Enable https for our Moodle

Yesterday, we saw how to easily deploy Moodle to OCI with MDS.

Today we will see how to enable https for that newly created website. This post uses Moodle, but the process is exactly the same for other solutions.

The first thing to do is register a DNS name for the Moodle instance that points to the public IP of the Moodle compute instance:

For this example, I will use moodle.lefred.be.

The next step is to connect to the Moodle compute instance over SSH to generate the required SSL certificate. We first create a key file on our machine (laptop) and paste into it the ssh_private_key, which we can copy from the OCI Dashboard in the Resource Manager Stack’s output:

$ vi moodle.key
<-- we copy the content of the key -->
$ chmod 600 moodle.key
$ ssh -i moodle.key opc@moodle.lefred.be   # or use the public IP instead of the name
[opc@moodleserver1 ~]$

Now we will use Let's Encrypt's certbot to generate the certificate:

[opc@moodleserver1 ~]$ sudo certbot certonly -d moodle.lefred.be
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxxx@xxxx.xx            

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
...
Account registered.
Requesting a certificate for moodle.lefred.be
Performing the following challenges:
http-01 challenge for moodle.lefred.be
Input the webroot for moodle.lefred.be: (Enter 'c' to cancel): /var/www/html
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/moodle.lefred.be/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/moodle.lefred.be/privkey.pem
   Your certificate will expire on 2021-08-21. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Yeah! We now have a valid certificate we can use.

The first thing we are going to do is force all requests to use https (except the challenge used to renew the certificate). In /etc/httpd/httpd.conf we add the following lines:

RewriteEngine On
RewriteCond %{SERVER_NAME} =moodle.lefred.be
RewriteCond %{REQUEST_URI} !.well-known/acme-challenge
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent]

We can now reference the newly generated certificate in /etc/httpd/conf.d/ssl.conf:

Under the commented line #ServerName www.example.com:443 we add:

ServerName moodle.lefred.be:443

And we replace the certificate locations with something like this:

SSLCertificateFile /etc/letsencrypt/live/moodle.lefred.be/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/moodle.lefred.be/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/moodle.lefred.be/chain.pem

Before restarting Apache, we need to tell Moodle to use the new name and https. In /var/www/html/config.php we change the value of $CFG->wwwroot:

$CFG->wwwroot   = 'https://moodle.lefred.be';

It’s time now to restart Apache:

[opc@moodleserver1 ~]$ sudo systemctl restart httpd
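
The three files edited above must agree on the host name, and the redirect must keep the ACME challenge path reachable over plain http. The script below is an added example, not part of the original post: it checks those points, and the function name check_https_config is hypothetical, while the file paths in the usage comment are the ones used in this post.

```shell
#!/bin/sh
# Added example, not from the original post: consistency check for the three
# files edited above. Paths are arguments so it can be run against copies.
# Usage: check_https_config HOST HTTPD_CONF SSL_CONF MOODLE_CONFIG
# Prints one FAIL line per problem; returns the number of problems (0 = OK).
check_https_config() {
    host="$1"; httpd_conf="$2"; ssl_conf="$3"; moodle_cfg="$4"
    live="/etc/letsencrypt/live/$host"
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # 1. A redirect to https must exist ...
    awk '$1 == "RewriteRule" && $3 ~ /^https:\/\// { ok = 1 } END { exit !ok }' \
        "$httpd_conf" || fail "no http->https RewriteRule in $httpd_conf"
    # ... and must exempt the ACME http-01 path, or webroot renewal breaks.
    awk '$1 == "RewriteCond" && $3 ~ /^!.*well-known\/acme-challenge/ { ok = 1 }
         END { exit !ok }' "$httpd_conf" \
        || fail "redirect does not exempt .well-known/acme-challenge"

    # 2. The active (uncommented) ServerName must be HOST:443.
    name=$(awk '$1 == "ServerName" { print $2 }' "$ssl_conf")
    [ "$name" = "$host:443" ] || fail "ServerName is '$name', expected $host:443"

    # 3. Certificate and key directives must point into this host's live dir.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        target=$(awk -v d="$d" '$1 == d { print $2 }' "$ssl_conf")
        case "$target" in
            "$live"/*) ;;
            *) fail "$d is '$target', expected a file under $live" ;;
        esac
    done

    # 4. Moodle must build its links with https and the same host name.
    wwwroot=$(sed -n "s/^[[:space:]]*\$CFG->wwwroot[[:space:]]*=[[:space:]]*'\([^']*\)';.*/\1/p" "$moodle_cfg")
    [ "$wwwroot" = "https://$host" ] || fail "wwwroot is '$wwwroot', expected https://$host"

    return "$problems"
}

# Run as: sh check.sh moodle.lefred.be /etc/httpd/httpd.conf \
#             /etc/httpd/conf.d/ssl.conf /var/www/html/config.php
if [ "$#" -eq 4 ]; then check_https_config "$@"; fi
```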

We can finally open our Moodle site in our browser:

As you can see, it’s also very easy to use https with the applications we deployed on OCI.


As MySQL Community Manager, I am an employee of Oracle and the views expressed on this blog are my own and do not necessarily reflect the views of Oracle.

You can find articles I wrote on Oracle’s blog.