If you're deploying your web site or application on the Oracle Cloud, chances are pretty high that you're going to be using HTTPS to secure your connections. And if you're not deploying your site with HTTPS, you should be. Most browsers nowadays will flag your HTTP only site as "Not Secure" which means the data that you enter on such sites can be easily intercepted by someone listening.
To illustrate this point really simply, take a simple login form on an insecure (HTTP) site. When we post our login form on this site, all of the data that we send through with that request is sent in plain text. This means that anyone who may be "listening" on that network can easily see your credentials.
But when we use TLS (HTTPS) to post that form, the data is encrypted so that it is protected in transport. Someone listening in on this "conversation" would hear total gibberish.
Of course, I'm greatly simplifying things here to illustrate my point, but in practice this is exactly why you should be using HTTPS on all of your sites and applications.
Clearly, we want to use SSL/TLS, so the next question is: how? For this we need to get a certificate and configure our application to use that cert. To generate our cert we'll be using a program called CertBot that generates a free cert via a service called Let's Encrypt. There aren't a lot of steps to do this, but in my personal experience it can be tricky to get working in certain environments and with certain application deployment strategies. In this guide I'll show you how to install CertBot in an Oracle Linux instance in the Oracle Cloud. You might be using an "always free" VM, or any other shape - it doesn't matter. Follow the instructions below and get your cert generated, setup for automatic renewal and deployed to your site in minutes.
But I'm Not Using Oracle Linux! That's totally cool - we offer many other OS images and the steps below should work for pretty much any *nix variant since we're using the generic instructions from CertBot that aren't specific to a certain distribution.
Here are the steps we'll take. If you need to jump past a section, use the links below.
To create an "always free" VM, click 'Create a VM instance' from the Oracle Cloud console.
Give your instance a name and choose the image source.
Make sure the Availability Domain and Instance Type are both "always free eligible".
As well as the instance shape.
Make sure 'Assign a public IP address' is selected (it is not selected by default):
Add a public SSH key.
Click 'Create' and your VM will be shown in a 'Provisioning' state:
When it is provisioned, grab your public IP:
Before you can create a certificate for your application, you'll need a domain name to be associated with your public IP address. Follow the instructions for your domain name host to point a domain name at your public IP. Here's what that might look like using Route 53:
Before we move on, make sure that port 80 is open in your security list and in the VM firewall. CertBot will need this open to verify your machine during certificate creation.
From the VM details page, click on the subnet:
Choose 'Security Lists' from the subnet details sidebar:
Select the security list:
And add an ingress rule for port 80:
Next, run the following to open up port 80 on the VM firewall:
Heads Up! If you've skipped ahead, are you sure that port 80 is open on the VM and in your VM's security list?
We can now SSH in to our VM and begin the install process for CertBot. As I mentioned above, we'll use the generic "Other UNIX" instructions from CertBot to avoid any potential issues that may arise with distribution specific installations.
Run the following commands to install CertBot:
You're now ready to create a cert.
Since we haven't yet installed a webserver, let's run CertBot in standalone mode. It will spin up a temporary webserver during this process:
The first time you run CertBot you'll need to provide some info that is used when the cert is generated:
Congrats, you've generated your free certificate! Now, let's move the new certs to another directory. In this example, I'm going to use the cert to secure an instance of Node-RED that I have spun up in an "always free" VM, so I'll move them to the proper directory for that:
We'll want this to happen every time the certs are renewed, so create a script at
/etc/letsencrypt/renewal-hooks/deploy/copy-certs and populate it with the script below. Files contained in the "deploy" directory will be executed after each successful renewal.
Now let's schedule the cert to automatically renew before it expires.
Scheduling renewal is easy. Create a CRON task to run CertBot:
If you want to stop a running webserver before renewal and start it after renewal, use
Your certs will now be automatically renewed!
This step can vary widely depending on your application and how it is deployed, but essentially at this point you have legitimate certificates that can be used with your application. Since I recently blogged about creating an instance of Node-RED, let's take a look at how you might use these certs to secure a Node-RED instance.
settings.js file - with a default install it will be located at
~/.node-red/settings.js. Open this file up and make the changes below.
Step 1: Uncomment to include the '
Step 2: Uncomment the https object and update the paths for the key and cert to point at our new cert:
Step 3: Uncomment (if necessary) and update the
requireHttps value to be
true. You can now restart node-red and your instance will be running on HTTPS!
Note: You may have come across this guide in the past when trying to configure your certs on Oracle Linux. Unfortunately, it seems that something has changed since that article was published. When you try and follow the instructions in Tim's post when using Oracle Linux 7.7 you'd end up with the following exception:
ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.
Trying to resolve this issue only led to further issues with other Python dependencies, so I decided to follow the generic "Other UNIX" instructions via the CertBot site. This led to an error free install and seems to be the safest and most "future-proof" route for installing CertBot.