LetsEncrypt SSL Certificate
Overview
StorageLink comes with a Web interface for connecting to Cloud Storage and for managing Users & settings. This website is hosted on a local web server (Nginx).
The website uses a self-signed SSL certificate. This protects your web traffic out of the box. However, you will encounter SSL warnings each time you visit the site.
If you don't want invalid SSL certificate warnings, you will need to obtain a valid SSL certificate.
Using LetsEncrypt
The simplest free option is LetsEncrypt, which issues Domain Validation (DV) certificates at no cost.
This article covers how to set up LetsEncrypt on StorageLink and provides step-by-step instructions for the initial configuration.
Preparation
AWS
(1) In the AWS console, verify that you have an Elastic (static) IP. Our CloudFormation templates provision one automatically.
(2) Create a DNS entry (Host A record), which points your domain name to the public IP address of your server. Allow some time for DNS to propagate.
Note: For HA, you don't need static IPs. Instead, create a CNAME that points to the load balancer's DNS endpoint.
(3) Create an ingress rule in the EC2 Security Group to allow TCP port 80 traffic from 0.0.0.0/0. This is required for the validation step.
(4) SSH into your VM, and elevate your privileges to root:
sudo su
(5) Set the domain name on your Nginx conf file.
Edit /etc/nginx/conf.d/website.conf at line 80, and replace the wildcard _ with your domain name.
For example:
server_name robtest.thorn.tech;
Azure
(1) In the Azure Portal, change the Public IP of your VM from Dynamic to Static.
(2) Create a DNS entry (Host A record), which points your domain name to the public IP address of your VM. Allow some time for DNS to propagate.
Note: For HA, you don't need static IPs. Instead, create a CNAME that points to the load balancer's DNS endpoint.
(3) In the Azure Portal, open your Network Security Group's (NSG) port 80 to Any source. This is required for the validation step.
(4) SSH into your VM, and elevate your privileges to root:
sudo su
(5) Set the domain name on your Nginx conf file.
Edit /etc/nginx/sites-available/website.conf at line 80, and replace the wildcard _ with your domain name.
For example:
server_name robtest.thorn.tech;
Google Cloud
(1) In the Google Cloud console, create a static IP address for your VM.
(2) Create a DNS entry (Host A record), which points your domain name to the public IP address of your VM. Allow some time for DNS to propagate.
Note: For HA, you don't need static IPs. Instead, create a CNAME that points to the load balancer's DNS endpoint.
(3) In the Google Cloud console, change the VM's Firewall setting to Allow HTTP traffic. This is required for the validation step. You may also need to open port 80 manually on the Firewall of the VM if Allow HTTP traffic doesn't work.
(4) SSH into your VM, and elevate your privileges to root:
sudo su
(5) Set the domain name on your Nginx conf file.
Edit /etc/nginx/sites-available/website.conf at line 80, and replace the wildcard _ with your domain name.
For example:
server_name robtest.thorn.tech;
(6) Restart Nginx to apply this change.
nginx -t && service nginx restart
Certbot installation
On StorageLink, certbot (the LetsEncrypt client) is already installed on the server. To verify, run the following command:
certbot --version
Run the certbot wizard
Once you have confirmed that certbot is installed, you can generate the SSL certificate.
(1) Run this command:
certbot
You will be taken through an interactive wizard.
(2) Enter a valid email address:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): robert.chen@thorntech.com
(3) Agree to the Terms of Service:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
(4) You don't need to share your email.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
AWS
(5) Select your domain. If it doesn't show up on the list, check your /etc/nginx/conf.d/website.conf file for the server_name directive.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
(6) LetsEncrypt will try to validate your server.
Requesting a certificate for robtest.thorn.tech
Performing the following challenges:
http-01 challenge for robtest.thorn.tech
Using default addresses 80 and [::]:80 ipv6only=on for authentication.
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/website.conf
No matching insecure server blocks listening on port 80 found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Validation and Cleanup
Verify that it works by navigating to your domain via your web browser using HTTPS.
If all is well, you should see a valid SSL certificate.
On your EC2 Security Group, don't forget to remove the ingress rule for TCP 80 that allows traffic from 0.0.0.0/0.
Azure
(5) Select your domain. If it doesn't show up on the list, check your /etc/nginx/sites-enabled/website.conf file for the server_name directive.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
(6) LetsEncrypt will try to validate your server.
Requesting a certificate for robtest.thorn.tech
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem
Key is saved at: /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem
This certificate expires on 2023-12-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for robtest.thorn.tech to /etc/nginx/sites-enabled/website.conf
Congratulations! You have successfully enabled HTTPS on https://robtest.thorn.tech
Validation and Cleanup
Verify that it works by navigating to your domain via your web browser using HTTPS.
If all is well, you should see a valid SSL certificate.
On your NSG, don't forget to remove the port 80 rule that allowed traffic from Any source.
Google Cloud
(5) Select your domain. If it doesn't show up on the list, check your /etc/nginx/sites-enabled/website.conf file for the server_name directive.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: robtest.thorn.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
(6) LetsEncrypt will try to validate your server.
Requesting a certificate for robtest.thorn.tech
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/robtest.thorn.tech/fullchain.pem
Key is saved at: /etc/letsencrypt/live/robtest.thorn.tech/privkey.pem
This certificate expires on 2023-12-07.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for robtest.thorn.tech to /etc/nginx/sites-enabled/website.conf
Congratulations! You have successfully enabled HTTPS on https://robtest.thorn.tech
Validation and Cleanup
Verify that it works by navigating to your domain via your web browser using HTTPS.
If all is well, you should see a valid SSL certificate.
On your VM Firewall, don't forget to remove the Allow HTTP traffic rule.
Automatic renewal
The LetsEncrypt SSL certificate only lasts 90 days, so it requires periodic renewal.
To renew the SSL cert, you can run the command:
certbot renew
This will ask you a series of questions in order to renew your existing SSL certificates.
You will not be eligible for renewing the SSL cert until you are within 30 days of expiration. This is to prevent LetsEncrypt from being inundated with daily renewal scripts.
To automate the LetsEncrypt renewal, you can create a cron job:
crontab -e
And add this line of text:
0 4 2 * * /usr/bin/certbot renew --quiet >/dev/null 2>&1
This runs the certbot renew command non-interactively once a month.
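As an added example (not StorageLink's or certbot's own code), the script below covers two checks from this guide: that the Nginx server_name wildcard was replaced in step (5), which is why a domain is missing from certbot's list, and whether a certificate with the expiry the wizard reported is inside the 30-day window that certbot renew honours. The conf snippet and the wizard output line are constructed; robtest.thorn.tech and the 2023-12-07 expiry are the values from this page.

```python
"""Offline checks for the StorageLink certbot setup (added example, not project code):
server_name wildcard replaced in step (5), and the 30-day renewal window."""
import re
from datetime import date
from typing import List

RENEWAL_WINDOW_DAYS = 30  # certbot renew only acts within 30 days of expiry (per the guide)
_COMMENT_RE = re.compile(r"#.*")  # drop Nginx comments before matching directives
_SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)
_EXPIRY_RE = re.compile(r"expires on (\d{4}-\d{2}-\d{2})")

def server_names(nginx_conf: str) -> List[str]:
    """Every name from every server_name directive in the conf, comments ignored."""
    stripped = _COMMENT_RE.sub("", nginx_conf)
    names: List[str] = []
    for match in _SERVER_NAME_RE.finditer(stripped):
        names.extend(match.group(1).split())
    return names

def domain_is_configured(nginx_conf: str, domain: str) -> bool:
    """False while the conf still carries only the catch-all '_' (step (5) not done)."""
    return domain in server_names(nginx_conf)

def parse_expiry(certbot_output: str) -> str:
    """Pull the ISO date out of certbot's 'This certificate expires on ...' line."""
    match = _EXPIRY_RE.search(certbot_output)
    if not match:
        raise ValueError("no expiry line found in certbot output")
    return match.group(1)

def days_until_expiry(expiry_iso: str, today_iso: str) -> int:
    """Whole days from today until the certificate's expiry date."""
    return (date.fromisoformat(expiry_iso) - date.fromisoformat(today_iso)).days

def renewal_due(expiry_iso: str, today_iso: str) -> bool:
    """True once the certificate is inside the window in which certbot renew will act."""
    return days_until_expiry(expiry_iso, today_iso) <= RENEWAL_WINDOW_DAYS

# Constructed samples: the conf before and after step (5), and the wizard's expiry line.
CONF_BEFORE = "server {\n    listen 80;\n    server_name _;  # default catch-all\n}\n"
CONF_AFTER = CONF_BEFORE.replace("server_name _;", "server_name robtest.thorn.tech;")
WIZARD_OUTPUT = "This certificate expires on 2023-12-07.\n"

if __name__ == "__main__":
    print("domain configured:", domain_is_configured(CONF_AFTER, "robtest.thorn.tech"))
    print("renewal due today:", renewal_due(parse_expiry(WIZARD_OUTPUT), date.today().isoformat()))
```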