SFTP Gateway 2.001.00 Lets Encrypt
Note: This page applies to SFTP Gateway version 2.x. Visit Here for documentation on version 3.x.
Background
SFTP Gateway 2.001.00 comes with a web admin interface for managing SFTP users and settings. This website is hosted on a local web server (Nginx).
The website uses a self-signed SSL certificate. This encrypts your web traffic out of the box, but browsers cannot verify who issued the certificate, so you will encounter an SSL warning each time you visit the site.
If you don't want invalid SSL certificate warnings, you will need to obtain a valid SSL certificate.
Why you can't use ACM
AWS Certificate Manager (ACM) is a cloud native tool for obtaining free SSL certificates. It gives you a Domain Validation (DV) level certificate, which is enough to provide encryption, but makes no claims on the validity of your organization.
ACM can only be used with CloudFront and Application Load Balancers (ALB). This means that you cannot use ACM directly with an EC2 instance. Also, you can't use it with a Network Load Balancer (NLB), which is what SFTP Gateway uses.
Even if you were to add CloudFront or an ALB to your architecture, you would still need to encrypt its traffic to the EC2 instance. And so you would need to somehow export the private key used in your ACM certificate, and install that in Nginx. Unfortunately, it is impossible to export a private key from ACM.
You can however import a private key, certificate, and chain, into an ACM cert. But this doesn't actually give you a free SSL certificate. Rather, you are just wrapping an SSL certificate you obtained elsewhere inside an ACM certificate.
Using LetsEncrypt
The best free approach is to use LetsEncrypt, which provides free SSL certificates. These are Domain Validation (DV) level certs, much like ACM. But you have full access to the private key, so you can use it with Nginx, and even export it to ACM.
The main challenge with using LetsEncrypt is that it's not officially supported on Amazon Linux 2 (SFTP Gateway 2.001.00 is based on the Amazon Linux 2 image).
This article covers how to set up LetsEncrypt on Amazon Linux 2. It provides step-by-step instructions for the initial set up.
Preparation
(a) Before you begin, you will need to gather 3 pieces of information:
- Domain: robtest.thorn.tech
  This domain has to be pointing to the IP address prior to running LetsEncrypt.
- IP address: 54.210.100.47
  This should be an Elastic IP, so it doesn't change each time you stop the instance.
- Email: robert.chen@thorntech.com
  LetsEncrypt certs only last 90 days, so make sure your email address is valid to get the expiration warnings.
(b) Create a Host A record in Route 53, pointing robtest.thorn.tech to 54.210.100.47. Wait 10-15 minutes to give DNS a chance to propagate. This is required for the validation step.
(c) Temporarily open your EC2 Security Group's port 80 to the world (0.0.0.0/0). This is also required for the validation step, which is performed over plain HTTP. (Don't forget to remove this rule later!)
(d) Set the domain name in your Nginx conf file. Edit /etc/nginx/conf.d/website.conf line 61, and replace the wildcard _ with your domain name:
server_name robtest.thorn.tech;
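The preparation steps above are easy to get half right (DNS not yet propagated, wildcard server_name left in place), and the certbot run then fails validation. The following added helper script is not part of the SFTP Gateway documentation; it checks that the domain resolves to the Elastic IP you expect and rewrites the server_name line idempotently. It assumes glibc's getent(1) is available (it is on Amazon Linux 2) and that website.conf contains a single `server_name _;` line; the conf path is a parameter so it can be exercised against a copy.

```shell
#!/bin/sh
# Added example, not from the SFTP Gateway docs: preflight checks for the
# Preparation steps. Assumes getent(1) (glibc) and one "server_name _;" line.

# Compare the address a hostname resolved to against the expected Elastic IP.
# Pure string comparison, so a pre-resolved address can be passed in.
dns_matches() {
    resolved="$1"
    expected="$2"
    [ "$resolved" = "$expected" ]
}

# Resolve a hostname to its first IPv4 address with the system resolver
# (getent ahostsv4 is a glibc extension; assumption: the host runs glibc).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Replace the wildcard server_name with the real domain. Idempotent: a conf
# that already names the domain is left unchanged. Returns 0 once the
# domain is present in the file.
set_server_name() {
    conf="$1"
    domain="$2"
    tmp="${conf}.tmp"
    sed "s/^\([[:space:]]*server_name[[:space:]]*\)_;/\1${domain};/" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    grep -q "server_name ${domain};" "$conf"
}

# Tie the checks together: refuse to touch the conf until DNS is correct.
# Usage: preflight robtest.thorn.tech 54.210.100.47 /etc/nginx/conf.d/website.conf
preflight() {
    domain="$1"
    expected_ip="$2"
    conf="$3"
    ip=$(resolve_ipv4 "$domain")
    if ! dns_matches "$ip" "$expected_ip"; then
        echo "$domain resolves to '${ip:-nothing}', expected $expected_ip; wait for DNS to propagate" >&2
        return 1
    fi
    set_server_name "$conf" "$domain"
}
```

Run `preflight` with your own domain, Elastic IP and conf path before starting the Installation section; a non-zero exit means the A record has not propagated yet and the http-01 validation would fail.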
Installation (Single Instance)
The instructions in this section are based on the following article.
(a) Sudo to root
sudo su
(b) Point to Extra Packages for Enterprise Linux (EPEL)
curl -O http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm -y
(c) Install the Nginx flavor of Certbot (i.e. the LetsEncrypt client)
yum install certbot-nginx -y
(d) Run the LetsEncrypt wizard
certbot
(e) Supply your email address (for renewal notification purposes)
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): robert.chen@thorntech.com
(f) Accept the terms
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
(g) You don't need to share your email
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
(h) You should see your server_name listed below. Select 1.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
(i) LetsEncrypt will try to validate your server. You should see the following output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for robtest.thorn.tech
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/website.conf
(j) Choose 1 so that LetsEncrypt doesn't mangle your nginx conf file.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
(k) Check your nginx conf file for any changes. Note the location of the LetsEncrypt private key and certificate:
ssl_certificate /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem; # managed by Certbot
(l) Restart nginx
nginx -t && systemctl restart nginx
Multi instance considerations
If you are running SFTP Gateway in HA, there are some things you need to keep in mind.
The folder /etc/nginx/ is on EFS, but the generated SSL certificates are stored in /etc/letsencrypt/live/. You should move these to /etc/nginx/ssl/, and update the /etc/nginx/conf.d/website.conf file with this location.
Also, you will need to restart Nginx on each EC2 instance in order for the changes to take effect.
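The following added script is not part of the SFTP Gateway documentation; it carries out the HA step above. It places a copy of the certificate and private key under /etc/nginx/ssl/ (on EFS, so every instance sees it), sets root-only permissions on the key, rewrites the two "managed by Certbot" lines in website.conf, and provides the per-instance restart. It copies rather than moves so the Certbot-managed /etc/letsencrypt tree stays intact; the nginx and letsencrypt root directories are parameters (normally /etc/nginx and /etc/letsencrypt) so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the SFTP Gateway docs: publish the Certbot-issued
# certificate into the EFS-backed /etc/nginx/ssl/ for an HA pair.
# Assumptions: live dir under <le_root>/live/<domain>, conf at
# <nginx_root>/conf.d/website.conf (both as in the article).

relocate_cert() {
    domain="$1"       # e.g. robtest.thorn.tech
    nginx_root="$2"   # normally /etc/nginx (on EFS in HA)
    le_root="$3"      # normally /etc/letsencrypt (local to one instance)
    conf="$nginx_root/conf.d/website.conf"
    src="$le_root/live/$domain"
    dst="$nginx_root/ssl"

    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "missing certificate files under $src" >&2
        return 1
    }

    mkdir -p "$dst"
    # -L follows the symlinks in live/, so the shared copy is a real file.
    cp -L "$src/fullchain.pem" "$dst/$domain.fullchain.pem"
    cp -L "$src/privkey.pem"   "$dst/$domain.privkey.pem"
    chmod 0644 "$dst/$domain.fullchain.pem"
    chmod 0600 "$dst/$domain.privkey.pem"   # private key readable by root only

    # Point the two Certbot-written directives at the shared location.
    tmp="$conf.tmp"
    sed -e "s#^\([[:space:]]*ssl_certificate[[:space:]]\).*#\1$dst/$domain.fullchain.pem;#" \
        -e "s#^\([[:space:]]*ssl_certificate_key[[:space:]]\).*#\1$dst/$domain.privkey.pem;#" \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Run on every instance after the shared conf has been updated.
reload_nginx() {
    nginx -t && systemctl restart nginx
}

# Usage: relocate_cert robtest.thorn.tech /etc/nginx /etc/letsencrypt && reload_nginx
```

Because the shared files are copies, they do not update when Certbot renews the certificate on the instance that originally obtained it; re-run `relocate_cert` after each renewal so the other instances do not keep serving an expired certificate.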