Let’s Encrypt for EC2 Apache Server

HTTPS – it has been around for a while now and yet very few websites use it. To make the web more secure, in a cost-effective manner for domain owners, Let’s Encrypt was established. It is a free, automated, and open certificate authority (CA) run by a non-profit group. You can learn a lot more about them on their website; however, it is kind of hard to use their services if you are using a non-supported OS (in my case AMI Linux provided by AWS).

But with a little bit of trial and error, reading on the net, and time investment – I got it to work. Just putting the steps up here so that anyone can follow it quickly and easily.

 

Prerequisite

 

Getting the Cert

1. SSH to your instance and run the following commands

sudo yum update -y
sudo yum install -y mod24_ssl
sudo service httpd restart
sudo yum install git

2. With that done, let’s get the latest repo of letsencrypt

git clone https://github.com/letsencrypt/letsencrypt.git

This should create a folder ~/letsencrypt for you.

3. Run the following command, replacing the following parameters:

  • YOUR_DOMAIN – this is your domain name (example.com)
  • /VAR/WWW/HTML – Apache webroot path
  • YOUR_EMAIL – you will get renewal reminders on this email so make sure this is a valid one

~/letsencrypt/letsencrypt-auto certonly --renew-by-default -d YOUR_DOMAIN --authenticator webroot --webroot-path /VAR/WWW/HTML --email YOUR_EMAIL --agree-tos --debug

4. When you get the success message, look through the first bullet point of IMPORTANT NOTES. Copy the location of the certificate files (it looks something like /etc/letsencrypt/live/YOUR_DOMAIN).

5. Edit the Apache SSL file (/etc/httpd/conf.d/ssl.conf) and update the following entries:

  • SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
  • SSLProxyProtocol all -SSLv3
  • SSLHonorCipherOrder on
  • SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
  • SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
  • SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem

6. Change the Apache config to redirect all requests on the HTTP port to the HTTPS port. Add the following code to the httpd.conf file.

<VirtualHost *:443>
ServerAdmin YOUR_EMAIL
ServerName YOUR_DOMAIN
DocumentRoot "/VAR/WWW/HTML"
ErrorLog "logs/YOUR_DOMAIN-error_log"
CustomLog "logs/YOUR_DOMAIN-access_log" common
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem
</VirtualHost>

Change the port 80 block to the following:
<VirtualHost *:80>
ServerAdmin YOUR_EMAIL
ServerName YOUR_DOMAIN
DocumentRoot /VAR/WWW/HTML
ErrorLog "logs/YOUR_DOMAIN-error_log"
CustomLog "logs/YOUR_DOMAIN-access_log" common
RewriteEngine On
# The condition pattern must be written without a space: !=on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

7. And restart Apache one more time.
sudo service httpd restart

And you are done! If you followed all the seven steps to the letter, you should have a working SSL certificate from Let’s Encrypt for free. Of course, it costs a ton of money to issue and maintain these certificates – so please donate to them if possible.
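An added example, not part of the original post: a small Python audit of the step 5 directives that computes which protocols the SSLProtocol line leaves enabled and checks that the certificate, key and chain paths share one directory. The left-to-right token handling and the protocol list behind `all` (SSLv3 through TLSv1.2) are assumptions modelled on mod_ssl, and both config samples are constructed from the values above.

```python
import posixpath

# Assumption: "all" expands to the protocols a 2.4-era mod_ssl build offers.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
CERT_KEYS = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

def effective_protocols(value):
    """Apply SSLProtocol tokens left to right: bare replaces, + adds, - removes."""
    enabled = set()
    for tok in value.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):]
        names = set(ALL) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= names
        elif sign == "+":
            enabled |= names
        else:
            enabled = names
    return enabled

def audit(conf_text):
    """Return a list of findings for the directives set in step 5."""
    directives = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0][0] not in "#<":
            directives[parts[0]] = parts[1]  # a later line overrides an earlier one
    findings = []
    weak = effective_protocols(directives.get("SSLProtocol", "")) & DEPRECATED
    if weak:
        findings.append("SSLProtocol enables deprecated protocols: "
                        + ", ".join(sorted(weak)))
    dirs = {posixpath.dirname(directives[k]) for k in CERT_KEYS if k in directives}
    if len(dirs) > 1:
        findings.append("certificate, key and chain are in different directories")
    return findings

# Constructed samples: the tutorial's step 5 values and a TLS 1.2-only variant.
LIVE = "/etc/letsencrypt/live/YOUR_DOMAIN"
PAGE_CONF = f"""SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCertificateFile {LIVE}/cert.pem
SSLCertificateKeyFile {LIVE}/privkey.pem
SSLCertificateChainFile {LIVE}/chain.pem"""
HARDENED_CONF = PAGE_CONF.replace(PAGE_CONF.splitlines()[0], "SSLProtocol -all +TLSv1.2")

if __name__ == "__main__":
    print(audit(PAGE_CONF), audit(HARDENED_CONF))
```

On the tutorial's settings the audit reports TLSv1 and TLSv1.1, which RFC 8996 deprecated; the second sample leaves only TLSv1.2 enabled and produces no findings.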

Pro tip: Let’s Encrypt certificates expire in 90 days. And for good reason. But it can get cumbersome to update and renew the cert. So add the following entry to your crontab to automate the re-certification process.
1 21 * * 6 /home/ec2-user/letsencrypt/letsencrypt-auto renew

Free the DC Universe

Just finished watching Batman vs Superman. The movie, which is supposed to keep one on the edge of the seat, made me fall asleep in between. Twice! The movie about an epic battle between two epic super heroes, about setting up a foundation for Justice League, about introduction of Lex Luthor – is a snooze fest! (That’s two exclamation marks in 3 sentences, imagine my anger.)

The plot holes are unsurmountable – greatest detective of all time spends two years trying to uncover every soft spot in his enemy but doesn’t find out that his nemesis’ mother has the same name as his mother? And this fact somehow converts Superman, threat to humanity in the eyes of Batman, into BFF? How did Alfred know that he needs to track the Russian assassin? And all those plot holes are in 3 minutes of a 3 hour long movie.

Zack Snyder has done a really bad job of trying to move the plot along – mostly through dream sequences that make no sense. Critical information is not conveyed because everyone watching the movie is supposed to be familiar with comics. It even goes on to destroy the Batman legacy that Nolan painstakingly created (this Batman has no morals about use of guns or branding).

And after all this shit, who is allowing Zack to write Wonder Woman and direct Justice League after Rise of Empire, Man of Steel, and this movie? Fans are crying bloody murder and critics are panning the movies. Is Kevin Tsujihara getting paid for just showing up and napping in office or does he actually look at movies that Warner Bros is producing? I bet the first man you find on streets of LA can do a better job of running the studio at this point in time. (If you don’t believe me, may I remind you of the Hobbit series?)

Zack and Kevin, please just retire and give the DC universe a fighting chance.

Weeding the Old

When Apple first removed the CD slot, there was a huge hue and cry about it – “How are we going to load large amounts of data/video/game on our laptops?” people asked. This is not courage… this is stupidity, they said. Apple, of course, gave zero f***s about the noise and just kept moving along. Today, show me a laptop that comes with a CD rom.

Same shit is going on over headphone jacks today.

Until a few years back, carrying an AUX cable was the norm. How else are you going to connect your phone to car, home surround sound system, and portable speakers! I don’t remember touching an AUX cable in the last 12 months. Music plays over bluetooth! It is literally that simple. The only time I have used the headphone jack on my phone is when I am on a flight and using noise-cancellation headphones.

Apple has always been the first to abandon a dying technology. Weeding out outdated tech helps keep product simple!

So keep your sanity and voice, stop screaming bloody murder, and go get a bluetooth headphone (just like I will). Because your beloved Macbook will be next to give up its headphone jack.

Hosting Multiple Domains/Subdomains on Single AWS EC2 Instance

Spent the last few days figuring out how to host multiple domains on a single instance. Reading copious amounts of AWS documentation, StackOverflow Q&A, and blogposts, followed by a lot of experimentation, has resulted in me hosting two domain names with a subdomain on a single AWS EC2 instance. Sharing the steps involved so that it is easy for everyone else.

 

Prerequisite

 

Getting Hosted Zone Setup

1. Login to your AWS console and select Route 53 from the Services dropdown.

2. On the navigation panel, select Hosted zones.

3. Click Create Hosted Zone. Enter the domain name. Select Public Hosted Zone in the Type dropdown.
If you bought domain name from Route 53, then AWS will create a hosted zone for you. You can skip to step 6.

4. AWS will create 2 record sets – NS and SOA (DO NOT edit these).

5. Copy name server values from NS record and enter it against the domain name on the panel of your domain name registrar.

6. To create the main domain, click Create Record Set.

  • Leave the Name blank
  • Select A – IPv4 address in Type drop down
  • Enter Public IP address of your instance or load balancer in Value
  • Save Record Set.

7. To set up a subdomain, add another Record Set by clicking Create Record Set.

  • In the Name enter the subdomain
  • Select A – IPv4 address in Type drop down
  • Enter the IP address of your instance or load balancer in Value. Save Record Set

Repeat these steps for all the domains you want to host on the instance.

At this point you should have all your domain names and subdomains set up. While you wait for DNS across the world to update their records, set up the Apache server.

Here we go again!

A couple of weeks ago I decided to revive this website. So installed WordPress, uploaded my old theme and … kaput! It rendered horribly; after all it was written more than 3 years ago. So, I took a quick detour to catch-up on WP codex. I was surprised (pleasantly) how much WP has improved – structure, standard, security, support – on all counts. Kudos to the WP team and community.

I threw out the old theme and wrote one from scratch. It is still a work in progress, as most things always are, but it is in good enough shape to be used for the blog. Updates to theme – with aim to keep it light, clean, and responsive – and new blogposts – with aim to entertain, share, and discuss – will happen. Hopefully more frequently than every 3 years. *fingers crossed*

Here is to new beginnings.