Enable Let’s Encrypt on Joomla hosted on AWS

Enable Let’s Encrypt SSL Certificate on Joomla website

In this post, we are going to explore how to install a Let’s Encrypt certificate on a Joomla website hosted on Amazon Lightsail to secure your website.

In my previous blog post, I wrote about hosting Joomla on Amazon Lightsail. Amazon offers an amazing platform to host your website on a Virtual Private Server (VPS) for a reasonable cost. I have been blogging since 2009 and I remember the cost of a VPS would start at $30 per month. Today, the cost is 10 times cheaper and the infrastructure is reliable and scalable.

There are lots of advantages in having your website hosted on a virtual private server. However, the one drawback I see is that you have to manage and maintain the server yourself. Honestly, maintaining a website is not an easy task. Apart from publishing quality content, you also have to take care of security, privacy, and updates to the Joomla system and to underlying systems like PHP. With any virtual private server, you have to maintain the server yourself, and that is time-consuming.

Your website is incomplete without HTTPS. Search engines prefer HTTPS and take it into account when ranking, so that is another reason to enable HTTPS on your website.

What is HTTPS

In simple terms, HTTPS is a protocol which provides secure (encrypted) communication or data transfer over the network (the internet). For websites, the encryption is provided through Secure Sockets Layer (SSL). The reason to use HTTPS on your website is to provide authentication of the accessed data, such as user profile information which includes email, and to protect the privacy and integrity of the exchanged data.

How do you identify whether HTTPS is enabled on a website? You can see a green padlock before the website address.

In the old days, and often even today, we had to purchase an SSL certificate to enable HTTPS. But now we can get one for free, thanks to Let’s Encrypt!

What is Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). It is a Linux Foundation Collaborative Project to create a more secure and privacy-respecting Web.

If you would like to learn more, head over to the Let’s Encrypt website.

In Amazon Lightsail, you can get pre-configured images by Bitnami or any Linux server. The steps to install the SSL certificate are the same for all servers.

Use the Bitnami auto-configuration script

If you have the latest Bitnami stack, look for the script in the /opt/bitnami/letsencrypt/ directory. Bitnami has included a small tool to make the process easier for us.

Execute the following command to auto-configure a Let’s Encrypt certificate in your stack for a domain, both with and without the www prefix. Replace the YOURMAIL and YOURDOMAIN placeholders with your current email and with the domain name.


sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m YOURMAIL -d YOURDOMAIN -d www.YOURDOMAIN

Manual installation of the Let’s Encrypt SSL certificate

Several ACME clients are available with which you can install the SSL certificates.

Install the Lego client

The Lego client simplifies the process of obtaining a Let’s Encrypt certificate. First, we need to download the lego client. Log in to your server and run the following commands. Don’t forget to replace the X, Y, Z in lego_vX.Y.Z_linux_amd64 with the most recent version of the lego client. To find the latest version, go to the lego GitHub repository.


cd /tmp
curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
tar xf lego_vX.Y.Z_linux_amd64.tar.gz
sudo mv lego /usr/local/bin/lego

Run lego client to obtain Let’s Encrypt SSL certificate

Once you have downloaded and installed the lego client successfully, we will generate the Let’s Encrypt certificate for your domain. Stop all the services in the Bitnami stack using the following command. If you are using any other image, stop httpd, the database and PHP.


sudo /opt/bitnami/ctlscript.sh stop

Run the following command to request a new certificate for your domain. As a best practice, always request the new certificate both with and without www. Remember to replace the DOMAIN placeholder with your actual domain name, and the EMAIL-ADDRESS placeholder with your email address.


sudo lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --domains="www.DOMAIN" --path="/etc/lego" run

If you have done everything correctly, it will ask you to agree to the terms and conditions. Once done, a set of certificates will be generated in the /etc/lego/certificates directory. This set includes the server certificate file DOMAIN.crt and the server certificate key file DOMAIN.key.

Configure the Web server to use the Let’s Encrypt certificate

It is best to create a link to the certificate in the Apache folder rather than moving or copying the certificates.

Run the following commands to back up any existing or default certificate that comes with the Bitnami image or any other image.


sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old

Run the following commands to create links to the certificate and the key.


sudo ln -s /etc/lego/certificates/DOMAIN.key /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/lego/certificates/DOMAIN.crt /opt/bitnami/apache2/conf/server.crt

Run the following commands to change the file ownership and permissions so that the files can be read by the root user only.


sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*

Once everything is done, restart the Apache services using the following command for Bitnami images.


sudo /opt/bitnami/ctlscript.sh start

Verify the certificate configuration

Open a new browser window and type in https://DOMAIN and https://www.DOMAIN (replace the DOMAIN placeholder with your domain name). You should see a green padlock icon next to your domain name, and if you click on it, a small window opens which says “secure connection” and “Verified by Let’s Encrypt”.


Renew the Let’s Encrypt certificate automatically

Now that you have installed and configured the Let’s Encrypt certificate correctly, you need to renew the SSL certificate every 90 days.

Let’s automate the process by creating a script which can run every 90 days or 30 days as per your schedule. Go to /etc/lego/. If you have permission issues accessing /etc/lego, log in as the root user. Create a script named renew-certificate.sh and type in the following lines. Remember to replace the email address and domain name.


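#!/bin/bash

# Stop the Bitnami stack while the certificate is renewed
sudo /opt/bitnami/ctlscript.sh stop
# Renew the certificate stored under /etc/lego
sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
# Start the stack again so Apache loads the renewed certificate
sudo /opt/bitnami/ctlscript.sh start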

Make the script executable using the command:


chmod +x /etc/lego/renew-certificate.sh

Type in the following command to open the crontab editor to schedule the script.


sudo crontab -e

Add the following line to the crontab file to schedule the script to run on the 1st of every month.


0 0 1 * * /etc/lego/renew-certificate.sh 2> /dev/null
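Because the crontab entry sends the script's error output to /dev/null, a failed renewal stays silent until the certificate has expired. The following check is an added example, not part of the original post: it uses openssl to confirm that the certificate has enough validity left, that the key belongs to it, and that the key file is closed to group and others. The function names and the 30-day default are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Paths passed in are assumed to be
# the post's layout, e.g. /etc/lego/certificates/DOMAIN.crt and DOMAIN.key.

# 0 if the certificate stays valid for at least $2 more days (default 30).
cert_valid_for() {
    local crt="$1" days="${2:-30}"
    openssl x509 -in "$crt" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# 0 if the private key really belongs to the certificate (public keys equal).
key_matches_cert() {
    local from_crt from_key
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# 0 if the key is a regular file with no group/other permission bits.
# -L follows the symlink in the Apache conf directory to the real file.
key_is_private() {
    local mode
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks; print one warning per failure, return 1 if any failed.
check_site() {
    local crt="$1" key="$2" days="${3:-30}" rc=0
    cert_valid_for "$crt" "$days" ||
        { echo "WARN: $crt expires within $days days or is unreadable" >&2; rc=1; }
    key_matches_cert "$crt" "$key" ||
        { echo "WARN: $key does not match $crt" >&2; rc=1; }
    key_is_private "$key" ||
        { echo "WARN: $key is missing or accessible to group/others" >&2; rc=1; }
    return "$rc"
}

# When called as: script CERT KEY [DAYS]
if [ "$#" -ge 2 ]; then
    check_site "$@"
fi
```

Run it as root after the renewal script, passing /etc/lego/certificates/DOMAIN.crt and /etc/lego/certificates/DOMAIN.key as arguments; a non-zero exit status means at least one check failed.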

By following these steps you can set up a Let’s Encrypt SSL certificate, which is valid for 90 days. You can either renew it every 30 days or at the end of the 90-day period. Please comment if you need any help.