Securing Ghost with SSL and Amazon Lightsail Bitnami Apps

The advent of Amazon Lightsail makes it even easier to spin up low cost EC2 instances, these can be pre-configured with a range of images such as NodeJS. CodeAgainTomorrow provides a tutorial to get setup with Ghost, ideal for a blog. Securing your instance with SSL is essential for a number of security and SEO reasons, configuring SSL can be hard, but it doesn't have to be.

Prerequisites

The following assumptions will be made:

Generating a CSR

Bitnami's Apache2 configuration comes with a self signed certificate pre-installed, which means the bitnami.conf only requires light modification. In order to swap the self signed cert for a trusted one, first you will need to generate a Certificate Signing Request (CSR)

1. Navigate to the apache2 configuration

SSH into your Lightsail instance and navigate to the conf directory:

cd /opt/bitnami/apache2/conf  

This directory will already be populated with the self signed server.key, sever.crt.

2. Create request

Next a CSR and key must be generated. To avoid confusion it's recommended to use the domain name for csr/key. Modify and run the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout domain-name.key -out domain-name.csr  

When prompted enter information about the company and domain. Please note: United Kingdom region must use the 'GB' country code.

3. Copy the CSR

A new CSR and key will be generated, open the CSR and copy the entire contents:

cat domain-name.csr  

Verification

Paste the CSR into the SSL vendors control panel. The certificate issuer will need to verify the owner of the domain, there are generally 3 ways to do this:

  • Provide an accessible domain email address.
  • Create a unique DNS CNAME.
  • Upload a unique public facing asset to the server.

Choose the appropriate method and follow the vendors instructions, it can take up to one hour to be verified.

Upload signing materials

Once the SSL vendor has verified that you own the domain a set of signing materials will be available to download. Depending on the vendor the format can vary:

  • domain.crt
  • domain.ca-bundle (dependent on vendor)

Either SCP these files into /opt/bitnami/apache2/conf or touch the files and copy paste the contents of the signing materials, for consistency it's recommended to use the domain when naming these files.

cd /opt/bitnami/apache2/conf  
touch domain.crt  
vim domain.crt  

Make certs available

To start using the new signing materials the bitnami.conf needs updating, open the configuration for editing:

vim /opt/bitnami/apache2/conf/bitnami/bitnami.conf  

Search for the following lines:

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/domain.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/domain.key"
  • SSLCertificateFile: replace with the newly added domain.crt
  • SSLCertificateKeyFile: replace with the domain.key that you generated in the initial CSR request

Additionally if a domain.ca-bundle was provided in the signing materials include this line for Apache2:

SSLCertificateChainFile "/opt/bitnami/apache2/conf/domain.ca-bundle"  

Exclusive use of https

In order to make exclusive use of https:// on all incoming requests, include the RequestHeader directive into the above block:

RequestHeader set X-Forwarded-Proto "https"  

Restart Apache

For the changes to take effect, Apache must be restarted:

sudo /opt/bitnami/ctlscript.sh restart apache  

The CLI will notify you if there were any issues restarting Apache2, assuming everything is successful, test out the domain name on https:// and you should get the padlock confirming you are now serving your ghost blog over SSL.