Skip to content

Instantly share code, notes, and snippets.

@betahikaru

betahikaru/redmine-https-aws.md

Last active September 6, 2020 04:03
Show Gist options
  • Save betahikaru/fcc6188f438fee21cc9b7e82432b0208 to your computer and use it in GitHub Desktop.
Save betahikaru/fcc6188f438fee21cc9b7e82432b0208 to your computer and use it in GitHub Desktop.
Download ZIP
Setup Bitnami Redmine on AWS & certbot(Let's Encrypt)
Raw
redmine-https-aws.md

[WIP]Setup Bitnami Redmine on AWS & certbot(Let's Encrypt)

Note: Created at 2016/08/07

Todos

  • Automation refresh by cron

References

Procedures

AWS

  • Create EC2 Instance
    • Search AMI "Bitnami Redmine"
    • t1.micro, Ubuntu(x64)
    • Public IP Address is required
  • Create DNS record on route53
  • Show SystemLog for Instance
#########################################################################
#                                                                       #
#        Setting Bitnami application password to 'Spxxxxxxxxxx'         #
#                                                                       #
#########################################################################
  • Login EC2 by SSH

Ubuntu

  • Run test for certbot
# Download
git clone https://github.com/certbot/certbot

# Run test
cd certbot
./certbot-auto
...
Do you want to continue? [Y/n] Y
...
Installation succeeded.
Requesting root privileges to run certbot...
  /home/bitnami/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running certbot with the "certonly" command
  • Get SSL/TLS Server Certificate
    • Required register DNS Record for host where running command.
# Stop http server (and more)
sudo ~/stack/ctlscript.sh stop

# Get certificate
sudo ./certbot-auto certonly --standalone -d redmine.betahikaru.com
...(TUI)...
(Enter E-mail address)
(Enter on [Agree])
# If you success, you can show following messages.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem. Your
 cert will expire on 2016-MM-DD. To obtain a new or tweaked version
 of this certificate in the future, simply run certbot-auto again.
 To non-interactively renew *all* of your certificates, run
 "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

# Start http server (and more)
sudo ~/stack/ctlscript.sh start

  • Check pem files exists

    • /etc/letsencrypt/live/redmine.betahikaru.com/cert.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/chain.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/privkey.pem

  • Setup SSL on Apache

    • Edit Server Name
ServerName redmine.betahikaru.com
  • Check apache2 version
bitnami@ip-172-31-0-176:~$ /opt/bitnami/apache2/bin/apachectl -v
Server version: Apache/2.4.20 (Unix)
Server built:   Jun 27 2016 03:00:49
  • Edit setting for SSL
    • Case of Bitnami Redmine v3.3.0 , edit /opt/bitnami/apache2/conf/bitnami/bitnami.conf
    • Specify privkey.pem at SSLCertificateKeyFile.
    • If apache2 version >= 2.4.8, Not specify SSLCertificateChainFile. Else, specify chain.pem.
    • If apache2 version >= 2.4.8, Use fullchain.pem at SSLCertificateFile. Else, specify cert.pem.
 ...
 
 Listen 443
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
 SSLPassPhraseDialog  builtin
 SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 
 <VirtualHost _default_:443>
   DocumentRoot "/opt/bitnami/apache2/htdocs"
   SSLEngine on
 
-  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
-  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
 
+  SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem"
+  ##for old apache## SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/cert.pem"
+  SSLCertificateKeyFile "/etc/letsencrypt/live/redmine.betahikaru.com/privkey.pem"
+  ##for old apache## SSLCertificateChainFile "/etc/letsencrypt/live/redmine.betahikaru.com/chain.pem"
 
 ...
  • Restart apache
sudo ~/stack/ctlscript.sh restart apache
  • Check VirtualHost Setting
    • Edit 2 shell files
      • ~/stack/ctlscript.sh
    else
        help
    fi
+elif [ "x$1" = "xvhost" ]; then
+    $APACHE_SCRIPT vhost
 elif [ "x$1" = "xstop" ]; then
  • /apache2/scripts/ctl.sh
         ERROR=4
     fi
 }
+show_vhost_apache() {
+    test_apache_config
+    is_apache_running
+    RUNNING=$?
+    $HTTPD -S
+}
+
 cleanpid() {
     rm -f $HTTPD_PIDFILE
 }
 
 if [ "x$1" = "xstart" ]; then
     start_apache
 elif [ "x$1" = "xstop" ]; then
     stop_apache
 elif [ "x$1" = "xstatus" ]; then
     is_apache_running
     echo "$HTTPD_STATUS"
 elif [ "x$1" = "xcleanpid" ]; then
     cleanpid
+elif [ "x$1" = "xvhost" ]; then
+    show_vhost_apache
 fi
  • Run sudo ~/stack/ctlscript.sh vhost
$ sudo ~/stack/ctlscript.sh vhost
Syntax OK
VirtualHost configuration:
*:80                   redmine.betahikaru.com (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:8)
*:443                  redmine.betahikaru.com (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:43)
ServerRoot: "/opt/bitnami/apache2"
Main DocumentRoot: "/opt/bitnami/apache2/htdocs"
Main ErrorLog: "/opt/bitnami/apache2/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/opt/bitnami/apache2/logs/" mechanism=default
PidFile: "/opt/bitnami/apache2/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: USE_PHP_FPM
User: name="daemon" id=1
Group: name="daemon" id=1
@brunotriptribus
Copy link

Thank you man. Helped me a lot.

@undigo
Copy link

undigo commented Feb 3, 2017
edited
Loading

I try dry-run option and the update is ok
certbot renew --dry-run --pre-hook "/opt/bitnami/ctlscript.sh stop apache" --post-hook "/opt/bitnami/ctlscript.sh start apache"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/MYWEBSITE.conf

Attempting to parse the version 0.11.1 renewal configuration file found at /etc/letsencrypt/renewal/MYWEBSITE.conf with version 0.9.3 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Running pre-hook command: /opt/bitnami/ctlscript.sh stop apache
Error output from None:
Syntax OK

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for MYWEBSITE
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/MYWEBSITE/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: /opt/bitnami/ctlscript.sh start apache
Error output from None:
Syntax OK

@anush0247
Copy link

i followed the above process to create a new cerficiate but i am unable to renew, can you share the snippet to do renew the certificate as well, it will help us a lot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment