Let’s encrypt your server / (Bitnami Product Stack) – Updated!


I changed this tutorial on 2016-01-26 because I realized I had failed to mention one of the config files where you have to add the certificate files, too. The tutorial works with the final version of Let’s Encrypt, even though it was written during the beta phase.
As I wrote in an earlier blog post, Let’s Encrypt just launched its beta test. In the beta phase your whitelisted domains will gain a valid certificate for 90 days, but this duration will be increased soon. So it is time to set the certificate up and make the web more secure.

As the "automatic" script offered by Let’s Encrypt isn’t compatible with the Bitnami WordPress Amazon Machine Image (AMI), which I currently use to host this website, here are the necessary steps to get your certificate installed and working on an Ubuntu 14.04 Bitnami instance on Amazon AWS:

  1. Get the necessary scripts from GitHub:
    git clone https://github.com/letsencrypt/letsencrypt
    1. If you haven't installed git, just download the current version of the ACME script and extract it on your server:
      wget https://github.com/letsencrypt/letsencrypt/archive/master.zip
      unzip master.zip
  2. Change into the newly created directory:
    cd letsencrypt
  3. First we will stop the Bitnami / WordPress stack:
    sudo /opt/bitnami/ctlscript.sh stop

    This step should work with all Bitnami instances.

  4. Start the ACME client with the production URL as an option from the command line.
    sudo ./letsencrypt-auto --agree-dev-preview --server \
    https://acme-v01.api.letsencrypt.org/directory auth

    When you call the script, there might be some updates that will be installed during bootstrapping. The script is written in Python and you might need root rights to install all necessary dependencies.

    During the beta phase you can only get a certificate when your domains are whitelisted at Let’s Encrypt.

  5. Then you need to enter your mail address. I took the same one I registered with for the beta test.
  • Now enter the domain names you would like to get a certificate for. Keep in mind that only domain names that are already registered and whitelisted at Let’s Encrypt are valid.
  • If you get the following information displayed, you need to stop the https services first.
  • Finally, you need to agree to the Terms of Service to be able to use the free SSL certificates from Let’s Encrypt.
  • After finishing the steps above, you will get feedback on the console where you can find your certificates:
     - Congratulations! Your certificate and chain have been saved at
       /full/path/seiler.it/fullchain.pem. Your cert will
       expire on 2016-01-30. To obtain a new version of the certificate in
       the future, simply run Let's Encrypt again.

    In this directory you can find the following files:
    cert.pem,  chain.pem,  fullchain.pem and privkey.pem
    You should keep a copy of the certificates in a local folder on your computer.

  • Now we need to add these certificates to the Bitnami AMI. Edit your httpd config files and double-check that you added all certificates the right way:
    sudo nano /path/to/apps/<your_application>/conf/httpd-vhosts.conf
    sudo nano /path/to/apps/apache2/conf/bitnami/bitnami.conf

    In my case that would be: /path/to/bitnami/apps/wordpress/conf/httpd-vhosts.conf and  /path/to/bitnami/apache2/conf/bitnami/bitnami.conf
    This step should work on all Bitnami instances relying on Apache.
    In the httpd-vhosts.conf I changed the <VirtualHost> settings of the three SSLCertificateFile* parameters to point to the correct location of the newly signed certificates. You do not need to care about the file types of the certificates (.pem). Those will just work as they only contain plain text. The overall section will look like the following lines:

    <VirtualHost *:443>
        ServerName seiler.it
        ServerAlias www.seiler.it
        DocumentRoot "/path/to/htdocs"
        SSLEngine on
        SSLCertificateFile "/path/to/cert.pem"
        SSLCertificateKeyFile "/path/to/privkey.pem"
        SSLCertificateChainFile "/path/to/fullchain.pem"
        Include "/path/to/conf/httpd-app.conf"
    </VirtualHost>
  • In the bitnami.conf I changed the same lines:
    <VirtualHost _default_:443>
      DocumentRoot "/opt/bitnami/apache2/htdocs"
      SSLEngine on
      SSLCertificateFile "/path/to/cert.pem"
      SSLCertificateKeyFile "/path/to/privkey.pem"
      SSLCertificateChainFile "/path/to/fullchain.pem"
      [...]
    </VirtualHost>


  • In the next step save and restart your hosting services:
    sudo /opt/bitnami/ctlscript.sh start

    There should be no error or warning displayed on the console.

  • Edit your wp-config.php  and change your default host to https://
    //define('WP_SITEURL', 'http://seiler.it');
    //define('WP_HOME', 'http://seiler.it');
    define('WP_SITEURL', 'https://seiler.it');
    define('WP_HOME', 'https://seiler.it');
  • Now check whether your domain works with https://
  • You might see some (or a lot, if unlucky) mixed content warnings in the developer console of your browser, and your site might not load all images / other content. These are caused by references to "insecure" destinations from which your images or other content such as CSS and JavaScript files are loaded. For instance, your WordPress theme might contain references to a logo or to other images / content that use complete URLs starting with http:// instead of relative paths. As this "problem" can get quite complex, I am linking here some pages that deal with the mixed content warning and might help you with a solution:
    1. https://css-tricks.com/moving-to-https-on-wordpress/
    2. http://www.smartinternetlifestyle.com/how-to-redirect-http-to-https-on-wordpress/
    3. http://www.redirect301.de/weiterleitung-http-nach-https.html
    4. http://designmodo.com/wordpress-https/
    5. https://www.webongo.de/wordpress-https-umstellen/ (German language)
  • If everything is fine, we are finally going to update your .htaccess file. Just add the following to the very beginning of the file:
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
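
To find the hard-coded http:// references behind the mixed content warnings mentioned above, you can scan the theme files. This is an added example, not part of the original tutorial; the function names and the sample theme files are constructed for illustration, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: list hard-coded http:// sub-resources (mixed content).
# Function names and sample files are constructed; GNU grep is assumed.

# Print "file:line:match" for every insecure sub-resource reference in DIR.
# Plain <a href="http://..."> links are navigation, not mixed content,
# so only src/srcset attributes, <link href> and CSS url() are reported.
find_mixed_content() {
    grep -rnoEi \
        --include='*.php' --include='*.html' --include='*.css' --include='*.js' \
        "(src|srcset)=[\"']http://[^\"']+|<link[^>]+href=[\"']http://[^\"']+|url\\([\"']?http://[^\"')]+" \
        "$1"
}

# Number of insecure references in DIR (0 means nothing was found).
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Constructed sample theme directory so the script runs offline.
make_sample_theme() {
    d=$(mktemp -d)
    cat > "$d/header.php" <<'EOF'
<img src="http://example.test/logo.png">
<link rel="stylesheet" href="http://example.test/style.css">
<a href="http://example.test/about">About</a>
<script src="/wp-includes/js/jquery.js"></script>
EOF
    cat > "$d/style.css" <<'EOF'
body { background: url(http://example.test/bg.png); }
.ok  { background: url(/img/ok.png); }
EOF
    echo "$d"
}

theme=$(make_sample_theme)
find_mixed_content "$theme"
echo "insecure references: $(count_mixed_content "$theme")"
rm -rf "$theme"
```

On a real instance, pass the path of your theme directory to find_mixed_content instead of the sample directory.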
  • About certificate renewals and lifetimes

    Taken from the email about the beta phase of Let’s Encrypt, here is some information about the current lifetime of certificates and how to deal with this short lifetime:

    Certificates from Let’s Encrypt are valid for 90 days. We recommend renewing them every 60 days to provide a nice margin of error. As a beta participant, you should be prepared to manually renew your certificates at that time. As we get closer to General Availability, we hope to have automatic renewal tested and working on more platforms, but for now, please play it safe and keep track.
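
The advice above (90 days validity, renew every 60 days) means renewing once 30 days or fewer remain. The following check is an added example, not part of the original tutorial or of the Let's Encrypt client; the function names are hypothetical, openssl is assumed to be installed, and the self-signed test certificate is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: renewal-window and key/certificate check with openssl.
# Function names are hypothetical; the test certificate is constructed.

RENEW_BEFORE_DAYS=30   # 90-day lifetime, renew after 60 days => 30 days left

# Exit 0 if CERT expires within RENEW_BEFORE_DAYS, 1 if it does not,
# 2 if the file is unreadable or not a certificate.
cert_needs_renewal() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    if openssl x509 -in "$1" -noout \
        -checkend "$((RENEW_BEFORE_DAYS * 86400))" >/dev/null 2>&1; then
        return 1   # still valid beyond the renewal window
    fi
    return 0
}

# Exit 0 if the private key KEY carries the same public key as CERT.
# A mismatch after a renewal means Apache would point at the wrong pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed self-signed pair (cert.pem, privkey.pem) valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_test_cert "$tmp" 10
if cert_needs_renewal "$tmp/cert.pem"; then
    echo "certificate is inside the renewal window: renew now"
fi
if key_matches_cert "$tmp/cert.pem" "$tmp/privkey.pem"; then
    echo "privkey.pem matches cert.pem"
fi
rm -rf "$tmp"
```

On the server, call both functions with the cert.pem and privkey.pem from the directory the client reported.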

    2019-01-03T16:46:58+01:00


    1. Heinz 19 November 2015 at 21:27

      Thanks for the post! I tried around for a long time until I came across the solution here.

    2. Geoffrey 22 December 2015 at 22:22

      I ran the process, and got the output successfully:

      – Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/www.(DOMAIN).com/fullchain.pem. Your cert
      will expire on 2016-03-21. To obtain a new version of the
      certificate in the future, simply run Let’s Encrypt again.

      However, after editing my httpd-vhosts.conf file, I am still not getting SSL on my site. httpd-vhosts.conf is as follows:

      ServerName (DOMAIN).com
      ServerAlias www.(DOMAIN).com
      DocumentRoot "/opt/bitnami/apps/joomla/htdocs"
      Include "/opt/bitnami/apps/joomla/conf/httpd-app.conf"

      ServerName (DOMAIN).com
      ServerAlias www.(DOMAIN).com
      DocumentRoot "/opt/bitnami/apps/joomla/htdocs"
      SSLEngine on
      SSLCertificateFile "/etc/letsencrypt/live/www.(DOMAIN).com/cert.pem"
      SSLCertificateKeyFile "/etc/letsencrypt/live/www.(DOMAIN).com/privkey.pem"
      SSLCertificateChainFile "/etc/letsencrypt/live/www.(DOMAIN).com/fullchain.pem"
      Include "/opt/bitnami/apps/joomla/conf/httpd-app.conf"

      Any idea what I am doing wrong?

      • Sven Seiler 23 December 2015 at 16:37

        From that point it looks the right way. Just to be sure:
        1.) Have you checked that you haven't any other certificate (sgvps.net) from AlphaSSL that is used for your site?
        2.) Did you restart the services?
        3.) Is anything configured the right way in your httpd-app.conf?

    3. Guille 24 January 2016 at 16:30

      Hello and thanks

      I followed all steps and all is OK, but when I put this line:

      sudo ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth

      it doesn't continue and gives me this:

      Updating letsencrypt and virtual environment dependencies..../letsencrypt-auto: 186: ./letsencrypt-auto: /home/bitnami/.local/share/letsencrypt/bin/pip: not found

      help me please!
