SFTP Gateway 2.0 Lets Encrypt
Background
SFTP Gateway 2.0 comes with a web admin interface for managing SFTP users and settings. This website is hosted on a local web server (Nginx).
The website uses a self-signed SSL certificate. This protects your web traffic out of the box. However, you will encounter SSL warnings each time you visit the site.
If you don't want invalid SSL certificate warnings, you will need to obtain a valid SSL certificate.
Why you can't use ACM
AWS Certificate Manager (ACM) is a cloud native tool for obtaining free SSL certificates. It gives you a Domain Validation (DV) level certificate, which is enough to provide encryption, but makes no claims on the validity of your organization.
ACM can only be used with CloudFront and Application Load Balancers (ALB). This means that you cannot use ACM directly with an EC2 instance. Also, you can't use it with a Network Load Balancer (NLB), which is what SFTP Gateway uses.
Even if you were to add CloudFront or an ALB to your architecture, you would still need to encrypt its traffic to the EC2 instance. And so you would need to somehow export the private key used in your ACM certificate, and install that in Nginx. Unfortunately, it is impossible to export a private key from ACM.
You can however import a private key, certificate, and chain, into an ACM cert. But this doesn't actually give you a free SSL certificate. Rather, you are just wrapping an SSL certificate you obtained elsewhere inside an ACM certificate.
Using LetsEncrypt
The best free approach is to use LetsEncrypt, which provides free SSL certificates. These are Domain Validation (DV) level certs, much like ACM. But you have full access to the private key, so you can use it with Nginx, and even export it to ACM.
The main challenge with using LetsEncrypt is that it's not officially supported on Amazon Linux (SFTP Gateway is based on the Amazon Linux image). So you will run into difficulties during the initial installation, and again each time you renew the SSL cert.
This article covers how to set up LetsEncrypt on Amazon Linux. It provides step-by-step instructions for the initial set up. It also provides a workaround for a major issue you will encounter each time you renew the SSL cert.
Installation (Single Instance)
The instructions in this section are based on the following article, but have been adapted specifically for the Nginx configuration used in SFTP Gateway.
Before you begin, you will need 3 pieces of information:
- Domain: robtest.thorn.tech
  This domain has to be pointing to the IP address prior to running LetsEncrypt.
- IP address: 54.210.100.47
  This should be an Elastic IP, so it doesn't change each time you stop the instance.
- Email: robert.chen@thorntech.com
  LetsEncrypt certs only last 90 days, so make sure your email address is valid to get the expiration warnings.
(a) Create a Host A record in Route 53, pointing robtest.thorn.tech to 54.210.100.47. Wait 10-15 minutes to give DNS a chance to propagate. Otherwise, you get an error on a later validation step.
(b) Sudo to root
sudo su
(c) Install dependencies (these may already be installed)
yum install -y python27-devel git
(d) Download LetsEncrypt to /opt/letsencrypt
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
(e) Run the LetsEncrypt wizard. It's important to include the debug flag.
/opt/letsencrypt/letsencrypt-auto --debug
(f) Choose 2, for Nginx. LetsEncrypt will modify your nginx conf file.
How would you like to authenticate and install certificates?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Nginx Web Server plugin - Alpha (nginx)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
(g) Supply your email address (for renewal notification purposes)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): robert.chen@thorntech.com
(h) Accept the terms
-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
(i) You don't need to share your email
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
(j) Make a note of which nginx conf file that LetsEncrypt is making changes to.
Deploying Certificate to VirtualHost /etc/nginx/sites-available/website.conf
(k) Choose 1 so that LetsEncrypt doesn't mangle your nginx conf file.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
(l) Check your nginx conf file for any changes. Note the location of the LetsEncrypt private key and certificate:
ssl_certificate /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem; # managed by Certbot
(m) Restart nginx
nginx -t
service nginx restart
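As an added example (not from the SFTP Gateway docs or from certbot), a pre-flight script for step (a): it confirms the domain resolves only to the Elastic IP before you start the wizard, polling instead of waiting a fixed 10-15 minutes, and warns when the record points at a different instance than the one you are on. The script name, the resolver fallback and the metadata-service lookup are my assumptions; the domain and IP are the article's values.

```shell
#!/bin/sh
# Added pre-flight check for step (a); not part of SFTP Gateway or certbot.
# Confirms the domain resolves only to the Elastic IP before the wizard runs,
# polling instead of blindly waiting 10-15 minutes for DNS propagation.
# Usage: sh le-preflight.sh robtest.thorn.tech 54.210.100.47

# Resolve IPv4 A records for a name, one per line (dig if present, else getent).
resolve_a() {
    if command -v dig >/dev/null 2>&1; then
        dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
    else
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
    fi
}

# dns_points_to NAME IP -> 0 if every A record equals IP,
# 1 if NAME also/only resolves elsewhere, 2 if it does not resolve at all.
dns_points_to() {
    records=$(resolve_a "$1")
    [ -n "$records" ] || return 2
    for r in $records; do
        [ "$r" = "$2" ] || return 1
    done
    return 0
}

# wait_for_dns NAME IP [TRIES]: re-check every 30 s, default 30 tries (15 min).
wait_for_dns() {
    tries=${3:-30}; i=0
    while :; do
        dns_points_to "$1" "$2" && return 0
        i=$((i + 1))
        [ "$i" -lt "$tries" ] || return 1
        echo "attempt $i/$tries: $1 does not yet resolve only to $2" >&2
        sleep 30
    done
}
# This instance's public IPv4 from the EC2 metadata service (empty if unavailable);
# in an HA setup this is how you notice the record points at a different node.
own_public_ip() {
    curl -sf --max-time 2 http://169.254.169.254/latest/meta-data/public-ipv4 2>/dev/null
}

main() {
    me=$(own_public_ip)
    [ -z "$me" ] || [ "$me" = "$2" ] || echo "warning: this instance is $me, not $2" >&2
    wait_for_dns "$1" "$2" || { echo "$1 does not resolve to $2; fix the A record" >&2; exit 1; }
    echo "$1 -> $2 OK; safe to run /opt/letsencrypt/letsencrypt-auto --debug"
}
if [ $# -eq 2 ]; then main "$@"; else echo "usage: $0 DOMAIN ELASTIC_IP" >&2; fi
```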
Certificate Renewal
To renew the SSL certificate, you run the following command:
/opt/letsencrypt/letsencrypt-auto --no-bootstrap renew
But you will invariably run into this error message:
ImportError: No module named cryptography
LetsEncrypt doesn't support Amazon Linux, and any software update attempt will give you this error. LetsEncrypt only lets you renew if you're fully up to date, and there are frequent updates. And since you can't renew until you're within 30 days of expiration (i.e. 60 days out), there's a high chance of there being a software update that prevents you from renewing the SSL cert.
The workaround is to run the following command:
unset PYTHON_INSTALL_LAYOUT
/opt/eff.org/certbot/venv/bin/pip install --upgrade certbot
This lets you update certbot without running into the cryptography error. After this, you can renew the certificate.
Multi-instance considerations
If you are running SFTP Gateway in HA, there are some things you need to keep in mind.
- To troubleshoot DNS validation, you can try pointing the DNS record directly to the EC2 instance where you're configuring LetsEncrypt.
- By default, LetsEncrypt places its files in /etc/letsencrypt/live/. The /etc/nginx/ folder is stored on EFS. So consider copying the certificate and key to /etc/nginx/ssl/.
- The file /etc/nginx/sites-available/website.conf is already on EFS. But make sure its directives are pointing to the SSL resources in the updated /etc/nginx/ssl/ location.
- You will need to restart Nginx on each EC2 instance in order for the changes to take effect. Although a bit more advanced, you can use SSM to send bash commands to multiple EC2 instances.
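Added example, not part of SFTP Gateway or certbot, tying the renewal workaround and the multi-instance notes together: a script that checks website.conf already points at /etc/nginx/ssl/, applies the pip workaround, renews, publishes the pair to EFS only if the certificate and key actually match, and restarts nginx across the fleet through SSM. The Name-tag value, the `--run` flag and the script name are assumptions; paths and commands are the article's.

```shell
#!/bin/sh
# Added renew-and-publish helper for the HA layout above; not part of SFTP Gateway
# or certbot. Assumes certbot under /opt/letsencrypt as installed in this article,
# /etc/nginx on EFS, and instances reachable through SSM by a Name tag
# (the tag value below is a placeholder). Run as root with: sh le-renew-ha.sh --run
DOMAIN="robtest.thorn.tech"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"      # certbot output, local to this node
SSL_DIR="/etc/nginx/ssl"                      # shared copy on EFS
CONF="/etc/nginx/sites-available/website.conf"
INSTANCE_TAG="${INSTANCE_TAG:-PLACEHOLDER_NAME_TAG}"

# conf_points_to_ssl_dir CONF -> 0 only if every ssl_certificate / ssl_certificate_key
# directive lives under $SSL_DIR and at least two such directives exist.
conf_points_to_ssl_dir() {
    awk -v d="$SSL_DIR/" '
        $1=="ssl_certificate" || $1=="ssl_certificate_key" {
            sub(/;$/, "", $2); n++; if (index($2, d) != 1) bad++ }
        END { exit (n < 2 || bad > 0) }' "$1"
}

# The article's workaround: certbot refuses to renew unless it is current, and the
# plain upgrade path fails on Amazon Linux with "No module named cryptography".
upgrade_certbot() {
    unset PYTHON_INSTALL_LAYOUT
    /opt/eff.org/certbot/venv/bin/pip install --upgrade certbot
}

# Copy cert and key to EFS, refusing to publish a pair whose public keys differ.
publish_to_efs() {
    c=$(openssl x509 -pubkey -noout -in "$LIVE_DIR/fullchain.pem")
    k=$(openssl pkey -pubout -in "$LIVE_DIR/privkey.pem")
    [ -n "$c" ] && [ "$c" = "$k" ] || { echo "cert/key mismatch in $LIVE_DIR" >&2; return 1; }
    install -d -m 0750 "$SSL_DIR"
    install -m 0644 "$LIVE_DIR/fullchain.pem" "$SSL_DIR/fullchain.pem"
    install -m 0600 "$LIVE_DIR/privkey.pem"   "$SSL_DIR/privkey.pem"
}

# Ask SSM to test and restart nginx on every tagged instance (no per-node SSH).
reload_fleet() {
    aws ssm send-command --document-name "AWS-RunShellScript" \
        --targets "Key=tag:Name,Values=$INSTANCE_TAG" \
        --parameters 'commands=["nginx -t && service nginx restart"]'
}
main() {
    conf_points_to_ssl_dir "$CONF" || { echo "$CONF does not use $SSL_DIR" >&2; exit 1; }
    upgrade_certbot && /opt/letsencrypt/letsencrypt-auto --no-bootstrap renew || exit 1
    publish_to_efs && reload_fleet
}
if [ "${1:-}" = "--run" ]; then main; fi
```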