Break New Ground

Free SSL Certificates In The Oracle Cloud Using CertBot And Let's Encrypt

If you're deploying your web site or application on the Oracle Cloud, chances are pretty high that you're going to be using HTTPS to secure your connections. And if you're not deploying your site with HTTPS, you should be. Most browsers nowadays will flag your HTTP-only site as "Not Secure", which means the data that you enter on such sites can be easily intercepted by someone listening.

To illustrate this point really simply, take a simple login form on an insecure (HTTP) site. When we post our login form on this site, all of the data that we send through with that request is sent in plain text. This means that anyone who may be "listening" on that network can easily see your credentials.

But when we use TLS (HTTPS) to post that form, the data is encrypted so that it is protected in transport. Someone listening in on this "conversation" would hear total gibberish.

Of course, I'm greatly simplifying things here to illustrate my point, but in practice this is exactly why you should be using HTTPS on all of your sites and applications. 

Clearly, we want to use SSL/TLS, so the next question is: how? For this we need to get a certificate and configure our application to use that cert. To generate our cert we'll be using a program called CertBot that generates a free cert via a service called Let's Encrypt. There aren't a lot of steps to do this, but in my personal experience it can be tricky to get working in certain environments and with certain application deployment strategies. In this guide I'll show you how to install CertBot in an Oracle Linux instance in the Oracle Cloud. You might be using an "always free" VM, or any other shape - it doesn't matter. Follow the instructions below and get your cert generated, set up for automatic renewal and deployed to your site in minutes.

But I'm Not Using Oracle Linux! That's totally cool - we offer many other OS images, and the steps below should work for pretty much any *nix variant since we're using the generic instructions from CertBot that aren't specific to a certain distribution.

Here are the steps we'll take. If you need to jump past a section, use the links below.

Create Your VM

To create an "always free" VM, click 'Create a VM instance' from the Oracle Cloud console.

Give your instance a name and choose the image source. 

Make sure the Availability Domain, Instance Type and instance shape are all "always free eligible".

Make sure 'Assign a public IP address' is selected (it is not selected by default):

Add a public SSH key.

Click 'Create' and your VM will be shown in a 'Provisioning' state:

When it is provisioned, grab your public IP:

Before You Get Started

Before you can create a certificate for your application, you'll need a domain name to be associated with your public IP address. Follow the instructions for your domain name host to point a domain name at your public IP. Here's what that might look like using Route 53:

Before we move on, make sure that port 80 is open in your security list and in the VM firewall. CertBot will need this open to verify your machine during certificate creation.

From the VM details page, click on the subnet:

Choose 'Security Lists' from the subnet details sidebar:

Select the security list:

And add an ingress rule for port 80:

Next, run the following to open up port 80 on the VM firewall:


Installing CertBot

Heads Up! If you've skipped ahead, are you sure that port 80 is open on the VM and in your VM's security list?

We can now SSH into our VM and begin the install process for CertBot. As I mentioned above, we'll use the generic "Other UNIX" instructions from CertBot to avoid any potential issues that may arise with distribution-specific installations.

Run the following commands to install CertBot:

You're now ready to create a cert.

Creating A Certificate

Since we haven't yet installed a webserver, let's run CertBot in standalone mode. It will spin up a temporary webserver during this process:

The first time you run CertBot you'll need to provide some info that is used when the cert is generated:

Congrats, you've generated your free certificate! Now, let's move the new certs to another directory. In this example, I'm going to use the cert to secure an instance of Node-RED that I have spun up in an "always free" VM, so I'll move them to the proper directory for that:

We'll want this to happen every time the certs are renewed, so create a script at /etc/letsencrypt/renewal-hooks/deploy/copy-certs and populate it with the script below. Files contained in the "deploy" directory will be executed after each successful renewal.
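Here is a deploy hook that performs that copy, added as an example and not the script from the original post. It assumes a Node-RED certs directory under /home/opc, the opc user and a systemd unit named nodered (all placeholders), and it copies fullchain.pem (leaf plus intermediates) rather than cert.pem so that clients receive a complete chain:

```shell
#!/bin/sh
# Added example of a certbot deploy hook; not the script from the original
# post. certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# to hooks in /etc/letsencrypt/renewal-hooks/deploy/. The destination
# directory, owner and service name below are assumed placeholders.
set -eu

DEST="${CERT_DEST:-/home/opc/.node-red/certs}"
OWNER="${CERT_OWNER:-opc}"
SERVICE="${CERT_SERVICE:-nodered}"

# Number of certificates in a PEM bundle. fullchain.pem should hold the
# leaf plus at least one intermediate; cert.pem holds only the leaf, which
# is why deploying cert.pem yields an incomplete chain.
chain_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# copy_certs SRC_DIR DEST_DIR: copy privkey.pem and fullchain.pem, keeping
# the private key readable only by its owner. Fails if a file is missing
# or the bundle carries no intermediate.
copy_certs() {
  src="$1"; dest="$2"
  if [ ! -r "$src/privkey.pem" ] || [ ! -r "$src/fullchain.pem" ]; then
    echo "copy_certs: $src lacks privkey.pem/fullchain.pem" >&2
    return 1
  fi
  if [ "$(chain_count "$src/fullchain.pem")" -lt 2 ]; then
    echo "copy_certs: $src/fullchain.pem has no intermediate" >&2
    return 1
  fi
  install -d -m 0750 "$dest"
  install -m 0600 "$src/privkey.pem"   "$dest/privkey.pem"
  install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem"
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  copy_certs "$RENEWED_LINEAGE" "$DEST"
  # certbot runs hooks as root, so hand the copies to the app user.
  chown -R "$OWNER" "$DEST"
  # Restart the app so it loads the new cert (service name is assumed).
  if command -v systemctl >/dev/null 2>&1; then
    systemctl restart "$SERVICE"
  fi
fi
```

Make the file executable (chmod +x) or certbot will skip it.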

Now let's schedule the cert to automatically renew before it expires.

Scheduling Certificate Renewal

Scheduling renewal is easy. Create a cron job to run CertBot:

If you want to stop a running webserver before renewal and start it after renewal, use --pre-hook and --post-hook:

Your certs will now be automatically renewed!

Deploying A Site With Your New Certificate

This step can vary widely depending on your application and how it is deployed, but essentially at this point you have legitimate certificates that can be used with your application. Since I recently blogged about creating an instance of Node-RED, let's take a look at how you might use these certs to secure a Node-RED instance.

Find your settings.js file - with a default install it will be located at ~/.node-red/settings.js. Open this file up and make the changes below.

Step 1: Uncomment to include the 'fs' module:

Step 2: Uncomment the https object and update the paths for the key and cert to point at our new cert:

Step 3: Uncomment (if necessary) and update the requireHttps value to be true. You can now restart node-red and your instance will be running on HTTPS!

Footnote

Note: You may have come across this guide in the past when trying to configure your certs on Oracle Linux. Unfortunately, it seems that something has changed since that article was published. When you try to follow the instructions in Tim's post on Oracle Linux 7.7, you end up with the following exception:

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

Trying to resolve this issue only led to further issues with other Python dependencies, so I decided to follow the generic "Other UNIX" instructions via the CertBot site. This led to an error free install and seems to be the safest and most "future-proof" route for installing CertBot. 

Photo by James Sutton on Unsplash

Comments (5)
  • David Saturday, October 26, 2019
    I've followed this series of tutorials so far, and I'm impressed with what I've managed to create!!
    The one worry that I have is not having local control of the system, and not being able, through lack of experience, to fix problems that may arise.
    It would be brilliant if at some stage you could do a tutorial on backing up & restoring the instance.
    I would then feel more confident that if it broke, I could restore from a backup instead of trying remotely to fix it.

    Thanks for sharing the tutorials.
  • Todd Sharp Monday, October 28, 2019
    @David:

    Interesting idea. I'll see what I can come up with. Stay tuned, it might take me a while as I'm working on a workshop this week!

    Todd
  • Andrea Sunday, November 3, 2019
    Regarding "ImportError: 'pyOpenSSL'"

    You can enable a scl with:

    sudo scl enable python27 bash

    Then in the new shell certbot will run correctly.
    HTH
  • Todd Sharp Monday, November 4, 2019
    @Andrea

    Thanks!

    Todd
  • Paul Saturday, November 9, 2019
    Hi Todd, I've just checked the status of my certificates using an online tool, and found that the chain of trust was incomplete - https://check-your-website.server-daten.de/
    After discussions with the Letsencrypt team, the advice is to use fullchain.pem instead of cert.pem in the node-RED settings.

    https: {
        key: fs.readFileSync('/home/opc/.node-red/certs/privkey.pem'),
        cert: fs.readFileSync('/home/opc/.node-red/certs/fullchain.pem')
    },

    After I made that change, it shows that I now have a valid chain.