Adding SSL to a Bitnami Ghost instance

Like many other people who run websites, I fully embrace encryption. It's a great idea for any website. I was embarrassed that it took as long as it did to get SSL up and running on this blog, but I finally did it. Here's how in case anyone else had to struggle with it as much as I did.

Here are the steps I followed.

1. Install certbot

This part was pretty simple. In fact, the instructions for it are available on the certbot website, where you pick your web server and operating system. If you're installing on a Bitnami Ghost instance, Apache on Debian 8 (jessie) is the right combination to choose.

The command to install Certbot on your instance is:

$ sudo apt-get install python-certbot-apache -t jessie-backports

2. Turn off Apache

This was arguably the only part that caused me some head scratching. To prove you control the domain, certbot answers Let's Encrypt's validation request on port 80, so it needs to bind 0.0.0.0:80 itself. If your web server is still listening on that port, the bind fails.

On a Bitnami Ghost instance, the command to stop Apache completely is:

$ sudo /opt/bitnami/ctlscript.sh stop apache

Getting port 80 back is as easy as that one-liner!

3. Generate the Certificate

Again, this is a simple one-liner command and certbot will do all the work for you. The command you want to run is:

$ certbot --apache certonly

4. Copy Certificate files to the correct location

Since certbot does not write the certs where Bitnami's custom Apache install expects them, there's a little bit of work left to do. Really the only work is copying the two .pem files into your Apache configuration directory.

The directory which certbot generates the certificate in is /etc/letsencrypt/live/<DOMAIN>/. Once in this directory, there will be four files. The files which need to be copied over are fullchain.pem and privkey.pem.

The location within bitnami of the apache install is /opt/bitnami/apache2/. So the commands to copy over the files were:

$ cp /etc/letsencrypt/live/<DOMAIN>/fullchain.pem /opt/bitnami/apache2/conf/server-ca.crt
$ cp /etc/letsencrypt/live/<DOMAIN>/privkey.pem /opt/bitnami/apache2/conf/server.key

Since the copied files don't necessarily have the correct permissions, you will also need to chown and chmod them so that root owns the certs and is the only user able to read them (the private key in particular must not be world-readable). The commands for this are:

$ sudo chown root:root /opt/bitnami/apache2/conf/server*
$ sudo chmod 600 /opt/bitnami/apache2/conf/server*

5. Add flag to apache configuration

To tell Apache to start using the key you copied and serve HTTPS traffic, there is one directive that needs to be added to the Apache configuration file.

The configuration file is located at /opt/bitnami/apache2/conf/bitnami/bitnami.conf. Simply open this file and add this directive: SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

6. Restart Apache

Once the cert has been generated and apache configuration updated, the site is ready to serve HTTPS traffic. To restart apache just run:

$ sudo /opt/bitnami/ctlscript.sh restart apache

After this, you should be able to reload your blog and see that awesome green https before the domain name. It feels good!
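As an added example (not from this post, and not Bitnami's or certbot's own tooling), the following POSIX sh script strings steps 2 to 6 together and, before restarting Apache, checks three things that silently break a site when they are wrong: that the copied certificate and private key actually belong together, that the key is mode 600, and that bitnami.conf names the key file as step 5 requires. Paths default to the ones used in the post; the DOMAIN argument, the CERT_OWNER variable and every function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the post. Defaults follow the post's paths;
# every variable can be overridden from the environment for testing.
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
APACHE_CONF="${APACHE_CONF:-/opt/bitnami/apache2/conf}"
BITNAMI_CONF="${BITNAMI_CONF:-$APACHE_CONF/bitnami/bitnami.conf}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
CERT_OWNER="${CERT_OWNER:-root:root}"   # assumed owner, as in step 4

# Step 4: copy fullchain/privkey for one domain into the Bitnami Apache conf
# directory and restrict both files to their owner (mode 600).
install_certs() {
  domain="$1"
  cp "$LE_LIVE/$domain/fullchain.pem" "$APACHE_CONF/server-ca.crt" || return 1
  cp "$LE_LIVE/$domain/privkey.pem"   "$APACHE_CONF/server.key"    || return 1
  chmod 600 "$APACHE_CONF/server-ca.crt" "$APACHE_CONF/server.key"
}

# Returns 0 only if the file is mode 600 exactly (nobody but the owner reads it).
perms_ok() {
  [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# Returns 0 if the certificate and private key belong together: the public key
# embedded in the cert must equal the public half derived from the key file.
# Works for RSA and ECDSA keys because both are compared as SPKI PEM blocks.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Returns 0 if the config contains the step 5 directive for this key path
# (single space between directive and quoted path, as written in the post).
conf_references_key() {
  grep -qF "SSLCertificateKeyFile \"$2\"" "$1"
}

# Steps 2, 3, 4, 5 (check only) and 6 in order. Apache is not restarted if
# any check fails, so a bad copy cannot take the site down.
deploy() {
  domain="$1"
  "$CTLSCRIPT" stop apache || return 1                  # free port 80
  certbot --apache certonly -d "$domain" || return 1    # issue the cert
  install_certs "$domain" || return 1
  chown "$CERT_OWNER" "$APACHE_CONF/server-ca.crt" "$APACHE_CONF/server.key" || return 1
  cert_matches_key "$APACHE_CONF/server-ca.crt" "$APACHE_CONF/server.key" \
    || { echo "certificate and key do not match" >&2; return 1; }
  perms_ok "$APACHE_CONF/server.key" \
    || { echo "server.key is not mode 600" >&2; return 1; }
  conf_references_key "$BITNAMI_CONF" "$APACHE_CONF/server.key" \
    || { echo "bitnami.conf lacks the SSLCertificateKeyFile directive" >&2; return 1; }
  "$CTLSCRIPT" restart apache
}

# Usage: sh deploy-ssl.sh deploy <DOMAIN>   (run as root on the instance)
if [ "${1:-}" = "deploy" ]; then
  deploy "$2"
fi
```

The match check is the one most worth keeping even if you do everything else by hand: Apache logs a key mismatch only at startup, and on a Bitnami box that log is easy to miss, so verifying the pair before the restart saves a confusing outage.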

I struggled with a couple steps of this and hope that this blog post helps someone in the future. Everyone should secure their websites. Generally certbot makes this very easy, but there are some things I had to learn along the way like where to put the cert files and the apache configuration changes. Hope this saves someone having to search through 10+ StackOverflow posts like I did!