Hướng dẫn cài đặt Certbot trên Amazon EC2 mới nhất 2021

Amazon Linux 2 là thế hệ tiếp theo của Amazon Linux, một hệ điều hành máy chủ Linux từ Amazon Web Services (AWS). Amazon Linux 2 cung cấp một môi trường Linux hiệu suất cao phù hợp với các tổ chức thuộc mọi quy mô. Nó hỗ trợ các ứng dụng khác nhau, từ các trang web nhỏ đến các nền tảng quan trọng cấp doanh nghiệp.

Amazon Linux 2 bao gồm hỗ trợ cho ngăn xếp LAMP (Linux / Apache / MariaDB / PHP), một trong những nền tảng phổ biến nhất để triển khai các trang web. Để bảo mật việc truyền dữ liệu đang chuyển tới các trang web như vậy và ngăn chặn việc nghe trộm, các tổ chức thường sử dụng các dịch vụ Bảo mật lớp cổng bảo mật / Lớp truyền tải (SSL / TLS) sử dụng chứng chỉ để cung cấp mã hóa. Ngăn xếp LAMP do Amazon Linux 2 cung cấp bao gồm chứng chỉ SSL / TLS tự ký. Các chứng chỉ này có thể phù hợp để sử dụng nội bộ nhưng không được chấp nhận khi được cơ quan cấp chứng chỉ yêu cầu chứng thực.

Trong bài đăng này, tôi thảo luận về cách mở rộng khả năng của Amazon Linux 2 bằng cách cài đặt Let’s Encrypt, cơ quan cấp chứng chỉ do Nhóm nghiên cứu bảo mật Internet cung cấp. Let’s Encrypt cung cấp miễn phí chứng chỉ SSL / TLS cơ bản cho máy chủ DNS mà bạn có thể sử dụng để thêm mã hóa trong quá trình truyền vào một máy chủ web. Đối với cấu hình thương mại hoặc nhiều máy chủ, bạn nên xem xét Trình quản lý chứng chỉ AWS và Cân bằng tải đàn hồi.

Let’s Encrypt cũng yêu cầu gói certbot mà bạn cài đặt từ EPEL, bộ sưu tập Extra Packaged for Enterprise Linux. Mặc dù EPEL không được bao gồm trong Amazon Linux 2, tôi chỉ cho bạn cách bạn có thể cài đặt nó từ Dự án Fedora.

Walkthrough

At a high level, you perform the following tasks for this walkthrough:

1. Provision a VPC, Amazon Linux 2 instance, and LAMP stack.
2. Install and enable the EPEL repository.
3. Install and configure Let’s Encrypt.
4. Validate the installation.
5. Clean up.

Prerequisites and costs

• To follow along with this walkthrough, you need the following:
• An AWS account that provides access to Amazon EC2 and Amazon VPC.
• An Amazon EC2 key pair.
• A program such as PuTTY that allows you to connect to the Amazon Linux 2 instance using the SSH protocol.
• Working knowledge of Amazon EC2 and Amazon VPC.
• The ability to configure DNS entries for a host domain.

You may incur charges for the resources you use including, but not limited to, the Amazon EC2 instance and the associated network charges.

Step 1: Provision a VPC, Amazon Linux 2 instance, and LAMP stack

1. Create a VPC with a single public subnet, a routing table, and an internet gateway.
2. Launch an Amazon Linux 2 instance in the VPC that you just created. Make sure that you do the following:
   1. Select the Amazon Linux 2 AMI.
   2. Choose t2.micro for the instance type.
   3. Accept all other default values including with regard to storage.
   4. Create a new security group and accept the default rule that allows TCP port 22 (SSH) from everywhere (0.0.0.0/0 in IPv4). For the purposes of this walkthrough, permitting access from all IP addresses is reasonable. In a production environment, you may restrict access to different addresses.
3. Allocate and associate an Elastic IP address to the server when it enters the running state.
4. Install a LAMP stack.
5. Browse to the Elastic IP address that you just created and confirm that you can see the Apache test page, as illustrated below.

Step 2: Install and enable EPEL

1. Connect to your Amazon Linux 2 instance at the Elastic IP address that you just created.
2. Download and install the EPEL repository using the following commands:

   cd /tmp wget -O epel.rpm –nv \ 
   https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm 
   sudo yum install -y ./epel.rpm

   Bash

   Respond “Y” to all requests for approval to install the software.

