Setting up Let’s Encrypt with a Bitnami Ghost image

Jack Weatherilt
4 min read · Jan 2, 2019


Generally: if you’re entering details, you should encrypt the data.

Since Let’s Encrypt was launched in 2016, adding an SSL certificate and maintaining it has been so simple that it’s really a must. Using the EFF’s certbot makes this super easy, and the few issues that arise when using a Bitnami image for your Ghost blog are easily ironed out.

Where this guide should work

I’ve based this guide on my experience setting up SSL for this blog from a Bitnami Ghost image on an AWS EC2 (free-tier) Ubuntu 14.04 server.

I imagine that this will work for any other version of Ubuntu; more important is that you’re using the Bitnami image (since this is what makes using Let’s Encrypt slightly more tricky).

Installing certbot

certbot is the tool that makes setting up and renewing a certificate so much easier. Ubuntu likely comes with a copy of certbot, but since it’s still a new tool and is being actively developed, you may as well grab the latest version from its own package repository:

$ sudo add-apt-repository ppa:certbot/certbot

You’ll be asked whether you accept a few things (which you have to do to use the package repository), so press ENTER when prompted.

Now we’ll want to update the package list, so run:

$ sudo apt-get update

Now we can install certbot using:

$ sudo apt-get install python-certbot-apache

Generating an SSL certificate

This is where the Bitnami image makes things a bit more complicated. It doesn’t use the apache2 package that comes with Ubuntu; it ships its own Apache, with its server root in /opt/bitnami/apache2.

First of all we’ll want to stop our services so that we don’t mess anything up by changing files on a live service.

$ sudo /opt/bitnami/ctlscript.sh stop

We can either have certbot change our Virtual Hosts configuration automatically by passing it a few extra parameters, or, since that can be temperamental, do it manually and ignore what certbot does by default.

Either way, we’re generating a certificate for both the base domain and www.<BASE_DOMAIN>, since visitors are likely to use both.

Option 1: Changing Virtual Host configuration automatically

Remember to replace vegetables.wtf with your own domain name.

$ certbot --apache --apache-server-root '/opt/bitnami/apache2' --apache-vhost-root '/opt/bitnami/apps/ghost/conf' --apache-le-vhost-ext '-vhosts.conf' -d vegetables.wtf -d www.vegetables.wtf

You’ll be asked to fill in an emergency contact email and choose whether you want to force SSL.

Now check your virtual host configuration is correct.

$ less /opt/bitnami/apps/ghost/conf/httpd-vhosts.conf

This should show your virtual hosts configuration with your Let’s Encrypt keys referenced something like this:

...
<VirtualHost *:443>
...
SSLCertificateFile "/etc/letsencrypt/live/vegetables.wtf/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/vegetables.wtf/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/vegetables.wtf/fullchain.pem"
...
</VirtualHost>

If it does, then you’re done configuring this file (but there’s still a little bit left).

Option 2: Configuring the Virtual Hosts manually

If the above didn’t work, and certbot couldn’t find your vhosts file or it wasn’t updated with your keys, then we can just change these values manually.

If certbot failed, just run:

$ certbot --apache -d vegetables.wtf -d www.vegetables.wtf

certbot prints the locations of the certificate and key just before it exits. They should be under /etc/letsencrypt/live/vegetables.wtf/.

Now simply edit your vhosts file using a text editor like Nano or Vim:

$ nano /opt/bitnami/apps/ghost/conf/httpd-vhosts.conf

Add in the lines pointing to your certificates, the same ones certbot would have added. Again, replace vegetables.wtf with your own domain.

...
<VirtualHost *:443>
...
SSLCertificateFile "/etc/letsencrypt/live/vegetables.wtf/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/vegetables.wtf/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/vegetables.wtf/fullchain.pem"
...
</VirtualHost>

That should be done! Now all that’s left is getting Bitnami to recognise the certificates too.

Get Bitnami’s Apache to register the certificates

We’re going to be editing /opt/bitnami/apache2/conf/bitnami/bitnami.conf, so open up your editor again to do this.

$ nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf

We’re going to be adding the same lines in again, so your configuration file should look something like this:

...
<VirtualHost _default_:443>
...
SSLCertificateFile "/etc/letsencrypt/live/vegetables.wtf/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/vegetables.wtf/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/vegetables.wtf/fullchain.pem"
...
</VirtualHost>

Save and quit, and you’ve now got a valid SSL certificate for your site for the next 3 months.

Time to start your services again, so run:

$ sudo /opt/bitnami/ctlscript.sh restart

If everything looks like it’s up and running try it out by going to https://yoursite.com.
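An added check script (my addition, not part of the original post): it confirms that both files edited above reference the certbot files for your domain, that those files are readable, and that Apache accepts its configuration, then reports how long the certificate has left. It assumes the Bitnami paths used in this guide and that you save it as check-ghost-cert.sh (a hypothetical name).

```shell
#!/bin/sh
# Added check script, not from the original post. Assumes the Bitnami layout
# used above and certbot's /etc/letsencrypt/live/DOMAIN/ directory.
# Print the quoted path from each SSLCertificate* directive in a config file.
vhost_cert_paths() {
    grep -E '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$1" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/'
}
# Succeed only if the config has all three directives and every path is
# inside /etc/letsencrypt/live/DOMAIN/ (a stale path here is the usual
# reason the site still serves the old self-signed Bitnami certificate).
check_cert_paths() {
    conf=$1; domain=$2
    paths=$(vhost_cert_paths "$conf" 2>/dev/null) || paths=""
    [ "$(printf '%s\n' "$paths" | grep -c .)" -eq 3 ] || return 1
    printf '%s\n' "$paths" | grep -qv "^/etc/letsencrypt/live/$domain/" && return 1
    return 0
}
# Days until the certificate in $1 expires (GNU date, as on Ubuntu).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || return 1
    end_s=$(date -d "$end" +%s) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}
main() {
    domain=${1:?usage: $0 DOMAIN}
    live=/etc/letsencrypt/live/$domain
    rc=0
    for f in "$live/cert.pem" "$live/privkey.pem" "$live/fullchain.pem"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    for conf in /opt/bitnami/apps/ghost/conf/httpd-vhosts.conf \
                /opt/bitnami/apache2/conf/bitnami/bitnami.conf; do
        if check_cert_paths "$conf" "$domain"; then echo "ok: $conf"
        else echo "FAIL: $conf does not point at $live"; rc=1; fi
    done
    # Let Apache validate the files before you restart it.
    /opt/bitnami/apache2/bin/apachectl -t || rc=1
    [ "$rc" -eq 0 ] && echo "cert.pem expires in $(cert_days_left "$live/cert.pem") days"
    return "$rc"
}
# Run main only when executed as a script, so the functions can also be sourced.
[ "${0##*/}" = "check-ghost-cert.sh" ] && main "$@"
```

Run it as `sudo sh check-ghost-cert.sh vegetables.wtf` (with your own domain) either before or after the restart; a non-zero exit means one of the checks failed.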

Set up auto-renewal

Since the certificate expires after 3 months, and we’re all lazy/efficient, you’ll almost definitely want to set up auto-renewal.

We’ll use crontab to run a renewal process every day at 3:15 am.

$ sudo crontab -e

Choose an editor and it will open up the editor. Paste this at the end of the file:

15 3 * * * /usr/bin/certbot renew --quiet

This means that certbot will run the renew command at 3:15 every day in quiet mode, so that there’s no output.

Save and quit, and now you’ll hopefully never have to manage your SSL certificates for this site again.

Redirecting users to HTTPS from HTTP

This is super simple, and worth it, since otherwise users will be served over plain HTTP when they type your domain into their browsers.

It is a redirect, so the first request will be slightly slower, but the delay isn’t noticeable, so don’t worry too much.

Open up /opt/bitnami/apps/ghost/conf/httpd-prefix.conf, and, at the top, paste:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

Restart your Apache server again so the change takes effect.

$ sudo /opt/bitnami/ctlscript.sh restart

That’s it! Now try going to http://yoursite.com and hopefully you’ll be redirected to a secure connection.

If you’re troubleshooting, try:

Also thanks to Erika Heidi and Sven Seiler for those guides, since they helped me set up my server and write this guide!

This post was originally posted on my blog on August 20th, 2017.
