AWS Compute Blog

Extending Amazon Linux 2 with EPEL and Let’s Encrypt

This post courtesy of Jeff Levine Solutions Architect for Amazon Web Services

Amazon Linux 2 is the next generation of Amazon Linux, a Linux server operating system from Amazon Web Services (AWS). Amazon Linux 2 offers a high-performance Linux environment suitable for organizations of all sizes. It supports applications ranging from small websites to enterprise-class, mission-critical platforms.

Amazon Linux 2 includes support for the LAMP (Linux/Apache/MariaDB/PHP) stack, one of the most popular platforms for deploying websites. To secure the transmission of data-in-transit to such websites and prevent eavesdropping, organizations commonly leverage Secure Sockets Layer/Transport Layer Security (SSL/TLS) services which leverage certificates to provide encryption. The LAMP stack provided by Amazon Linux 2 includes a self-signed SSL/TLS certificate. Such certificates may be fine for internal usage but are not acceptable when attestation by a certificate authority is required.

In this post, I discuss how to extend the capabilities of Amazon Linux 2 by installing Let’s Encrypt, a certificate authority provided by the Internet Security Research Group. Let’s Encrypt offers basic SSL/TLS certificates for DNS hosts at no charge that you can use to add encryption-in-transit to a single web server. For commercial or multi-server configurations, you should consider AWS Certificate Manager and Elastic Load Balancing.

Let’s Encrypt also requires the certbot package, which you install from EPEL, the Extra Packaged for Enterprise Linux collection. Although EPEL is not included with Amazon Linux 2, I show how you can install it from the Fedora Project.

Walkthrough

At a high level, you perform the following tasks for this walkthrough:

  1. Provision a VPC, Amazon Linux 2 instance, and LAMP stack.
  2. Install and enable the EPEL repository.
  3. Install and configure Let’s Encrypt.
  4. Validate the installation.
  5. Clean up.

Prerequisites and costs

  • To follow along with this walkthrough, you need the following:
  • An AWS account that provides access to Amazon EC2 and Amazon VPC.
  • An Amazon EC2 key pair.
  • A program such as PuTTY that allows you to connect to the Amazon Linux 2 instance using the SSH protocol.
  • Working knowledge of Amazon EC2 and Amazon VPC.
  • The ability to configure DNS entries for a host domain.

You may incur charges for the resources you use including, but not limited to, the Amazon EC2 instance and the associated network charges.

Step 1: Provision a VPC, Amazon Linux 2 instance, and LAMP stack

  1. Create a VPC with a single public subnet, a routing table, and an internet gateway.
  2. Launch an Amazon Linux 2 instance in the VPC that you just created. Make sure that you do the following:
    1. Select the Amazon Linux 2 AMI.
    2. Choose t2.micro for the instance type.
    3. Accept all other default values including with regard to storage.
    4. Create a new security group and accept the default rule that allows TCP port 22 (SSH) from everywhere (0.0.0.0/0 in IPv4). For the purposes of this walkthrough, permitting access from all IP addresses is reasonable. In a production environment, you may restrict access to different addresses.
  3. Allocate and associate an Elastic IP address to the server when it enters the running state.
  4. Install a LAMP stack.
  5. Browse to the Elastic IP address that you just created and confirm that you can see the Apache test page, as illustrated below.

Step 2: Install and enable EPEL

  1. Connect to your Amazon Linux 2 instance at the Elastic IP address that you just created.
  2. Download and install the EPEL repository using the following commands:
    cd /tmp
    wget -O epel.rpm –nv \
    https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    sudo yum install -y ./epel.rpm

    Respond “Y” to all requests for approval to install the software.

Step 3: Install and configure Let’s Encrypt

  1. If you are no longer connected to the Amazon Linux 2 instance, connect to it at the Elastic IP address that you just created.
  2. Install certbot, the Let’s Encrypt client to be used to obtain an SSL/TLS certificate and install it into Apache.
    sudo yum install python2-certbot-apache.noarch

    Respond “Y” to all requests for approval to install the software.
    If you see a message appear about SELinux, you can safely ignore it. This is a known issue with the latest version of certbot.