Amazon Linux 2

Install the EPEL release package for RHEL 7 and enable the EPEL repository.

sudo amazon-linux-extras install epel -y

Amazon Linux Amazon Machine Image (AMI):

The EPEL repository is already installed on the original version of Amazon Linux, but you must enable it. You can enable this repository either by using the yum-config-manager command or by editing the epel.repo file.

sudo yum-config-manager --enable epel

Step 3: Install and configure Let’s Encrypt

1. If you are no longer connected to the Amazon Linux 2 instance, connect to it at the Elastic IP address that you just created.
2. Install certbot, the Let’s Encrypt client to be used to obtain an SSL/TLS certificate and install it into Apache.

   sudo yum install python2-certbot-apache.noarch

   Bash

   Respond “Y” to all requests for approval to install the software.
   If you see a message appear about SELinux, you can safely ignore it. This is a known issue with the latest version of certbot.

3. Create a DNS “A record” that maps a host name to the Elastic IP address. For this post, assume that the name of the host is lamp.example.com. If you are hosting your DNS in Amazon Route 53, do this by creating the appropriate record set.
4. After the “A record” has propagated, browse to lamp.example.com. The Apache test page should appear. If the page does not appear, use a tool such as nslookup on your workstation to confirm that the DNS record has been properly configured.
5. You are now ready to install Let’s Encrypt. Let’s Encrypt does the following:
   • Confirms that you have control over the DNS domain being used, by having you create a DNS TXT record using the value that it provides.
   • Obtains an SSL/TLS certificate.
   • Modifies the Apache-related scripts to use the SSL/TLS certificate and redirects users browsing the site in HTTP mode to HTTPS mode.
6. Use the following command to install certbot:

   sudo certbot -i apache -a manual \ --preferred-challenges dns -d lamp.example.com

   Bash

   The options have the following meanings:

   -i apache Use the Apache installer. -a manual Authenticate domain ownership manually. --preferred-challenges dns Use DNS TXT records for authentication challenge. -d lamp.example.com Specify the domain for the SSL/TLS certificate.

   Bash

7. You are prompted for the following information:
   E-mail address for renewals?                Enter an email address for certificate renewals.
   Accept the terms of services?               Respond as appropriate.
   Send your e-mail address to the EFF?    Respond as appropriate.
   Log your current IP address?                Respond as appropriate.
8. You are prompted to deploy a DNS TXT record with the name “_acme-challenge.lamp.example.com” with the supplied value, as shown below.
9. After you enter the record, wait until the TXT record propagates. To look up the TXT record to confirm the deployment, use the nslookup command in a separate command window, as shown below. Remember to use the set ty=txt command before entering the TXT record.
   You are prompted to select a virtual host. There is only one, so choose 1. The final prompt asks whether to redirect HTTP traffic to HTTPS. To perform the redirection, choose 2. That completes the configuration of Let’s Encrypt.
10. To enable HTTPS (TCP port 443) traffic, add a rule to the security group for your Amazon Linux 2 instance.

Step: 4:  Validate the installation

1. Browse to the http:// lamp.example.com site. You are redirected to the SSL/TLS page https://lamp.example.com.
2. To look at the encryption information, use the appropriate actions within your browser. For example, in Firefox, you can open the padlock and traverse the menus.
   In the encryption technical details, you can see from the “Connection Encrypted” line that traffic to the website is now encrypted using TLS 1.2.

Security note:  As of the time of publication, this website also supports TLS 1.0. I recommend that you disable this protocol because of some known vulnerabilities associated with it. To do this:

1. Edit the file /etc/letsencrypt/options-ssl-apache.conf.
2. Look for the line beginning with SSLProtocol and change it to the following:

   SSLProtocol   all -SSLv2 -SSLv3 -TLSv1

   Bash

3. Save the file. After you make changes to this file, Let’s Encrypt no longer automatically updates it. Periodically check your log files for recommended updates to this file.
4. Restart the httpd server with the following command:

   sudo service httpd restart

   Bash

Step 5: Cleanup

Use the following steps to avoid incurring any further costs.

1. Terminate the Amazon Linux 2 instance that you created.
2. Release the Elastic IP address that you allocated.
3. Revert any DNS changes that you made, including the A and TXT records.

Conclusion

Amazon Linux 2 là một lựa chọn tuyệt vời để lưu trữ các trang web thông qua ngăn xếp LAMP được cung cấp bởi tính năng Amazon-Linux-Extras. Sau đó, bạn có thể tăng cường bảo mật của máy chủ web Apache bằng cách cài đặt EPEL và Let’s Encrypt. Let’s Encrypt cung cấp chứng chỉ SSL / TLS, tùy chọn cài đặt chứng chỉ đó cho bạn trên máy chủ Apache và cho phép mã hóa dữ liệu trong quá trình chuyển tiếp.