LetsEncrypt – Live Learning Notes

Hiya! Continuing from my last post on NginX + uWSGI, today it is time to take my test project from http to https. The tool I am going to use is, obviously, Let’s Encrypt. So, let’s get started.

So far I know that we can use Let’s Encrypt to provide SSL/TLS encryption on our standard http connection, and that we can combine this with the NginX config so that all https traffic goes to the right target. But I don’t know how to do that yet. Let’s just read something introductory first.

I am reading through their official docs: #1 https://letsencrypt.org/getting-started/

Alright, so Let’s Encrypt is not a tool but a Certificate Authority (CA). Interesting! I have shell access to my EC2 instance, so they recommend using Certbot, an Automated Certificate Management Environment (ACME) client. Let’s read a bit about Certbot then. #2 https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx

Oh man! That was too fast. I didn’t follow the tutorial to set up certbot yet, as I want to read more about it first. #3 https://certbot.eff.org/docs/install.html

What I did is as follows. After SSHing into my EC2 instance, which runs Ubuntu 20.04 (this might be the hard way -_- but still):

sudo apt update
sudo apt upgrade
sudo apt install certbot
sudo apt install python3-certbot-nginx
sudo su
certbot --nginx 

It asked for an email and policy confirmation, and finally it asked for the domain. I entered the default public DNS name provided by EC2, and certbot rejected that domain, stating that the ACME server refuses it because issuing for that name is forbidden by their policy. :shrug:

Gotcha! And yes, now I understand why certbot refuses the domain: #4 https://community.letsencrypt.org/t/policy-forbids-issuing-for-name-on-amazon-ec2-domain/12692

Now, what should I do? Get a free domain and try again, drop the idea of SSL, or something else? :me_thinking:

I decided to go for a free domain and then go ahead with making the site https. I have made some DNS changes, which will take around 15 mins to take effect, and I am writing here meanwhile XD

I simply created a .tk domain “FREE of cost” from freenom.com and created just an “A” record pointing to my EC2 public IP (just for testing/learning purposes; otherwise this is not recommended for professional use at all, as every time you reboot your EC2 instance that public IP changes). For professional scenarios use a dedicated Elastic IP from EC2 instead.

20 mins later

The domain is not active so far 😦 And see #5 https://my.freenom.com/knowledgebase.php?action=displayarticle&id=15: it says 72 HOURS :0. I certainly can’t wait that long. Since there is a possibility that I tweaked something wrong while adding the DNS entries, I am removing all DNS records and creating a simple URL forward to my EC2 public domain.

40 mins later

No luck. I don’t know why this free domain isn’t responding in any way. I have changed more settings and it will again take some time. I am going to learn “Ansible” in the meantime; you can follow that in the next post. Once this free domain starts working, I’ll jump back here. But what I understood is that once you have a legitimate domain name, running the command certbot --nginx will take care of your NginX configuration such that all http traffic is forwarded to https by default. So there is not much to do after that. I am leaving the post here 🙂

4 days later

Just wow! The free domain is working now. I think it really took those 72 hrs. Anyway, now that the domain is up, I am also up for setting up https. I ran:

certbot --nginx --domain <your-domain-not-mine>

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <your-domain-not-mine>
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://<your-domain-not-mine>

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=<your-domain-not-mine>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain-not-mine>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain-not-mine>/privkey.pem
   Your cert will expire on <a-date>. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And that’s it; as expected, it took care of my nginx configs. All traffic, even plain http, is now being redirected to https 🙂

Now I just need to change more of the Nginx configuration so that this https traffic reaches the uWSGI of my DRF project. So far, the previous config of my custom site, /etc/nginx/sites-available/test-project, is listening on port 80. Following are the changes I also made to /etc/nginx/sites-available/test-project:

Changed the listen port to 443
Changed server_name to <domain-name>
Put in the ssl on directive
Also added directives like ssl_certificate, ssl_certificate_key, and ssl_dhparam, whose values are easily available from /etc/nginx/sites-enabled/default (only if you let certbot change your nginx default config)
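The changes listed above, and the http-to-https redirect that certbot wrote into the default site, are shown together here as one complete site file. This is an added example, not the author’s actual config or anything certbot generated; it assumes the domain example.test, a uWSGI socket at /run/test-project.sock, and the /etc/letsencrypt/ paths that certbot’s nginx plugin normally writes on Ubuntu (check your own sites-enabled/default for the exact lines). It uses listen 443 ssl instead of the separate ssl on directive mentioned in the notes, because nginx deprecated ssl on in 1.15.0, and adds an HSTS header, which the notes do not mention, so that browsers keep using https for the host.

```nginx
# Added example: /etc/nginx/sites-available/test-project rewritten for https.
# Assumed values: domain example.test, uWSGI socket /run/test-project.sock,
# certbot-managed paths under /etc/letsencrypt/.

# Port 80: certbot's "Redirect" option adds a block like this to the default
# site; the custom site needs the same so plain http never serves the app.
server {
    listen 80;
    listen [::]:80;
    server_name example.test;
    return 301 https://$host$request_uri;
}

server {
    # "listen 443 ssl" replaces the older "ssl on;" directive (deprecated in 1.15.0).
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.test;

    # Certificate chain and private key, at the paths certbot printed above.
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;

    # Protocol/cipher settings and DH parameters that certbot's nginx plugin
    # installs; copy the lines from sites-enabled/default if yours differ.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Tell browsers to use https only for this host for one year (HSTS);
    # this is an addition beyond the notes, enable it once https is known to work.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Hand requests to the uWSGI app from the previous post (assumed socket path).
    location / {
        include uwsgi_params;
        uwsgi_pass unix:/run/test-project.sock;
    }
}
```

Enable the site with a symlink from sites-available into sites-enabled, run nginx -t before systemctl reload nginx so a typo in the TLS directives cannot take the server down, and then use the SSL Labs link that certbot printed to confirm the chain and the redirect. Because the private key is only readable by root, the uWSGI process itself never needs access to /etc/letsencrypt/; nginx terminates TLS and talks to the app over the local socket. Running certbot renew --dry-run once verifies that the http-01 challenge still works through this config, since the redirect must not break the /.well-known/acme-challenge/ path that renewals depend on.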

Done! Thank you!
