Securing Ghost with SSL and Amazon Lightsail Bitnami Apps
The advent of Amazon Lightsail makes it even easier to spin up low-cost EC2 instances, which can be pre-configured with a range of images such as NodeJS. CodeAgainTomorrow provides a tutorial for getting set up with Ghost, which is ideal for a blog. Securing your instance with SSL is essential for a number of security and SEO reasons; configuring SSL can be hard, but it doesn't have to be.
Prerequisites
The following assumptions will be made:
- You have acquired an SSL certificate from a vendor
- You selected the Bitnami NodeJS image for your Lightsail instance
- You own a domain name and you have set up DNS to point to your instance
- You have set up your Ghost blog
Generating a CSR
Bitnami's Apache2 configuration comes with a self-signed certificate pre-installed, which means the bitnami.conf file only requires light modification. To swap the self-signed cert for a trusted one, first you will need to generate a Certificate Signing Request (CSR).
1. Navigate to the Apache2 configuration
SSH into your Lightsail instance and navigate to the conf directory:
cd /opt/bitnami/apache2/conf
This directory will already be populated with the self-signed server.key and server.crt.
2. Create request
Next, a CSR and key must be generated. To avoid confusion it's recommended to use the domain name for the CSR/key file names. Modify and run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout domain-name.key -out domain-name.csr
When prompted, enter information about the company and domain. Please note: the United Kingdom must use the 'GB' country code.
3. Copy the CSR
A new CSR and key will be generated. Open the CSR and copy the entire contents:
cat domain-name.csr
Verification
Paste the CSR into the SSL vendor's control panel. The certificate issuer will need to verify the owner of the domain; there are generally three ways to do this:
- Provide an accessible domain email address.
- Create a unique DNS CNAME.
- Upload a unique public facing asset to the server.
Choose the appropriate method and follow the vendor's instructions; it can take up to one hour to be verified.
Upload signing materials
Once the SSL vendor has verified that you own the domain, a set of signing materials will be available to download. Depending on the vendor the format can vary:
- domain.crt
- domain.ca-bundle (dependent on vendor)
Either SCP these files into /opt/bitnami/apache2/conf, or touch the files and paste in the contents of the signing materials. For consistency it's recommended to use the domain when naming these files.
cd /opt/bitnami/apache2/conf
touch domain.crt
vim domain.crt
Make certs available
To start using the new signing materials the bitnami.conf file needs updating. Open the configuration for editing:
vim /opt/bitnami/apache2/conf/bitnami/bitnami.conf
Search for the following lines:
<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/domain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/domain.key"
- SSLCertificateFile: replace with the path to the newly added domain.crt
- SSLCertificateKeyFile: replace with the path to the domain.key that you generated in the initial CSR request
Additionally, if a domain.ca-bundle was provided in the signing materials, include this line for Apache2:
SSLCertificateChainFile "/opt/bitnami/apache2/conf/domain.ca-bundle"
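Before pointing Apache at the new files it is worth confirming that domain.crt, domain.key and domain.ca-bundle actually belong together, since a key that does not match the certificate (or a bundle for the wrong CA) is the usual reason the restart later fails. The following check is an added example, not part of the original tutorial; it assumes openssl is on the PATH and takes the three file paths as arguments.

```sh
#!/bin/sh
# Pre-flight check for the Apache SSL material before restarting the server.
# Usage: check_ssl_material CERT KEY [CA_BUNDLE]
# Returns 0 when everything is consistent, 1 otherwise (reason printed on stderr).
check_ssl_material() {
  cert=$1; key=$2; chain=$3

  # Every file Apache will be told to load must exist and be readable.
  for f in "$cert" "$key" ${chain:+"$chain"}; do
    if [ ! -r "$f" ]; then
      echo "missing or unreadable: $f" >&2; return 1
    fi
  done

  # The certificate must embed the public half of the private key Apache will load.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
    echo "not a readable X.509 certificate: $cert" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
    echo "not a readable private key: $key" >&2; return 1; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate and key do not match (wrong domain.key?)" >&2; return 1
  fi

  # Catch an already-expired certificate before browsers do.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "certificate has expired: $cert" >&2; return 1
  fi

  # If a CA bundle was supplied, the certificate must verify against it.
  if [ -n "$chain" ] && ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "certificate does not verify against bundle: $chain" >&2; return 1
  fi
  return 0
}

# Run directly: ./check-ssl.sh domain.crt domain.key [domain.ca-bundle]
if [ "$#" -ge 2 ]; then
  check_ssl_material "$@" && echo "SSL material OK, safe to restart Apache"
fi
```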
Exclusive use of https
To make exclusive use of https:// on all incoming requests, add the RequestHeader directive to the above block so that Ghost knows the request arrived over HTTPS:
RequestHeader set X-Forwarded-Proto "https"
Restart Apache
For the changes to take effect, Apache must be restarted:
sudo /opt/bitnami/ctlscript.sh restart apache
The CLI will notify you if there were any issues restarting Apache2. Assuming everything is successful, test the domain name over https:// and you should see the padlock confirming you are now serving your Ghost blog over SSL.