Adding SSL security to the sub-domains on the AWS Bitnami server

As outlined in the previous articles, I now have WebAgent running with multiple sub-domains on the Bitnami AWS server. However, for security and privacy reasons, like most web-based applications, WebAgent should be using HTTPS (SSL/TLS).

Kudos to Bitnami and Let’s Encrypt for making this relatively easy to do.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). [read more]

The Bitnami HTTPS Configuration Tool is used to configure HTTPS certificates for the domains on the server. The tool is run from a terminal session/command line and can be found in the /opt/bitnami folder.

In my case, I have “aws.webagentnavigator.com” as the default server name and “demo.webagentnavigator.com” and “phone.webagentnavigator.com” as application domains. We can create certificates for all of these domain names and schedule automatic certificate renewal with the Bitnami tool.

Step 1 - Open a terminal session

Using the WebAgent_ssh.command script I created to open a terminal session, I “SSH” (Secure Shell) into the Bitnami server.

ssh -i ~/.ssh/keypair.pem bitnami@ec2-x-xxx-xx-xxx.compute-1.amazonaws.com
sudo /opt/bitnami/bncert-tool

You may see this when you run the tool. Go ahead and update the tool and run it again.

An updated version is available. Would you like to download it? You would need to run it manually later. [Y/n]: Y

The tool will exit now. To run the updated version run the following command: 

/opt/bitnami/bncert-tool 

Step 2 - Run the Bitnami HTTPS Configuration Tool

When I run the tool, I enter the 3 domains that I need included in the certificate. Each domain name is entered as a fully qualified name, and the names are separated by spaces.

[aws.webagentnavigator.com demo.webagentnavigator.com phone.webagentnavigator.com]

bitnami@:~$ sudo /opt/bitnami/bncert-tool

An updated version is available. Would you like to download it? You would need to run it manually later. [Y/n]: Y
The tool will exit now. To run the updated version run the following command: 

/opt/bitnami/bncert-tool 

bitnami@:~$ sudo /opt/bitnami/bncert-tool
------------------------------------------------------------------
Welcome to the Bitnami HTTPS Configuration tool.
------------------------------------------------------------------
Domains

Please provide a valid space-separated list of domains for which you wish to configure your web server.

Domain list []: aws.webagentnavigator.com demo.webagentnavigator.com phone.webagentnavigator.com 

Because of the domain list I’m using (no “www” domains), I received the following message. If you’re using a top-level domain or a “www” domain, you will have the option of redirecting your domain (example.com) to the “www” domain (www.example.com).

Warning: No www domains (e.g. www.example.com) or non-www domains (e.g. 
www.example.com) have been provided, so the following redirections will be 
disabled: non-www to www, www to non-www.

Next we’re prompted about redirecting HTTP requests. A redirection sends the address the user typed into the address bar to a different one (http to https, or example.com to www.example.com).

Enable/disable redirections

Please select the redirections you wish to enable or disable on your Bitnami 
installation.

Enable HTTP to HTTPS redirection [Y/n]: Y

I want only SSL/HTTPS access for my domains, so I choose the redirection.

Changes to perform

The following changes will be performed to your Bitnami installation:

1. Stop web server
2. Configure web server to use an existing Let's Encrypt certificate and renew: 
/opt/bitnami/letsencrypt/certificates/aws.webagentnavigator.com.crt
3. Configure a cron job to automatically renew the certificate each month
4. Configure web server name to: aws.webagentnavigator.com
5. Enable HTTP to HTTPS redirection (example: redirect 
http://aws.webagentnavigator.com to https://aws.webagentnavigator.com)
6. Start web server once all changes have been performed

Do you agree to these changes? [Y/n]: Y

Selecting “Y” here performs the changes as outlined. Note that the web server name is taken from the first domain in the list entered above. This becomes the default server name (in my case aws.webagentnavigator.com) and also the base name of the certificate file.

Also note that this message may differ if you’ve never run the tool before or are running for a new domain list.

Create a free HTTPS certificate with Let's Encrypt

Please provide a valid e-mail address for which to associate your Let's Encrypt certificate.

Domain list: aws.webagentnavigator.com demo.webagentnavigator.com phone.webagentnavigator.com

Server name: aws.webagentnavigator.com

E-mail address []: kburkholder@earthasylum.com

The Let's Encrypt Subscriber Agreement can be found at:

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

Do you agree to the Let's Encrypt Subscriber Agreement? [Y/n]: Y

------------------------------------------------------------------
Performing changes to your installation

The Bitnami HTTPS Configuration Tool will perform any necessary actions to your Bitnami installation.
This may take some time, please be patient.

Once this is done, your default web address should be configured to use (and force) HTTPS. However, the other sub-domains are not; we need to change a configuration file for each sub-domain.

Step 3 - Edit the Apache configuration file

httpd-vhosts.conf defines the virtual host (demo.webagentnavigator.com). It was created for the default (http) protocol using port 80. [See this post].

For https, we need another virtual host entry using port 443. The configuration file for my “demo” domain is in the “/home/bitnami/apps/demo/conf” folder. I need to add this to it:

<VirtualHost *:443>
    ServerName demo.webagentnavigator.com
    ServerAdmin kburkholder@earthasylum.com
    DocumentRoot "/opt/bitnami/apps/demo/htdocs"
    SSLEngine on
    SSLCertificateFile "/opt/bitnami/apache2/conf/aws.webagentnavigator.com.crt"
    SSLCertificateKeyFile "/opt/bitnami/apache2/conf/aws.webagentnavigator.com.key"

    Include "/opt/bitnami/apps/demo/conf/httpd-app.conf"
</VirtualHost>

Note the “SSLCertificateFile” and “SSLCertificateKeyFile” path names. These certificate files are created by the Bitnami HTTPS tool in the “/opt/bitnami/apache2/conf” folder. The file name is the first (or default) domain name entered when running the tool.

Now the complete httpd-vhosts.conf file looks like this:

<VirtualHost *:80>
    ServerName demo.webagentnavigator.com
    ServerAdmin kburkholder@earthasylum.com
    DocumentRoot "/opt/bitnami/apps/demo/htdocs"

    Include "/opt/bitnami/apps/demo/conf/httpd-app.conf"
</VirtualHost>

<VirtualHost *:443>
    ServerName demo.webagentnavigator.com
    ServerAdmin kburkholder@earthasylum.com
    DocumentRoot "/opt/bitnami/apps/demo/htdocs"
    SSLEngine on
    SSLCertificateFile "/opt/bitnami/apache2/conf/aws.webagentnavigator.com.crt"
    SSLCertificateKeyFile "/opt/bitnami/apache2/conf/aws.webagentnavigator.com.key"

    Include "/opt/bitnami/apps/demo/conf/httpd-app.conf"
</VirtualHost>

This makes the domain “demo.webagentnavigator.com” available with HTTP on port 80 and with HTTPS on port 443.

One last step…

Step 4 - Restart Apache

I open a terminal session again with my WebAgent_ssh.command script and run:

sudo /opt/bitnami/ctlscript.sh restart

This restarts all of the Bitnami services, including Apache, and may take a minute or two.

And we’re done. I can now run WebAgent securely using “https://demo.webagentnavigator.com” and if I use http://demo.webagentnavigator.com it will automatically redirect to https://demo.webagentnavigator.com.

One caveat… WebAgent has a small customized “.htaccess” file. .htaccess is a directory-level Apache configuration file. I use it to set environment variables and conditional redirects. In order for the Let’s Encrypt renewal to work, I had to add a condition to the redirects…

RewriteCond %{REQUEST_URI} !^/\.well-known

This prevents a request for “/.well-known” from being redirected. The Let’s Encrypt renewal process attempts to access “/opt/bitnami/apps/letsencrypt/.well-known” and will fail if “/.well-known” is redirected.
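After the restart it is worth confirming from outside that each of the three names is really served with a certificate that covers it, that plain HTTP goes to HTTPS, and that the /.well-known path the renewal depends on is not redirected into the application. The script below is an added example (my own check, not part of the Bitnami tool or the original setup); it uses only the Python standard library, and the probe path under /.well-known/acme-challenge/ is an assumption about where the HTTP-01 renewal files land.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

DOMAINS = ["aws.webagentnavigator.com", "demo.webagentnavigator.com", "phone.webagentnavigator.com"]
ACME_PROBE = "/.well-known/acme-challenge/probe"  # assumed path; HTTP-01 renewal fetches files under here

def san_covers(cert, hostname):
    """True if cert (dict from SSLSocket.getpeercert()) lists hostname in its subjectAltName DNS
    entries; a single-label wildcard such as *.example.com is honoured."""
    host = hostname.lower()
    for name in (v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"):
        if name == host or (name.startswith("*.") and host.count(".") == name.count(".")
                            and host.endswith(name[1:])):
            return True
    return False

def fetch_cert(hostname, port=443, timeout=5):
    """Certificate presented for hostname via SNI; chain is still verified, name check is left to san_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def redirect_target(hostname, path, timeout=5):
    """Location header of a plain-HTTP GET for path, or None if the server answered directly."""
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def classify_redirect(location, hostname):
    """'none' (served directly), 'https' (sent to https:// on the same host) or 'other'."""
    if location is None:
        return "none"
    target = urlsplit(location)
    return "https" if target.scheme == "https" and target.hostname == hostname.lower() else "other"

def check_domain(hostname):
    """The ACME path may be served directly or sent to HTTPS on the same host; 'other' breaks renewal."""
    return {
        "cert_covers_name": san_covers(fetch_cert(hostname), hostname),
        "http_redirects_to_https": classify_redirect(redirect_target(hostname, "/"), hostname) == "https",
        "acme_path_reachable": classify_redirect(redirect_target(hostname, ACME_PROBE), hostname) != "other",
    }
```

Run it with `for d in DOMAINS: print(d, check_domain(d))` from a machine that can reach the server; a False in cert_covers_name means that sub-domain is being served with a certificate that was not issued for it.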