I have a Django application with CI/CD set up via Bitbucket on AWS EC2 via AWS CodeDeploy.
In the AWS CodeDeploy hooks under AfterInstall:
hooks:
  AfterInstall:
    - location: scripts/nginx.sh
      timeout: 6000
      runas: ubuntu
and the nginx.sh script is:
#!/usr/bin/env bash
sudo mkdir -p /etc/nginx/sites-enabled
sudo mkdir -p /etc/nginx/sites-available
sudo mkdir -p /etc/nginx/log/
# remove every enabled site (unlink accepts a single path, so use rm -f for the glob)
sudo rm -f /etc/nginx/sites-enabled/*
# install the config shipped with the app over whatever is on the host
sudo cp /path_to_app/configs/nginx.conf /etc/nginx/sites-available/app-host.conf
sudo ln -s /etc/nginx/sites-available/app-host.conf /etc/nginx/sites-enabled/app-host.conf
sudo /etc/init.d/nginx stop
sudo /etc/init.d/nginx start
sudo /etc/init.d/nginx status
But every time this script is run via the CI/CD pipeline, SSL stops working and the website is not accessible using https.
To re-enable SSL, I have to manually run
sudo certbot --nginx
and re-configure the SSL certificate.
What could be the reason SSL stops working, and how can I automate this?
Certbot procures the SSL certificates from Let's Encrypt and keeps those certificates on your machine. You can run the command sudo certbot certificates to see the certificate paths.
Found the following certs:
Certificate Name: example.com
Domains: example.com, www.example.com
Expiry Date: 2017-02-19 19:53:00+00:00 (VALID: 30 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
You need to store the files located at Certificate Path & Private Key Path in a persisted volume so they don't get wiped out every time you deploy your app. In your case I think these certificate files are getting wiped out and that is the reason you have to run the command sudo certbot --nginx to procure a new certificate.
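As an added example (not code from the question or this answer): a guard for the AfterInstall hook that refuses to copy the repo's nginx config over the certbot-edited one unless it still names the Let's Encrypt certificate and key, validates with nginx -t, and reloads instead of stop/start. The live directory, app-host.conf and the repo config path are assumptions taken from the question.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer. Before the
# config shipped in the repo replaces the one certbot edited, confirm it
# still carries the ssl_certificate directives and that the files they
# point at exist; otherwise abort the deploy instead of dropping HTTPS.

# check_tls_config <site-config> <letsencrypt-live-dir>
# Exit status: 0 = config references an existing cert and key, 2..5 = what is missing.
check_tls_config() {
    conf=$1; live=$2
    cert="$live/fullchain.pem"; key="$live/privkey.pem"
    [ -f "$conf" ] || { echo "missing site config: $conf" >&2; return 2; }
    [ -f "$cert" ] && [ -f "$key" ] ||
        { echo "no certificate/key under $live (run certbot first)" >&2; return 3; }
    directive_is "$conf" ssl_certificate "$cert" ||
        { echo "$conf lacks 'ssl_certificate $cert;' - HTTPS would be dropped" >&2; return 4; }
    directive_is "$conf" ssl_certificate_key "$key" ||
        { echo "$conf lacks 'ssl_certificate_key $key;'" >&2; return 5; }
    return 0
}

# directive_is <conf> <directive> <value>: true when some line (comments
# stripped) sets <directive> to exactly <value>.
directive_is() {
    sed -e 's/#.*$//' "$1" |
    awk -v d="$2" -v v="$3" '$1 == d && $2 == (v ";") { found = 1 } END { exit !found }'
}

# install_site <site-config> <letsencrypt-live-dir>: the hook body. Reload
# rather than stop/start so a rejected config never takes the site offline.
install_site() {
    check_tls_config "$1" "$2" || return $?
    sudo cp "$1" /etc/nginx/sites-available/app-host.conf
    sudo ln -sfn /etc/nginx/sites-available/app-host.conf /etc/nginx/sites-enabled/app-host.conf
    sudo nginx -t && sudo systemctl reload nginx
}

# From the hook: scripts/nginx.sh /path_to_app/configs/nginx.conf /etc/letsencrypt/live/example.com
if [ $# -eq 2 ]; then
    install_site "$1" "$2"
fi
```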
Related
Install certbot/letsencrypt on Amazon Linux 2 and enable HTTPS on nginx (similar process available for apache)
Install certbot
sudo yum update
sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum-config-manager --enable epel
sudo yum install certbot python3-certbot-nginx
certbot --version
Generate certification
Use the following command to generate the certification and automatically let certbot modify the nginx configuration to enable https:
sudo certbot --nginx
or if you need only the certification, use the following command:
sudo certbot certonly --nginx
The certification will be created in the folder
/etc/letsencrypt/live/YOUR_SITE_NAME/
for example:
Certification
/etc/letsencrypt/live/www.my-site.com/cert.pem
Private key
/etc/letsencrypt/live/www.my-site.com/privkey.pem
Enable automatic renewal
Use the following command to enable automatic renewal of the certification:
sudo certbot renew --dry-run
Errors I have encountered
If during certification creation an error like the following appears:
"Could not choose appropriate plugin: The requested nginx plugin does
not appear to be installed"
then run the command
sudo yum install certbot python-certbot-nginx
and retry to create the certification.
Notes
For apache, you can use python2-certbot-apache instead of python2-certbot-nginx;
make sure you're using the option --apache instead of --nginx during the creation of the certification.
DNS must be configured to point to your machine, otherwise the certbot check will fail.
I am following a mini-tutorial to install letsencrypt certificates. OS is ubuntu 22.04.
I had already installed nginx, and my own example.com config file to /etc/nginx/sites-available
/etc/nginx/sites-available/example.com
I left the /etc/nginx/sites-available/default unchanged.
I removed the pre-installed certbot
sudo apt remove certbot
Then I installed snap and classic certbot:
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Then I ran
sudo nginx -t
sudo systemctl reload nginx
Then I did
sudo certbot --nginx -d example.com
I accepted the agreement, entered my email, and hit return.
Instead of modifying /etc/nginx/sites-available/example.com, /etc/nginx/sites-available/default was modified.
What am I doing wrong?
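An added check, not part of the original question: certbot's nginx plugin edits the server block whose server_name matches the -d domain, so the usual reason the default site gets modified is that the site file never declares that name. This script lists the server_name entries of a site file and tests a domain against them (exact names and leading-wildcard names); the file path and domain are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original question. Run it against the site
# file before "certbot --nginx -d <domain>": if the domain matches no
# server_name here, certbot has no block of yours to edit.

# server_names <conf>: prints every name declared by server_name directives,
# one per line; comments are stripped and multi-name directives are split.
server_names() {
    sed -e 's/#.*$//' "$1" |
    awk '$1 == "server_name" { for (i = 2; i <= NF; i++) { n = $i; sub(/;$/, "", n); if (n != "") print n } }'
}

# domain_matches <conf> <domain>: status 0 if the domain equals a declared
# name or fits a *.suffix wildcard (*.example.com matches www.example.com).
# Runs in a subshell so "set -f" (no globbing of '*' names) stays local.
domain_matches() (
    set -f
    conf=$1 domain=$2
    for name in $(server_names "$conf"); do
        case "$name" in
            "$domain") exit 0 ;;
            \*.*) [ "${domain#*.}" = "${name#\*.}" ] && exit 0 ;;
        esac
    done
    exit 1
)

# Usage: check-server-name.sh /etc/nginx/sites-available/example.com example.com
if [ $# -eq 2 ]; then
    if domain_matches "$1" "$2"; then
        echo "$2 is declared in $1; certbot will edit this file"
    else
        echo "$2 is not a server_name in $1 (found: $(server_names "$1" | tr '\n' ' '))" >&2
        exit 1
    fi
fi
```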
I am following this guide to install certbot and create ssl cert.
But when I run wget https://dl.eff.org/certbot-auto, error shows:
--2021-07-09 02:16:27-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)... xxx.xxx.xx.xxx, xxxx:xxxx:xx::xxx
Connecting to dl.eff.org (dl.eff.org)|xxx.xxx.xx.xxx|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-07-09 02:16:27 ERROR 404: Not Found.
How to solve it?
I just came across this page:
https://certbot.eff.org/docs/install.html#certbot-auto
We used to have a shell script named certbot-auto to help people install Certbot on UNIX operating systems, however, this script is no longer supported. If you want to uninstall certbot-auto, you can follow our instructions here.
From https://certbot.eff.org/docs/install.html#certbot-auto
The certbot-auto script "is no longer supported."
SOLUTION:
Follow the instructions here:
https://certbot.eff.org/
Example of SOLUTION on Ubuntu:
Certbot + Nginx:
Install snapd
sudo apt update
sudo apt install snapd
Execute the following instructions on the command line on the machine to ensure that you have the latest version of snapd.
sudo snap install core; sudo snap refresh core
Remove certbot-auto and any Certbot OS packages
If you have any Certbot packages installed using an OS package manager like apt, dnf, or yum, you should remove them before installing the Certbot snap to ensure that when you run the command certbot the snap is used rather than the installation from your OS package manager. The exact command to do this depends on your OS, but common examples are sudo apt-get remove certbot, sudo dnf remove certbot, or sudo yum remove certbot.
If you previously used Certbot through the certbot-auto script, you should also remove its installation by following the instructions here.
Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
Prepare the Certbot command
Execute the following instruction on the command line on the machine to ensure that the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Choose how you'd like to run Certbot
Either get and install your certificates...
Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Or, just get a certificate
If you're feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx
Test automatic renewal
The Certbot packages on your system come with a cron job or systemd timer that will renew your certificates automatically before they expire. You will not need to run Certbot again, unless you change your configuration.
You can test automatic renewal for your certificates by running this command:
sudo certbot renew --dry-run
If that command completes without errors, your certificates will renew automatically in the background.
Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar.
It works! Enjoy, and donate to Certbot and EFF.
I have installed the latest version of nginx. It is installed successfully.
But I get an error while typing the command below.
sudo ufw allow 'Nginx Full'
Error: ERROR: Could not find a profile matching 'Nginx Full'
sudo ufw app list
showing only
Available applications:
OpenSSH
How do I add the applications below?
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
I have installed the nginx server two times.
Error:ERROR: Could not find a profile matching 'Nginx Full'
Ubuntu (18.04)
You can see which apps are available by running this command:
ufw app list
Ports:
HTTP - 80
HTTPS - 443
Simple way to add them to UFW:
ufw allow 80,443/tcp
If you want to accomplish this via an application profile, you will need to create the application ini file within /etc/ufw/applications.d
Example:
vi /etc/ufw/applications.d/nginx.ini
Place this inside file
[Nginx HTTP]
title=Web Server
description=Enable NGINX HTTP traffic
ports=80/tcp
[Nginx HTTPS]
title=Web Server (HTTPS)
description=Enable NGINX HTTPS traffic
ports=443/tcp
[Nginx Full]
title=Web Server (HTTP,HTTPS)
description=Enable NGINX HTTP and HTTPS traffic
ports=80,443/tcp
Then type these commands
ufw app update nginx
ufw app info 'Nginx HTTP'
ufw allow 'Nginx HTTP'
I had the same problem... it turned out Nginx was not installed for some reason.
So it showed only OpenSSH when doing
sudo ufw app list
I got to this when I tried to uninstall Nginx using the command
sudo apt-get remove nginx
The output showed something like this:
Package 'nginx' is not installed, so not removed
Now you have to try installing Nginx again using the commands
sudo apt update
sudo apt install nginx
sudo ufw app list
Now the options will be available
// Check to see
Available applications:
Nginx Full
Nginx HTTP
Nginx HTTPS
OpenSSH
Now allow HTTP port using the command:
sudo ufw allow 'Nginx HTTP'
And finally run this command:
sudo ufw enable
Now hit the URL in the browser; it will show the Nginx default page.
If you get ERROR: Could not find a profile matching 'OpenSSH', then first install ssh with the given command
sudo apt-get install ssh
After installing the package, allow OpenSSH
sudo ufw allow OpenSSH
sudo ufw status
Tested
Happened to me after installing using the official site's instructions for Ubuntu
Simply install like this (after removing it if already installed):
sudo apt-get remove nginx
sudo apt install nginx
I've created and launched my WordPress site on AWS using EC2. I followed this tutorial to create the site. It's currently mapped to a domain using Route 53. All development on the site is done online in my instance.
I would now like to install an SSL Certificate on my site. How would I do so?
If you created WordPress on AWS using "Bitnami",
you may ssh to your instance and run:
sudo /opt/bitnami/bncert-tool
See bitnami docs for details
If you're looking for an easy and free solution, try https://letsencrypt.org/. They have an easy-to-follow doc for anyone.
TLDR; Head to https://certbot.eff.org/, choose your OS and server type and they will give you 4-5 line installation to install certificate automatically.
Before attempting, make sure your domain name is correctly pointed to your EC2 using Route53 or Elastic IP.
For example, here's all you need to run to automatically get and install SSL on an Ubuntu EC2 running nginx:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx
Best of luck!
This tutorial provides a simple 3-step guide to setting up your WordPress on AWS using LetsEncrypt / Certbot:
https://blog.brainycheetah.com/index.php/2018/11/02/wordpress-switching-to-https-ssl-hosted-on-aws/
Step 1: Get SSL certificate
Step 2: Configure redirects
Step 3: Update firewall
At each stage replace 'example.com' with your own site address.
Install certbot:
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache
Create certificates:
$ sudo certbot --apache -m admin@example.com -d example.com -d www.example.com
To configure redirects, first open the wp-config file:
$ sudo vim /var/www/html/example.com/wp-config.php
Insert the following above the "stop editing" comment line:
// HTTPS configuration
define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');
define('FORCE_SSL_ADMIN', true);
And finally, update firewall via the AWS console:
Log in to your AWS control panel for your EC2 / Lightsail instance
Select the Networking tab
Within the Firewall section, just below the table, select Add another
Custom and TCP should be pre-populated within the first two fields by default; leave these as they are
Within the Port range field enter 443
Select Save
Then just reload your apache config:
sudo service apache2 reload
And you should be good to go.
According to the tutorial, since you have configured only an EC2 instance, the direct approach is to purchase an SSL certificate and install it into the Apache server. For detailed steps, follow the tutorial
How to Add SSL and HTTPS in WordPress.
If you plan to use AWS Certificate Manager issued free SSL certificates, then it requires you to configure either an Elastic Load Balancer or the CDN CloudFront. This can get complicated if you are new to AWS. If you plan to give it a try with AWS CloudFront, follow the steps in How To Use Your Own Secure Domain with CloudFront.
Using CloudFront also provides a boost in performance since it caches your content and reduces the load on your EC2 instance. However, one of the challenges you will face is avoiding mixed-content issues. There are WordPress plugins that are capable of resolving mixed-content issues, so do try them out.
This is how I enabled SSL on my WordPress website.
I have used Let's Encrypt X.509 certificates. Let's Encrypt is a certificate authority that provides X.509 certificates in an automated fashion for free. You can find more information on the Let's Encrypt website.
Steps to follow:
SSH into the instance and switch to root.
Download Certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Run certbot to fetch the certificates
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d "your-domain-name"
A wizard will be launched asking you to select options for Apache, WebRoot, and Standalone. Select the WebRoot option and continue. Note the directory of your domain.
Usually /var/www/html will be the directory for your domain. After success you will have three certificate files in the following paths
Certificate: /etc/letsencrypt/live/<<<"Domain-Name">>>/cert.pem
Full Chain: /etc/letsencrypt/live/<<<"Domain-Name">>>/fullchain.pem
Private Key: /etc/letsencrypt/live/<<<"Domain-Name">>>/privkey.pem
Copy the pem file paths to /etc/httpd/conf.d/ssl.conf. Then restart Apache:
service httpd restart
And finally, I enabled the Really Simple SSL plugin in WordPress. That's it!