Enable SSL certificate for AWS EC2 WordPress blog site

Here we show how we enabled an SSL certificate, i.e. routed traffic through HTTPS by default, for our WordPress blog site, which is hosted on an AWS EC2 instance.

Current details of our WordPress blog site :

  • Hosted in : Amazon Web Services (AWS EC2)
  • Operating System : Ubuntu 18.04.4 LTS (Bionic Beaver)
  • Web Server : Apache

At this point the browser shows the site as Not Secure, i.e. no padlock sign is visible.

Before enabling the SSL certificate, we make sure that the site's config file is present under Apache's sites-available directory.

root@FlyWithEdu:~# ls -lrth /etc/apache2/sites-available/|grep -i flywithedu
-rw-r--r-- 1 root root 604 May 19 17:36 flywithedu.com.conf
root@FlyWithEdu:~# cat /etc/apache2/sites-available/flywithedu.com.conf
<VirtualHost *:80>
    ServerName flywithedu.com
    ServerAlias www.flywithedu.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/flywithedu

    <Directory /var/www/flywithedu>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/flywithedu.com-error.log
    CustomLog ${APACHE_LOG_DIR}/flywithedu.com-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =flywithedu.com [OR]
RewriteCond %{SERVER_NAME} =www.flywithedu.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Step 1 : Install certbot

root@FlyWithEdu:~# add-apt-repository ppa:certbot/certbot
root@FlyWithEdu:~# apt install python-certbot-apache

Step 2: Enable 443 port access in security group

As we are using an Amazon Web Services EC2 instance for hosting, we enabled port 443 (HTTPS) access under the Inbound rules of the security group.

Step 3: Generate SSL Certificate

root@FlyWithEdu:~# certbot --apache -d flywithedu.com

Once we receive the prompt below, we choose the 2nd option to redirect all traffic to HTTPS.

Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/flywithedu.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

At the end, we get the message below, with a link to verify our SSL certificate details, which confirms that SSL is enabled and valid.

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=flywithedu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Also, you will notice that a “Let’s Encrypt” config file has been created to route traffic through SSL on port 443.

root@FlyWithEdu:~# ls -lrth /etc/apache2/sites-available/ | grep -i fly
-rw-r--r-- 1 root root 604 May 19 17:36 flywithedu.com.conf
-rw-r--r-- 1 root root 645 Jul 12 06:29 flywithedu.com-le-ssl.conf

root@FlyWithEdu:~# ls -lrth /etc/apache2/sites-enabled/ | grep -i fly
lrwxrwxrwx 1 root root 38 May 19 17:30 flywithedu.com.conf -> ../sites-available/flywithedu.com.conf
lrwxrwxrwx 1 root root 55 May 19 17:36 flywithedu.com-le-ssl.conf -> /etc/apache2/sites-available/flywithedu.com-le-ssl.conf
root@FlyWithEdu:~#
root@FlyWithEdu:/etc/apache2/sites-available# cat flywithedu.com-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName flywithedu.com
    ServerAlias www.flywithedu.com
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/flywithedu

    <Directory /var/www/flywithedu>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/flywithedu.com-error.log
    CustomLog ${APACHE_LOG_DIR}/flywithedu.com-access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/flywithedu.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/flywithedu.com/privkey.pem
</VirtualHost>
</IfModule>
root@FlyWithEdu:/etc/apache2/sites-available#
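
Added example (not part of the original post): Step 3 passes a single name to certbot with -d, while the virtual host also declares a ServerAlias, so it is worth confirming that every name the site answers to appears in the certificate. The shell functions below compare a vhost file's names with a certificate's DNS names; the function names are assumptions made for illustration and the sample input is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: list the host names an Apache
# vhost serves that a certificate's names do not cover.

# Print every ServerName / ServerAlias value in vhost file $1, one per line.
vhost_names() {
    awk 'tolower($1) == "servername" || tolower($1) == "serveralias" {
             for (i = 2; i <= NF; i++) print tolower($i)
         }' "$1" | sort -u
}

# Print the DNS names in the subjectAltName of PEM certificate $1.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2 | tr 'A-Z' 'a-z'
}

# Succeed if host $1 matches certificate name $2: an exact match, or a
# wildcard such as *.example.com standing in for exactly one label.
name_matches() {
    case "$2" in
        \*.*) [ "$1" != "${1#*.}" ] && [ "${1#*.}" = "${2#\*.}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

# Print each name in vhost file $1 that no name in the list $2 covers.
# Runs in a subshell with globbing off so a "*" in $2 is never expanded.
uncovered_names() (
    set -f
    for host in $(vhost_names "$1"); do
        covered=no
        for san in $2; do
            if name_matches "$host" "$san"; then covered=yes; fi
        done
        [ "$covered" = yes ] || echo "$host"
    done
)

# Constructed sample: the two names from this page's vhost, checked against
# a certificate that holds only the one name given to certbot with -d.
sample=$(mktemp)
printf '%s\n' '<VirtualHost *:443>' '    ServerName flywithedu.com' \
    '    ServerAlias www.flywithedu.com' '</VirtualHost>' > "$sample"
uncovered_names "$sample" "flywithedu.com"
rm -f "$sample"
# On the server (paths as shown on this page):
#   uncovered_names /etc/apache2/sites-available/flywithedu.com-le-ssl.conf \
#       "$(cert_sans /etc/letsencrypt/live/flywithedu.com/fullchain.pem)"
```

Any name this prints is served by the vhost but would produce a browser certificate warning; an empty result means every declared name is covered.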

How to renew SSL certificate?

When you check your certificate details on https://www.ssllabs.com/ssltest, you will notice that the certificate has been generated for only 90 days. There is no need to worry, because certbot automatically creates and configures a cron file to renew the SSL certificates; it runs twice a day and renews a certificate once its expiration is within 30 days. As the note inside the file itself says, on a system running systemd this cron job is not executed and certbot.timer takes precedence.

root@FlyWithEdu:/etc/cron.d# cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
root@FlyWithEdu:/etc/cron.d#

If you want to force a renewal of your certificates even though the expiration date is not yet near, you can run the command below.

root@FlyWithEdu:~# certbot --apache -d flywithedu.com

At the prompt below, choose option 2 to renew your certificates. Note: we are allowed to renew certificates only 5 times within 7 days.

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
