Yesterday, we saw how to easily deploy Moodle to OCI with MDS.
Today we will see how to enable HTTPS on that newly created website. In this post we use Moodle, but the process is exactly the same for other solutions.
The first thing to do is to register a DNS name for the Moodle instance that points to the public IP of the Moodle Compute Instance. For this example, I will use moodle.lefred.be.
The next step is to connect to the Moodle compute instance over SSH to generate the required SSL certificate. We first create a key file on our machine (laptop) into which we paste the ssh_private_key that we can copy from the OCI Dashboard in the Resource Manager Stack's output:
$ vi moodle.key
<-- we copy the content of the key -->
$ chmod 600 moodle.key
$ ssh -i moodle.key opc@moodle.lefred.be (or the public IP)
[opc@moodleserver1 ~]$
Now we will use Let's Encrypt's certbot to generate the certificate:
[opc@moodleserver1 ~]$ sudo certbot certonly -d moodle.lefred.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xxxx@xxxx.xx
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
...
Account registered.
Requesting a certificate for moodle.lefred.be
Performing the following challenges:
http-01 challenge for moodle.lefred.be
Input the webroot for moodle.lefred.be: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/moodle.lefred.be/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/moodle.lefred.be/privkey.pem
Your certificate will expire on 2021-08-21. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Yeah! We now have a valid certificate we can use.
The first thing we are going to do is force all requests to use https (except the challenge used to renew the certificate). In /etc/httpd/httpd.conf we add the following lines:
RewriteEngine On
RewriteCond %{SERVER_NAME} =moodle.lefred.be
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]
We can now reference the newly generated certificate in /etc/httpd/conf.d/ssl.conf:
Under the commented line #ServerName www.example.com:443 we add:
ServerName moodle.lefred.be:443
And we replace the certificate locations with something like this:
SSLCertificateFile /etc/letsencrypt/live/moodle.lefred.be/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/moodle.lefred.be/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/moodle.lefred.be/chain.pem
Before restarting Apache, we need to tell Moodle to use the new name and https. In /var/www/html/config.php we change the value of $CFG->wwwroot:
$CFG->wwwroot = 'https://moodle.lefred.be';
It’s time now to restart Apache:
[opc@moodleserver1 ~]$ sudo systemctl restart httpd
We can finally open our Moodle site in our browser:
As you can see, it’s also very easy to use https with the applications we deployed on OCI.
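The three files edited above must agree on the host name, and a mismatch only shows up after the restart. The following check is an added example, not part of the original post: it verifies that the redirect keeps its ACME exemption and that ssl.conf and config.php use the same name. The function names and the constructed sample files are assumptions for illustration.

```shell
# Added example, not from the original post; helper names are hypothetical.
# check_https_config DOMAIN HTTPD_CONF SSL_CONF CONFIG_PHP
# Prints one FAIL line per problem; returns 0 if clean, 1 otherwise.

# Value of the first uncommented occurrence of an Apache directive.
directive() { awk -v k="$1" '$1 == k { print $2; exit }' "$2"; }

check_https_config() {
    domain=$1; httpd_conf=$2; ssl_conf=$3; config_php=$4
    live="/etc/letsencrypt/live/$domain"; rc=0
    # The ACME exemption must precede the rule that redirects to https.
    awk '$1 ~ /^#/ { next }
         /RewriteCond.*REQUEST_URI.*!.*acme-challenge/ { cond = 1 }
         /RewriteRule.*https:/ { ok = cond; exit }
         END { exit (ok ? 0 : 1) }' "$httpd_conf" ||
        { echo "FAIL: no https redirect with acme-challenge exemption"; rc=1; }
    # ServerName and the three certificate paths must all use this name.
    for pair in ServerName:"$domain:443" SSLCertificateFile:"$live/cert.pem" \
                SSLCertificateKeyFile:"$live/privkey.pem" \
                SSLCertificateChainFile:"$live/chain.pem"; do
        key=${pair%%:*}; want=${pair#*:}; got=$(directive "$key" "$ssl_conf")
        [ "$got" = "$want" ] ||
            { echo "FAIL: $key is '$got', expected '$want'"; rc=1; }
    done
    # Moodle builds its links from wwwroot; the last assignment wins.
    root=$(sed -n "s/^[[:space:]]*\$CFG->wwwroot[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
           "$config_php" | tail -n 1)
    [ "$root" = "https://$domain" ] ||
        { echo "FAIL: wwwroot is '$root', expected 'https://$domain'"; rc=1; }
    return "$rc"
}

# Constructed sample files for a dry run: make_sample DIR WWWROOT
make_sample() {
    l=/etc/letsencrypt/live/moodle.lefred.be
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{SERVER_NAME} =moodle.lefred.be' \
        'RewriteCond %{REQUEST_URI} !.well-known/acme-challenge' \
        'RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]' \
        > "$1/httpd.conf"
    printf '%s\n' '#ServerName www.example.com:443' \
        'ServerName moodle.lefred.be:443' "SSLCertificateFile $l/cert.pem" \
        "SSLCertificateKeyFile $l/privkey.pem" \
        "SSLCertificateChainFile $l/chain.pem" > "$1/ssl.conf"
    printf "<?php\n\$CFG->wwwroot   = '%s';\n" "$2" > "$1/config.php"
}

# With four arguments, check real files; otherwise only define the functions.
if [ "$#" -eq 4 ]; then check_https_config "$@"; fi
```

Saved as a script, it takes the domain and the three file paths from this post as arguments and can be run before `sudo systemctl restart httpd`.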