@betahikaru
Last active September 6, 2020 04:03
[WIP] Setup Bitnami Redmine on AWS & certbot (Let's Encrypt)

Note: Created at 2016/08/07

Todos

  • Automate certificate renewal with cron

References

Procedures

AWS

  • Create an EC2 instance
    • Search the AMIs for "Bitnami Redmine"
    • t1.micro, Ubuntu (x64)
    • A public IP address is required
  • Create a DNS record on Route 53
  • Show the system log for the instance (it contains the generated application password):
#########################################################################
#                                                                       #
#        Setting Bitnami application password to 'Spxxxxxxxxxx'         #
#                                                                       #
#########################################################################
  • Log in to the EC2 instance over SSH

Ubuntu

  • Download certbot and run it once as a test
# Download
git clone https://github.com/certbot/certbot

# Run test
cd certbot
./certbot-auto
...
Do you want to continue? [Y/n] Y
...
Installation succeeded.
Requesting root privileges to run certbot...
  /home/bitnami/.local/share/letsencrypt/bin/letsencrypt
No installers seem to be present and working on your system; fix that or try running certbot with the "certonly" command
  • Get an SSL/TLS server certificate
    • The DNS record for the host running the command must already be registered (the standalone challenge needs the name to resolve to this instance).
# Stop http server (and more)
sudo ~/stack/ctlscript.sh stop

# Get certificate
sudo ./certbot-auto certonly --standalone -d redmine.betahikaru.com
...(TUI)...
(Enter E-mail address)
(Enter on [Agree])
# On success, you see the following messages.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
 /etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem. Your
 cert will expire on 2016-MM-DD. To obtain a new or tweaked version
 of this certificate in the future, simply run certbot-auto again.
 To non-interactively renew *all* of your certificates, run
 "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

# Start http server (and more)
sudo ~/stack/ctlscript.sh start
  • Check that the pem files exist

    • /etc/letsencrypt/live/redmine.betahikaru.com/cert.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/chain.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem
    • /etc/letsencrypt/live/redmine.betahikaru.com/privkey.pem
  • Set up SSL on Apache

    • Edit ServerName
ServerName redmine.betahikaru.com
  • Check the apache2 version
bitnami@ip-172-31-0-176:~$ /opt/bitnami/apache2/bin/apachectl -v
Server version: Apache/2.4.20 (Unix)
Server built:   Jun 27 2016 03:00:49
  • Edit the SSL settings
    • For Bitnami Redmine v3.3.0, edit /opt/bitnami/apache2/conf/bitnami/bitnami.conf
    • Set SSLCertificateKeyFile to privkey.pem.
    • If the apache2 version is >= 2.4.8, do not set SSLCertificateChainFile; otherwise set it to chain.pem.
    • If the apache2 version is >= 2.4.8, set SSLCertificateFile to fullchain.pem; otherwise set it to cert.pem.
 ...
 
 Listen 443
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !EDH !RC4"
 SSLPassPhraseDialog  builtin
 SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
 SSLSessionCacheTimeout  300
 
 <VirtualHost _default_:443>
   DocumentRoot "/opt/bitnami/apache2/htdocs"
   SSLEngine on
 
-  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
-  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
 
+  SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem"
+  ##for old apache## SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/cert.pem"
+  SSLCertificateKeyFile "/etc/letsencrypt/live/redmine.betahikaru.com/privkey.pem"
+  ##for old apache## SSLCertificateChainFile "/etc/letsencrypt/live/redmine.betahikaru.com/chain.pem"
 
 ...
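Review bot: `SSLProtocol all -SSLv2 -SSLv3` at the top of this block still leaves TLS 1.0 and 1.1 enabled; on Apache 2.4.20 the same line can be written `SSLProtocol -all +TLSv1.2` once the clients that use this Redmine support it. Also note that the two `##for old apache##` lines are comments, so on Apache < 2.4.8 both must be edited by hand: uncomment the SSLCertificateChainFile line and change SSLCertificateFile to cert.pem, rather than leaving the fullchain.pem line active.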
  • Restart apache
sudo ~/stack/ctlscript.sh restart apache
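As an added example (not part of the gist), a small Python checker for the rule above: it reads the Apache version from `apachectl -v` output and verifies that the SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives in the edited bitnami.conf fit that version, skipping the `##for old apache##` comment lines. The sample inputs are constructed from the values shown on this page.

```python
import re

# The gist's rule: from Apache 2.4.8 on, SSLCertificateFile may hold the full chain
# and SSLCertificateChainFile is no longer needed (older versions need cert.pem + chain.pem).
CHAIN_IN_CERT_FILE_SINCE = (2, 4, 8)

def parse_apache_version(apachectl_output):
    """Return (major, minor, patch) from 'Server version: Apache/2.4.20 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", apachectl_output)
    if not m:
        raise ValueError("no Apache version found in apachectl -v output")
    return tuple(int(x) for x in m.groups())

def ssl_directives(conf_text):
    """Collect active SSLCertificate* directives; lines starting with '#' are comments."""
    found = {}
    for line in (l.strip() for l in conf_text.splitlines()):
        if line.startswith("#"):
            continue  # the '##for old apache##' lines must not count as directives
        m = re.match(r'(SSLCertificate(?:File|KeyFile|ChainFile))\s+"?([^"\s]+)"?', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def check_ssl_config(version, conf_text):
    """Return findings; an empty list means the directives fit this Apache version."""
    d, findings = ssl_directives(conf_text), []
    cert, chain = d.get("SSLCertificateFile", ""), d.get("SSLCertificateChainFile")
    if version >= CHAIN_IN_CERT_FILE_SINCE:
        if not cert.endswith("fullchain.pem"):
            findings.append("SSLCertificateFile should be fullchain.pem on Apache >= 2.4.8")
        if chain is not None:
            findings.append("SSLCertificateChainFile is obsolete on Apache >= 2.4.8; drop it")
    else:
        if not cert.endswith("cert.pem"):
            findings.append("SSLCertificateFile should be cert.pem on Apache < 2.4.8")
        if not (chain or "").endswith("chain.pem"):
            findings.append("SSLCertificateChainFile must point to chain.pem on Apache < 2.4.8")
    if not d.get("SSLCertificateKeyFile", "").endswith("privkey.pem"):
        findings.append("SSLCertificateKeyFile should be privkey.pem")
    return findings

# Constructed sample inputs mirroring the apachectl output and edited bitnami.conf above.
SAMPLE_VERSION_OUTPUT = "Server version: Apache/2.4.20 (Unix)\nServer built:   Jun 27 2016 03:00:49\n"
SAMPLE_CONF = """\
  SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/fullchain.pem"
  ##for old apache## SSLCertificateFile "/etc/letsencrypt/live/redmine.betahikaru.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/redmine.betahikaru.com/privkey.pem"
  ##for old apache## SSLCertificateChainFile "/etc/letsencrypt/live/redmine.betahikaru.com/chain.pem"
"""
```

Running `check_ssl_config(parse_apache_version(SAMPLE_VERSION_OUTPUT), SAMPLE_CONF)` returns an empty list for the page's Apache 2.4.20; feeding the same file with an older version tuple reports the two directives that would have to change.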
  • Check the VirtualHost setting
    • Add a vhost subcommand by editing two shell files
      • ~/stack/ctlscript.sh
    else
        help
    fi
+elif [ "x$1" = "xvhost" ]; then
+    $APACHE_SCRIPT vhost
 elif [ "x$1" = "xstop" ]; then
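Review bot: the `else`/`help` branch in the context lines above should also list the new `vhost` subcommand, otherwise the only place it is discoverable is this gist; the dispatch line `$APACHE_SCRIPT vhost` itself is consistent with the other branches.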
  • /apache2/scripts/ctl.sh
         ERROR=4
     fi
 }
+show_vhost_apache() {
+    test_apache_config
+    is_apache_running
+    RUNNING=$?
+    $HTTPD -S
+}
+
 cleanpid() {
     rm -f $HTTPD_PIDFILE
 }
 
 if [ "x$1" = "xstart" ]; then
     start_apache
 elif [ "x$1" = "xstop" ]; then
     stop_apache
 elif [ "x$1" = "xstatus" ]; then
     is_apache_running
     echo "$HTTPD_STATUS"
 elif [ "x$1" = "xcleanpid" ]; then
     cleanpid
+elif [ "x$1" = "xvhost" ]; then
+    show_vhost_apache
 fi
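Review bot: in `show_vhost_apache`, `RUNNING=$?` is assigned but never read, so the `is_apache_running` call does nothing useful; either drop those two lines or branch on `$RUNNING` before `$HTTPD -S`. The `test_apache_config` call is what produces the `Syntax OK` line shown below, so keep that one.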
  • Run sudo ~/stack/ctlscript.sh vhost
$ sudo ~/stack/ctlscript.sh vhost
Syntax OK
VirtualHost configuration:
*:80                   redmine.betahikaru.com (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:8)
*:443                  redmine.betahikaru.com (/opt/bitnami/apache2/conf/bitnami/bitnami.conf:43)
ServerRoot: "/opt/bitnami/apache2"
Main DocumentRoot: "/opt/bitnami/apache2/htdocs"
Main ErrorLog: "/opt/bitnami/apache2/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/opt/bitnami/apache2/logs/" mechanism=default
PidFile: "/opt/bitnami/apache2/logs/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: USE_PHP_FPM
User: name="daemon" id=1
Group: name="daemon" id=1
@brunotriptribus

Thank you man. Helped me a lot.

@undigo

undigo commented Feb 3, 2017

I tried the dry-run option and the update is OK:
certbot renew --dry-run --pre-hook "/opt/bitnami/ctlscript.sh stop apache" --post-hook "/opt/bitnami/ctlscript.sh start apache"
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/MYWEBSITE.conf

Attempting to parse the version 0.11.1 renewal configuration file found at /etc/letsencrypt/renewal/MYWEBSITE.conf with version 0.9.3 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Running pre-hook command: /opt/bitnami/ctlscript.sh stop apache
Error output from None:
Syntax OK

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for MYWEBSITE
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/MYWEBSITE/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
Running post-hook command: /opt/bitnami/ctlscript.sh start apache
Error output from None:
Syntax OK

@anush0247

I followed the above process to create a new certificate but I am unable to renew. Can you share the snippet to renew the certificate as well? It will help us a lot.
