Background
No one will deny the importance of HTTPS for securing the data exchanged between client and server. In the past, however, when HTTPS was not yet common on the Internet, we developers suffered from the registration cost of a certificate and the complicated setup of the Apache server. One of our clients, although they did not specifically request it, needs HTTPS at all times on their official web site.
Solutions
Nowadays the steps to complete the HTTPS setup are not difficult. Here is my system setup.
- A LAMP docker image (mattrayner/lamp:latest-1804, https://hub.docker.com/r/mattrayner/lamp) which is already set up and working in production.
- Amazon Lightsail for hosting
- A valid hostname registered with the hosting service, with full control of the domain name through the domain name panel
Steps
1. Register the SSL certificate (free) with Let's Encrypt (https://letsencrypt.org/) through the Lightsail web terminal or any other way you have of accessing the virtual server. Install software-properties-common and certbot accordingly (for details refer to https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress)
2. Put the domain name and the wildcard in environment variables ($DOMAIN and $WILDCARD), then use certbot to request the new certificate from Let's Encrypt.
3. Use the following command to start certbot in interactive mode and follow the instructions to complete the registration.
sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly
Note: There is a step where Let's Encrypt verifies ownership of the domain, and you as the domain owner need to add a TXT DNS record to complete the challenge. I got stuck at this as I wrongly followed Let's Encrypt's unclear instructions. The TXT record you are asked to fill in on your DNS panel is _acme-challenge.example.com with a long string as its value, but I wrongly put the whole address in the table below, which caused the challenge to fail. Only the first part, "_acme-challenge", is needed in the name field, since .goldenthumb.com.hk is already appended for you by the DNS panel, so there is NO NEED to put the whole address in the name field of the DNS record panel.
4. Complete the challenges in the interactive shell and your certificate will be issued. Note down the directory in which the certificate files are stored.
5. Update the volumes configuration in the docker-compose file so that the certificate files are mapped into the docker container; they will be used as the HTTPS certificate afterwards. At the same time, add a 443:443 port mapping in the ports configuration so that HTTPS can function correctly.
6. You can also map the path /etc/apache2/sites-available to a local directory for easy access when configuring the Apache web server settings.
7. Update 000-default.conf to read the certificate files from step 5; a sample file is as follows:
https://drive.google.com/file/d/1usQ9kHb38SyCxW8oqYT1fMAja1_Xj54S/view
The sample configuration includes pointing to the certificate files, setting up a virtual host on port 443, and permanently redirecting all non-HTTPS requests to the HTTPS URL.
8. Update the docker-compose file again: add a build configuration and remove the image configuration, because we are adding custom commands / scripts through a new Dockerfile.
9. Create a new Dockerfile based on the LAMP image (mattrayner/lamp:latest-1804) and add the following custom commands to it:
- a2enmod ssl
- service apache2 restart
10. Navigate to the Lightsail management panel and open inbound port 443, used by HTTPS.
11. Stop the running containers, rebuild them and bring them up again; your server is now protected by HTTPS.
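The linked sample file from step 7 is not reproduced on this page, so here is an added example (my own, not the author's sample) of a 000-default.conf with the three parts described above: the certificate paths, a virtual host on port 443, and a permanent redirect of plain HTTP. It assumes the domain is example.com, that the certbot output directory /etc/letsencrypt/live/example.com/ is the one mounted into the container in step 5, and that the site's DocumentRoot is /app.

```apache
# Added example, not the post's linked file. Assumptions: domain example.com,
# certificate directory /etc/letsencrypt/live/example.com/ (use the directory
# you noted in step 4), DocumentRoot /app.

# Port 80: answer every request with a permanent (301) redirect to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # Redirect keeps the requested path, so deep links still resolve
    Redirect permanent "/" "https://example.com/"
</VirtualHost>

# Port 443: the real site, served over TLS with the Let's Encrypt files.
# Requires mod_ssl (a2enmod ssl, as in the Dockerfile in step 9).
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /app

    SSLEngine on
    # fullchain.pem holds the leaf certificate plus the intermediate(s);
    # pointing SSLCertificateFile at cert.pem alone breaks chain validation
    # for clients that do not already trust the intermediate
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Only current protocol versions; SSLv3, TLS 1.0 and 1.1 are disabled
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # HSTS: browsers remember to use HTTPS for this host for one year.
    # Only applied when mod_headers is loaded (a2enmod headers).
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

Run `apachectl configtest` inside the container before step 11 to catch a wrong certificate path or a missing module, and check the served chain from outside with `openssl s_client -connect example.com:443 -servername example.com`.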
Certificate Renewal
1. Run "/usr/bin/certbot renew >> /var/log/certbot"
2. Reply in the interactive terminal: provide an email, agree to the terms, etc.
3. Add the DNS TXT record for the challenge
4. Create a file to accept the second challenge
5. Restart the web server
Congratulations, the certificate is renewed.
References
- Using Multiple SSL Certificates in Apache with One IP Address
- Apache Redirect to HTTPS
- Tutorial: Using Let’s Encrypt SSL certificates with your WordPress instance in Amazon Lightsail