/lego" --accept-tos runNOTE: You can use more than one domain (for example, DOMAIN and www.DOMAIN) by specifying the –domains option as many times as the number of domains you want to specify. When supplying multiple domains, Lego creates a SAN (Subject Alternate Names) certificate which results in only one certificate valid for all domains you entered. The first domain in your list will be added as the “CommonName” of the certificate and the rest, will be added as “DNSNames” to the SAN extension within the certificate.
- For wildcard certificates, additional DNS setup must be created. Run the following command to obtain the required DNS values:
sudo lego --dns manual --email="EMAIL-ADDRESS" --domains="*.DOMAIN" --path="/etc/lego" --a run
NOTE: Result will display the TXT hostname and VALUE to be setup in your DNS. Ex. hostname=”_acme-challenge” txt_string=”-k3PQXqcjAcYY6vx1sjmYKnC4S3K7TVko-juLRf9SXc”
A set of certificates will now be generated in the /etc/lego/certificates directory. This set includes the server certificate file DOMAIN.crt and the server certificate key file DOMAIN.key.
An output message will provide some information, including the expiry date of the certificate. Note this expiry date carefully as you will need to renew your certificate before that date in order for it to remain valid.
An example certificate is shown below:
Step 3: Configure The Web Server To Use The Let’s Encrypt Certificate
Next, tell the Web server about the new certificate, as follows:
- Link the new SSL certificate and certificate key file to the correct locations, depending on which Web server you’re using. Update the file permissions to make them readable by the root user only. Remember to replace the DOMAIN placeholder with your actual domain name.For Apache:
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt sudo chown root:root /opt/bitnami/apache2/conf/server* sudo chmod 600 /opt/bitnami/apache2/conf/server*For nginx:
sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old sudo mv /opt/bitnami/nginx/conf/server.csr /opt/bitnami/nginx/conf/server.csr.old sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/nginx/conf/server.key sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/nginx/conf/server.crt sudo chown root:root /opt/bitnami/nginx/conf/server* sudo chmod 600 /opt/bitnami/nginx/conf/server*TIP: To find out if your Bitnami stack uses Apache or nginx, check the output of the command sudo /opt/bitnami/ctlscript.sh status. - Restart all Bitnami services:
sudo /opt/bitnami/ctlscript.sh start
Step 4: Test The Configuration
After reconfirming that your domain name points to the public IP address of the Bitnami application instance, you can test it by browsing to https://DOMAIN (replace the DOMAIN placeholder with the correct domain name).
This should display the secure welcome page of the Bitnami application. Clicking the padlock icon in the browser address bar should display the details of the domain and SSL certificate.
Step 5: Renew The Let’s Encrypt Certificate
Let’s Encrypt certificates are only valid for 90 days. To renew the certificate before it expires, run the following commands from the server console as the bitnami user. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
sudo /opt/bitnami/ctlscript.sh stop
sudo lego --tls --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start
To automatically renew your certificates before they expire, write a script to perform the above tasks and schedule a cron job to run the script periodically. To do this:
-
- Create a script at /etc/lego/renew-certificate.sh with the following content. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
#!/bin/bash sudo /opt/bitnami/ctlscript.sh stop apache sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew sudo /opt/bitnami/ctlscript.sh start apache - Make the script executable:
chmod +x /etc/lego/renew-certificate.sh - Execute the following command to open the crontab editor:
sudo crontab -e - Add the following lines to the crontab file and save it:
0 0 1 * * /etc/lego/renew-certificate.sh 2> /dev/nullMore information at https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/
- Create a script at /etc/lego/renew-certificate.sh with the following content. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.
Alternative Approach
Bitnami includes a small tool that takes care of generating a valid certificate using Let’s Encrypt and configuring the web server to use it. That tool uses Lego to run the Let’s Encrypt certificate generation commands. You can find the script inside the /opt/bitnami/letsencrypt/ directory.
Execute the following command to auto-configure a Let’s Encrypt certificate in your stack for a domain, both with and without the www prefix. Replace the YOURMAIL and YOURDOMAIN placeholders with your current email address and with the domain name.
sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m YOURMAIL -d YOURDOMAIN -d www.YOURDOMAIN
NOTE: You can use more than one domain by specifying the -d option as many times as domains you want to specify. When supplying multiple domains, Lego creates a SAN (Subject Alternate Names) certificate which results in only one certificate valid for all domains you entered. The first domain in your list will be added as the “CommonName” of the certificate and the rest, will be added as “DNSNames” to the SAN extension within the certificate.
To add one or more domains to an existing certificate, delete the existing certificates, restore the Bitnami configuration and execute the command again to generate a new certificate, remembering to include the new domain(s) with additional -d options in the command line. The following commands illustrate the process. Replace the YOURMAIL, YOURDOMAIN and YOUROTHERDOMAIN placeholders with your current email address, the current domain name and the additional domain name to be added.