Enable SSL on a Bitnami AMI running on EC2

This July, Google Chrome will start marking websites loaded over HTTP as 'not secure'. This blog was originally set up using the Bitnami Ghost AMI on an AWS EC2 instance, and this post details the steps required to encrypt its traffic with SSL/TLS. The certificate authority I used was letsencrypt.org, a free Certificate Authority that issues SSL certificates.

Step 1:
In your EC2 dashboard, go to Security Groups (under Network & Security). Select the security group used for your Bitnami instance and select the 'Inbound' tab. Click the 'Edit' button and open port 443 (HTTPS) to all traffic.


Step 2:
SSH into your Bitnami instance and install the certbot client.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-apache

Step 3:
If your Apache server is running, stop it first.

$ sudo /opt/bitnami/ctlscript.sh stop apache

Step 4:
Request a new certificate for your domain, replacing DOMAIN with your actual domain name, and the APPNAME placeholder with the path to your application (in my case DOMAIN was 'www.excusethedisruption.com' and APPNAME was 'ghost').

$ sudo certbot certonly --webroot -w /opt/bitnami/apps/APPNAME/htdocs/ -d DOMAIN

You will be asked a few questions and to accept the terms. If successful, you'll see a message indicating where your certificates were placed. For me this was the /etc/letsencrypt/live/DOMAIN directory.

Step 5:
Install the certificates. You should first back up the existing (self-signed) certificate and key that ship with the AMI.

$ sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.backup

$ sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.backup

Then link your new certificates.

$ sudo ln -s /etc/letsencrypt/live/DOMAIN/fullchain.pem /opt/bitnami/apache2/conf/server.crt

$ sudo ln -s /etc/letsencrypt/live/DOMAIN/privkey.pem /opt/bitnami/apache2/conf/server.key

Lastly, update the ownership and permissions so the certificate and private key are readable by the root user only.

$ sudo chown root:root /opt/bitnami/apache2/conf/server*
$ sudo chmod 600 /opt/bitnami/apache2/conf/server*

Step 6:
Restart your server.

$ sudo /opt/bitnami/ctlscript.sh restart apache

For me this caused the error (98)Address already in use: AH00072, indicating Apache wasn't shut down properly. If this happens, you can kill any processes still using port 80 with sudo kill -9 $(sudo lsof -t -i:80). Then re-run the restart apache command above and you should be good to go.

At this point you should be able to load your website over https://.

Step 7:
Force HTTPS redirection.
Open /opt/bitnami/apps/APPNAME/conf/httpd-prefix.conf in a text editor and add the following rules, which send any request that did not arrive over HTTPS to the same path on https://.

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,NE,R=301]

While you're here, you can also add a rule to redirect bare-domain requests to www. if you'd like.

RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=301]

Explanation of rewrite flags

Then restart your server.

$ sudo /opt/bitnami/ctlscript.sh restart apache

Step 8:
Enable auto-renewal. Run the following command to verify the renewal will succeed.

$ sudo certbot renew --apache --dry-run

Install a new crontab entry that runs every day at 1:15am to check for renewal. Two details of the post-hook: the $(...) is escaped so that the shell running the cron job does not expand it at launch time (when Apache is still up) but leaves it for the hook to evaluate after Apache has been stopped, and ';' rather than '&&' follows the kill so that Apache is started again even when nothing was left listening on port 80 and the kill had nothing to do. Errors are appended to the same log as the normal output.

$ sudo crontab -e
15 1 * * * sudo certbot renew --apache --pre-hook "sudo /opt/bitnami/ctlscript.sh stop apache" --post-hook "sudo kill -9 \$(sudo lsof -t -i:80); sudo /opt/bitnami/ctlscript.sh start apache" >> /var/log/letsencrypt/renew.log 2>&1
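As a check that Steps 7 and 8 actually took effect, here is a small verification script (an added example, not part of the original post or of certbot): it confirms that a plain-HTTP request is answered with a 301 to the HTTPS URL for the same path, and reports how many days remain before the served certificate expires, flagging it when inside the renewal window. The hostname is the post's own domain and the 30-day threshold is an assumption about certbot's default.

```python
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit

RENEW_DAYS = 30  # assumed threshold: certbot renews inside the last 30 days

def check_redirect(status, headers, path, host):
    """True if the plain-HTTP reply is a 301 to the HTTPS copy of the same path.
    The first rule in Step 7 sends http://HOST/path to https://HOST/path; the
    optional www. rule then fires on the HTTPS request, so either host is valid."""
    if status != 301:
        return False
    location = {k.lower(): v for k, v in headers}.get("location", "")
    url = urlsplit(location)
    return (url.scheme == "https"
            and url.netloc in (host, "www." + host)
            and url.path == path)

def expiry_seconds(not_after):
    """Epoch seconds for a 'notAfter' string as returned by getpeercert()."""
    return ssl.cert_time_to_seconds(not_after)

def days_until_expiry(not_after, now_seconds):
    return (expiry_seconds(not_after) - now_seconds) // 86400

def needs_renewal(not_after, now_seconds, threshold=RENEW_DAYS):
    return days_until_expiry(not_after, now_seconds) < threshold

def fetch_http_redirect(host, path="/"):
    """Issue a plain HTTP request (port 80) and return (status, header list)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    return resp.status, resp.getheaders()

def fetch_not_after(host):
    """TLS handshake with chain and hostname verification; return notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    host = "www.excusethedisruption.com"  # the post's domain; change to yours
    status, headers = fetch_http_redirect(host, "/")
    print("HTTP -> HTTPS redirect ok:", check_redirect(status, headers, "/", host))
    not_after = fetch_not_after(host)
    print("days until expiry:", days_until_expiry(not_after, time.time()),
          "renewal due:", needs_renewal(not_after, time.time()))
```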

Congrats! Your site is now served over HTTPS.
