Monday, December 2, 2019

Free SSL Certificates In The Oracle Cloud Using CertBot And Let's Encrypt

If you're deploying your web site or application on the Oracle Cloud, chances are pretty high that you're going to be using HTTPS to secure your connections. And if you're not deploying your site with HTTPS, you should be. Most browsers nowadays flag an HTTP-only site as "Not Secure", and for good reason: anything you enter on such a site travels in cleartext and can be read, or altered, by anyone on the network path.

To illustrate this point really simply, take a simple login form on an insecure (HTTP) site. When we post that form, everything in the request, including the username and password, is sent in cleartext. This means that anyone who may be "listening" on that network can read your credentials, and anyone in the middle can change the response on its way back to you.
But when we post that form over TLS (HTTPS), the data is encrypted in transit, so someone listening in on this "conversation" hears only ciphertext. TLS also authenticates the server to the browser, and that is what the certificate we're about to create is for: it ties your domain name to the key your server presents.
Of course, I'm greatly simplifying things here to illustrate my point, but in practice this is exactly why you should be using HTTPS on all of your sites and applications.
Clearly, we want to use SSL/TLS, so the next question is: how? For this we need to get a certificate and configure our application to use that cert. To generate our cert we'll be using a program called CertBot, an ACME client that obtains a free, browser-trusted cert from a service called Let's Encrypt. There aren't a lot of steps to do this, but in my personal experience it can be tricky to get working in certain environments and with certain application deployment strategies. In this guide I'll show you how to install CertBot in an Oracle Linux instance in the Oracle Cloud. You might be using an "always free" VM, or any other shape - it doesn't matter. Follow the instructions below and get your cert generated, set up for automatic renewal and deployed to your site in minutes.
But I'm Not Using Oracle Linux!

That's totally cool - we offer many other OS images and the steps below should work for pretty much any *nix variant since we're using the generic instructions from CertBot that aren't specific to a certain distribution.
Here are the steps we'll take: create your VM, point a domain name at it and open port 80, install CertBot, create a certificate, schedule renewal, and deploy the certificate to your site.

Create Your VM

To create an "always free" VM, click 'Create a VM instance' from the Oracle Cloud console.
Give your instance a name and choose the image source. 
Make sure the Availability Domain, Instance Type and instance shape are all "always free eligible".
Make sure 'Assign a public IP address' is selected (it is not selected by default):
Add a public SSH key.
Click 'Create' and your VM will be shown in a 'Provisioning' state:
When it is provisioned, grab your public IP:

Before You Get Started

Before you can create a certificate for your application, you'll need a domain name pointing at your public IP address: Let's Encrypt only issues certs for names it can verify, and the verification below is done by connecting to that name over HTTP. Follow the instructions for your domain name host to create an A record for your domain with the VM's public IP, and confirm the name actually resolves to that IP (with dig or nslookup, for example) before moving on. Here's what that might look like using Route 53:
Before we move on, make sure that port 80 is open in your subnet's security list and in the VM firewall. During certificate creation, Let's Encrypt connects to port 80 on your domain name to complete the http-01 challenge, and both the default security list and the Oracle Linux firewall block everything but SSH out of the box.
From the VM details page, click on the subnet:
Choose 'Security Lists' from the subnet details sidebar:
Select the security list:
And add an ingress rule for port 80:
Next, run the following to open up port 80 on the VM firewall (the --permanent rule survives reboots; the reload applies it now):
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo firewall-cmd --reload
 

Installing CertBot

Heads Up! If you've skipped ahead, are you sure that port 80 is open on the VM and in your VM's security list?
We can now SSH into our VM and begin the install process for CertBot. As I mentioned above, we'll use the generic "Other UNIX" instructions from CertBot to avoid any potential issues that may arise with distribution specific installations.
Run the following commands to install CertBot. The same instructions also publish a detached GPG signature for the download (certbot-auto.asc); verify it before moving the script into place, because certbot-auto runs as root and upgrades itself:
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
You're now ready to create a cert.

Creating A Certificate

Since we haven't yet installed a webserver, let's run CertBot in standalone mode. It will spin up a temporary webserver on port 80 during this process, so nothing else may be listening there (Node-RED's default port, 1880, doesn't conflict):
sudo /usr/local/bin/certbot-auto certonly --standalone
The first time you run CertBot you'll need to provide some info that is used when the cert is generated:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o:
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): node-red.toddrsharp.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for node-red.toddrsharp.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/node-red.toddrsharp.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/node-red.toddrsharp.com/privkey.pem
Your cert will expire on 2020-01-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Congrats, you've generated your free certificate! Now, let's copy the new certs to another directory. In this example, I'm going to use the cert to secure an instance of Node-RED that I have spun up in an "always free" VM, so I'll copy them to the proper directory for that. /etc/letsencrypt/live is readable only by root, so the copy needs sudo, and the copies then need to be handed to the opc user that runs Node-RED, keeping the private key readable by that user alone:
mkdir -p ~/.node-red/certs
sudo cp /etc/letsencrypt/live/node-red.toddrsharp.com/*.pem /home/opc/.node-red/certs/
sudo chown opc:opc /home/opc/.node-red/certs/*.pem
sudo chmod 600 /home/opc/.node-red/certs/privkey.pem
We'll want this to happen every time the certs are renewed, so create a script at /etc/letsencrypt/renewal-hooks/deploy/copy-certs, populate it with the script below and make it executable (chmod 755), otherwise CertBot skips it. Executable files in the "deploy" directory are run, as root, after each successful renewal, so the script itself needs no sudo:
#!/bin/bash
# Runs as root after a successful renewal; copies the fresh files to the app's directory
domain=[your domain name]
node_dir=/path/to/cert/copy/dir
node_user=opc
cp /etc/letsencrypt/live/"$domain"/*.pem "$node_dir"/
chown "$node_user" "$node_dir"/*.pem
chmod 600 "$node_dir"/privkey.pem
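A more general version of the deploy hook, as an added example that is not from the original post. It uses the RENEWED_LINEAGE and RENEWED_DOMAINS environment variables that CertBot exports to deploy hooks, so neither the domain nor the live path has to be hard-coded, installs each file with the right mode and owner in one step, and only restarts Node-RED when its own cert was the one renewed. It also covers the manual copy shown just before the hook. The domain, target directory, owner and the systemd unit name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Certbot runs this as root after
# each successful renewal and exports RENEWED_LINEAGE (the live/<domain>
# directory) and RENEWED_DOMAINS (space-separated names on the renewed cert).
# The domain, target directory, owner and unit name below are placeholders.
set -eu

# install_certs LINEAGE_DIR TARGET_DIR OWNER
# Copies the four PEM files: public parts 0644, private key 0600, all owned by
# OWNER. Each file is written under a temporary name and renamed into place so
# a process reading the directory never sees a partially written key.
install_certs() {
    lineage="$1"; target="$2"; owner="$3"
    mkdir -p "$target"
    for f in fullchain.pem chain.pem cert.pem privkey.pem; do
        if [ ! -f "$lineage/$f" ]; then
            echo "missing $lineage/$f" >&2
            return 1
        fi
        mode=0644
        if [ "$f" = privkey.pem ]; then
            mode=0600
        fi
        # install(1) copies and applies mode and owner in one step
        install -m "$mode" -o "$owner" "$lineage/$f" "$target/.$f.tmp"
        mv -f "$target/.$f.tmp" "$target/$f"
    done
}

# renewed_includes DOMAIN "NAME NAME ..." -> exit 0 if DOMAIN is in the list
renewed_includes() {
    for d in $2; do
        if [ "$d" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

main() {
    domain="node-red.example.com"          # placeholder: your Node-RED hostname
    target="/home/opc/.node-red/certs"     # placeholder: where Node-RED reads the PEMs
    owner="opc"                            # placeholder: user Node-RED runs as
    if renewed_includes "$domain" "${RENEWED_DOMAINS:-}"; then
        install_certs "${RENEWED_LINEAGE:?set by certbot}" "$target" "$owner"
        # Node-RED reads the files only at startup, so restart it to load the new cert
        systemctl restart node-red || echo "restart node-red manually" >&2
    fi
}

# Run only when certbot invokes the hook (the variables are unset otherwise)
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook restarts Node-RED itself, the --pre-hook/--post-hook pair in the cron entry below becomes unnecessary for this setup; deploy hooks also fire only for certs that actually renewed, so an unrelated cert on the same box won't bounce the service.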
Now let's schedule the cert to automatically renew before it expires.

Scheduling Certificate Renewal

Scheduling renewal is easy. Create a CRON task that runs CertBot twice a day; the random sleep spreads load on Let's Encrypt, and certbot-auto renew only actually renews certs that are within 30 days of expiry, so running it this often is harmless:
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null
If you want to stop a running webserver before renewal and start it after renewal, use --pre-hook and --post-hook. These only run when a cert is actually due for renewal. Stopping Node-RED isn't needed to free port 80 (it listens on 1880), but the restart is what makes it load the renewed cert, since it reads the files only at startup. If you don't have the node-red-stop and node-red-start helper commands, substitute whatever stops and starts your instance:
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew --pre-hook 'node-red-stop' --post-hook 'node-red-start'" | sudo tee -a /etc/crontab > /dev/null
Your certs will now be automatically renewed! Before relying on that, run sudo /usr/local/bin/certbot-auto renew --dry-run once: it exercises the renewal (pre- and post-hooks included; deploy hooks are skipped) against Let's Encrypt's staging environment without touching your real cert, and it will fail loudly if port 80 or DNS is wrong.
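The cron job is silent, so a failing renewal goes unnoticed until the cert expires. Below is an added example (not from the original post) of the checks a practitioner would run by hand after setup and then from cron: the private key must match the certificate, fullchain.pem must carry the intermediate, and since certbot-auto renew renews anything within 30 days of expiry, a cert with fewer than 28 days left means renewal has been failing for a couple of days. It assumes openssl(1) is installed and the /etc/letsencrypt/live/<domain>/ layout shown earlier; the domain in the last line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: post-renewal sanity checks.
# Assumes openssl(1) and the /etc/letsencrypt/live/<domain>/ file layout.
set -eu

# cert_valid_for_days CERT DAYS -> exit 0 if CERT is still valid DAYS from now
# (openssl's -checkend exits non-zero when the cert expires within that window)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_matches_cert CERT KEY -> exit 0 if KEY's public key is the one in CERT
# Both commands print the SubjectPublicKeyInfo as PEM, so a string compare works.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# pem_cert_count FILE -> number of certificates in a PEM bundle (0 if missing)
pem_cert_count() {
    n=$(grep -c 'BEGIN CERTIFICATE' "$1" 2>/dev/null) || n=${n:-0}
    echo "$n"
}

# check_lineage DIR -> runs every check on a live/<domain> directory,
# reports each failure on stderr and exits non-zero if any failed
check_lineage() {
    dir="$1"; failed=0
    if ! key_matches_cert "$dir/cert.pem" "$dir/privkey.pem"; then
        echo "$dir: privkey.pem does not match cert.pem" >&2; failed=1
    fi
    if [ "$(pem_cert_count "$dir/fullchain.pem")" -lt 2 ]; then
        echo "$dir: fullchain.pem has no intermediate; serve fullchain.pem, not cert.pem" >&2; failed=1
    fi
    if ! cert_valid_for_days "$dir/cert.pem" 28; then
        echo "$dir: fewer than 28 days left, renewal is not happening" >&2; failed=1
    fi
    return $failed
}

# Placeholder domain; run as root (live/ is root-only) by hand or from cron
if [ "${1:-}" = "--run" ]; then
    check_lineage /etc/letsencrypt/live/node-red.example.com
fi
```

Run it as `sudo sh check-certs.sh --run` after the first renewal and then daily from cron with MAILTO set, so a non-zero exit reaches you; the same check pointed at the copied directory under ~/.node-red/certs confirms the deploy hook actually ran.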

Deploying A Site With Your New Certificate

This step can vary widely depending on your application and how it is deployed, but essentially at this point you have legitimate certificates that can be used with your application. Since I recently blogged about creating an instance of Node-RED, let's take a look at how you might use these certs to secure a Node-RED instance.
Find your settings.js file - with a default install it will be located at ~/.node-red/settings.js. Open this file up and make the changes below.
Step 1:  Uncomment to include the 'fs' module:
var fs = require("fs");
Step 2: Uncomment the https object and update the paths for the key and cert to point at our new cert. Use fullchain.pem rather than cert.pem: cert.pem holds only your leaf certificate, and a client that doesn't already have the Let's Encrypt intermediate cached would fail to build the chain. Node's TLS stack accepts the leaf and intermediate concatenated in the cert field:
https: {
    key: fs.readFileSync('/home/opc/.node-red/certs/privkey.pem'),
    // fullchain.pem = leaf certificate followed by the intermediate
    cert: fs.readFileSync('/home/opc/.node-red/certs/fullchain.pem')
},
Step 3:  Uncomment (if necessary) and set requireHttps to true so that plain HTTP requests are redirected to HTTPS. You can now restart Node-RED and your instance will be running on HTTPS!

Footnote

Note:  You may have come across this guide in the past when trying to configure your certs on Oracle Linux. Unfortunately, it seems that something has changed since that article was published. When you try to follow the instructions in Tim's post on Oracle Linux 7.7 you end up with the following exception:
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
Trying to resolve this issue only led to further issues with other Python dependencies, so I decided to follow the generic "Other UNIX" instructions via the CertBot site. This led to an error free install and seems to be the safest and most "future-proof" route for installing CertBot. 
Photo by James Sutton on Unsplash