  3. Create a DNS “A record” that maps a host name to the Elastic IP address. For this post, assume that the name of the host is lamp.example.com. If you are hosting your DNS in Amazon Route 53, do this by creating the appropriate record set.
  4. After the “A record” has propagated, browse to lamp.example.com. The Apache test page should appear. If the page does not appear, use a tool such as nslookup on your workstation to confirm that the DNS record has been properly configured.
  5. You are now ready to install Let’s Encrypt. Let’s Encrypt does the following:
    • Confirms that you have control over the DNS domain being used, by having you create a DNS TXT record using the value that it provides.
    • Obtains an SSL/TLS certificate.
    • Modifies the Apache-related scripts to use the SSL/TLS certificate and redirects users browsing the site in HTTP mode to HTTPS mode.
  6. Use the following command to install certbot:
    sudo certbot -i apache -a manual \
    --preferred-challenges dns -d lamp.example.com

    The options have the following meanings:

    
    -i apache                                          Use the Apache installer.
    -a manual                                          Authenticate domain ownership manually.
    --preferred-challenges dns    Use DNS TXT records for authentication challenge.
    -d lamp.example.com           Specify the domain for the SSL/TLS certificate.
  7. You are prompted for the following information:
    E-mail address for renewals?                Enter an email address for certificate renewals.
    Accept the terms of services?               Respond as appropriate.
    Send your e-mail address to the EFF?    Respond as appropriate.
    Log your current IP address?                Respond as appropriate.
  8. You are prompted to deploy a DNS TXT record with the name “_acme-challenge.lamp.example.com” with the supplied value, as shown below.
  9. After you enter the record, wait until the TXT record propagates. To look up the TXT record to confirm the deployment, use the nslookup command in a separate command window, as shown below. Remember to use the set ty=txt command before entering the TXT record.
    You are prompted to select a virtual host. There is only one, so choose 1. The final prompt asks whether to redirect HTTP traffic to HTTPS. To perform the redirection, choose 2. That completes the configuration of Let’s Encrypt.
  10. To enable HTTPS (TCP port 443) traffic, add a rule to the security group for your Amazon Linux 2 instance.

Step: 4:  Validate the installation

  1. Browse to the http:// lamp.example.com site. You are redirected to the SSL/TLS page https://lamp.example.com.
  2. To look at the encryption information, use the appropriate actions within your browser. For example, in Firefox, you can open the padlock and traverse the menus.
    In the encryption technical details, you can see from the “Connection Encrypted” line that traffic to the website is now encrypted using TLS 1.2.

Security note:  As of the time of publication, this website also supports TLS 1.0. I recommend that you disable this protocol because of some known vulnerabilities associated with it. To do this:

  1. Edit the file /etc/letsencrypt/options-ssl-apache.conf.
  2. Look for the line beginning with SSLProtocol and change it to the following:
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
  3. Save the file. After you make changes to this file, Let’s Encrypt no longer automatically updates it. Periodically check your log files for recommended updates to this file.
  4. Restart the httpd server with the following command:
    sudo service httpd restart

Step 5: Cleanup

Use the following steps to avoid incurring any further costs.

  1. Terminate the Amazon Linux 2 instance that you created.
  2. Release the Elastic IP address that you allocated.
  3. Revert any DNS changes that you made, including the A and TXT records.

Conclusion

Amazon Linux 2 is an excellent option for hosting websites through the LAMP stack provided by the Amazon-Linux-Extras feature. You can then enhance the security of the Apache web server by installing EPEL and Let’s Encrypt. Let’s Encrypt provisions an SSL/TLS certificate, optionally installs it for you on the Apache server, and enables data-in-transit encryption.
You can get started with Amazon Linux 2 in just a few clicks.