Let's Encrypt
Let's Encrypt is a popular tool for getting free SSL certificates.
Here's a userful article on how to set it up on Amazon Linux: https://medium.com/@gnowland/deploying-lets-encrypt-on-an-amazon-linux-ami- ec2-instance-f8e2e8f4fc1f
This is a sort of checklist to follow along for Amazon Linux (of which WP SureStack is based on).
Here are a few needed pieces of information, which I used for the sake of example:
Domain: robtest.thorn.tech
IP address: 54.210.100.47
Email: robert.chen@thorntech.com
Create a Host A record in Route 53, pointing
robtest.thorn.techto54.210.100.47. Wait 10-15 minutes to give DNS a chance to propagate. Otherwise, you get an error on a later validation step.Sudo to root
sudo suInstall dependencies, but these may already be installed
yum install python27-devel gitDownload letsencrypt to
/opt/letsencryptgit clone https://github.com/letsencrypt/letsencrypt /opt/letsencryptRun the letsencrypt wizard. The article mentioned above says it's important to include the debug flag.
/opt/letsencrypt/letsencrypt-auto --debugChoose 2, for Nginx. Let's encrypt will do things to your nginx conf.
How would you like to authenticate and install certificates? ------------------------------------------------------------------------------- 1: Apache Web Server plugin - Beta (apache) 2: Nginx Web Server plugin - Alpha (nginx) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2Supply your email address (for renewal notification purposes)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): robert.chen@thorntech.comAccept the terms
------------------------------------------------------------------------------- Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-v01.api.letsencrypt.org/directory ------------------------------------------------------------------------------- (A)gree/(C)ancel: AYou don't need to share your email
------------------------------------------------------------------------------- Would you be willing to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non- profit organization that develops Certbot? We'd like to send you email about EFF and our work to encrypt the web, protect its users and defend digital rights. ------------------------------------------------------------------------------- (Y)es/(N)o: NMake a note of which nginx conf file that letsencrypt is making changes to. In my case, I was using a test box (didn't do this on WP SureStack, so it's using virtual.conf)
Deploying Certificate to VirtualHost /etc/nginx/conf.d/virtual.conf
- Choose 2 to allow letsencrypt to generate SSL redirect syntax for you.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- Check your nginx conf file for any changes. Letsencrypt might add
additional server blocks. Feel free to clean up and consolidate. But note that
they now point your ssl certificate and key locations to the letsencrypt
certificates:
ssl_certificate /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem; # managed by Certbot
- Restart nginx
nginx -t service nginx restart