09Sep

Junior dev and SSL certificate

Salt Square 0
28
INTRODUCTION

One day your manager tells you, a junior developer, “We need to add an SSL certificate to this project. The senior devs are busy so you’ll need to do it. Here’s the domain and please finish it by the afternoon.” You do not know what an SSL certificate is, where it’s supposed to be added, what the project is about, what the issue is. But, supported by the fact you are quite good at Googling and deductive reasoning your way into getting stuff done, you say “Yeah sure, no problem.”. So off we go… 

First, we google “SSL certificates”. 

AWS: What is an SSL/TLS certificate? 

An SSL/TLS certificate is a digital object that allows systems to verify the identity & subsequently establish an encrypted network connection to another system using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. 

 

SSL/TLS certificates thus act as digital identity cards to secure network communications, establish the identity of websites over the Internet as well as resources on private networks. 

 

SSL/TLS certificates establish trust among website users. Businesses install SSL/TLS certificates on web servers to create SSL/TLS-secured websites. The characteristics of an SSL/TLS-secured webpage are as follows:  

  • A padlock icon and green address bar on the web browser  
  • An https prefix on the website address on the browser  
  • A valid SSL/TLS certificate. You can check if the SSL/TLS certificate is valid by clicking and expanding the padlock icon on the URL address bar  
  • Once the encrypted connection has been established only the client & the webserver can see the data that is sent. 

Navigating to the domain you’ve been provided with, takes you to a “This site can’t be reached” page. You’ve received the info that the domain has been purchased and verified. 

You go to the company’s AWS, check the EC2 instances and see there are two for the app in question – one labelled “dev” and one labelled “prod”. 

Now, I know we deploy using AWS and EC2. But what exactly does that mean and how is that useful to me?  

After skim reading through articles that came up after making google searches such as “web deployment process simple steps”, “ec2 in deployment process”, “connecting domain name to server”, “connecting domain to ec2”, and then probing ChatGPT with specific questions for things I’ve come across and could not properly place into context, I’ve come to the following super simple generalization of the deployment process using AWS: 

  • Setting up an EC2 instance.  
  • Uploading the code. 
  • Configuring the security group and key pair. The security group acts as a “firewall” for the EC2 instance – controlling inbound and outbound traffic to and from the instance. The key provides secure access to the instance. 
  • Setting up a domain – purchasing one through a domain register. 
  • Configuring domain DNS. This establishes a link between the domain name and server so that when users enter the domain name in their browser, the DNS system resolves the domain name to the correct IP address and routes them to the correct server, in our case – the EC2 instance. 
  • Installing an SSL certificate on the EC2 instance. This is needed for a secure connection – to enable HTTPS. 

One more simple search: “What happens if there is no SSL certificate?” 

  • When users enter the domain name, DNS system routes them to the EC2 instance’s public IP address. 
  • Without the certificate, the communication between the user and the instance will not be encrypted – any data transferred between the two can be intercepted and read by third parties. 
  • A “Not secure” warning is displayed. 

So, what can we deduce from this? 

  • We need to fix the routing between the domain name and the instance and enable the user access to the page. 
  • We need to add an SSL certificate to enable accessing the page through a secure HTTPS connection. 

I waddle to a senior’s office, ask for a minute of his time, give a quick run-down of my current situation, of what I think I am supposed to do, questioning if I am going in the right direction and get these two terms back: “NGINX” and private IPv4 address. 

And yet again, Google, my friend, answers my question: “nginx ssl certificate?” with a myriad of articles with the information I require. 

What I ended up doing is the following: 
Connecting to the EC2 instance

First, I tried to connect via SSH. However, I was missing the SSH keys so, instead, I connected directly through the EC2 instance connect client. This client is a browser based SSH connection that starts up a terminal with an Amazon Linux 2023 (AL2023) distribution as the underlying operating system. 

Installing NGINX as a reverse proxy

NGINX, in this context, is a server that “is between” the users (clients) and the web app (the server). It forwards client requests to the appropriate server (the EC2 instance) and returns the response to the client.  

Most of the info online pointed to using yum as the software management tool but AL2023 has replaced yum with dnf. After simply modifying the commands, I installed NGINX and then opened the NGINX configuration file. I configured it for our app’s domain name, the private IPv4 address of the EC2 instance and the port our service was running on. 

After this, the routing issue has been fixed and I was able to access the app through the domain, albeit with the “Not Secure” warning. 

sudo su 
dnf install nginx 
systemctl enable nginx && systemctl start nginx 
nano /etc/nginx/nginx.conf 
nginx -t (to test the configuration) 
systemctl restart nginx 

The configuration file: 

server { 

        listen       80; 

        listen       [::]:80; 

        server_name  <YOUR_DOMAIN>; 

        location / { 

            proxy_pass http://<EC2_PRIVATE_IPV4_ADDRESS>:5555; 

            proxy_http_version 1.1; 

            proxy_set_header Upgrade $http_upgrade; 

            proxy_set_header Connection ‘upgrade’; 

            proxy_set_header Host $host; 

            proxy_cache_bypass $http_upgrade; 

        } 

    } 

Installing and configuring Certbot 

What was left to do was enable HTTPS. 

Certbot is a tool for obtaining and managing SSL/TLS certificates. It’s a client that simplifies the process of using the Let’s Encrypt service – a service offering free SSL certificates through an automated API. 

I used pip to install certbot and the certbot-nginx plugin. Using Certbot, I obtained a certificate and then relied on Certbot to automatically modify the NGINX configuration and enable HTTPS. There is a certificate generation wizard that takes the user through the necessary steps to accomplish that. After that, our app was accessible via HTTPS using our domain name. 

pip install certbot certbot-nginx 
ln -s /opt/certbot/bin/certbot /usr/bin/certbot 
certbot --nginx 

As an extra step (because why not?) I also added an automatic renewal of the certificate, as a cron job on the EC2 instance. A cron job is a job scheduler in Unix-like OSs. Basically, a user schedules jobs (commands or scripts) to run at specific times and take care of a repetitive process. 

dnf install cronie -y 
systemctl enable crond.service 
systemctl start crond.service 
systemctl status crond.service 
crontab –e 

And then added the following to the created file: 

0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew –q 

CONCLUSION

The task was completed. To be honest, I was not perfectly sure of what it was that I did but I was delighted it worked. For the moment, delivering within the deadline was the priority. However, once that was over, I went surfing online to give myself more context to everything and put things I’ve done and encountered into place. The subject is too great to claim I now know everything, but I have learned something useful and will be going into similar things in the future with more than just my enthusiasm. 

Salt Square