Protecting your Nectar web servers with HTTPS provides important security and data integrity capabilities for your website and your website users' information. Even if your site does not handle sensitive information, HTTPS is quickly becoming a requirement for features in the latest web browsers.

There are two main requirements for enabling HTTPS:

  1. A public DNS name for your instance
  2. An SSL certificate that is issued by a Certificate Authority (CA) that is recognised by common browsers and other tools

Many institutions have service agreements in place with service providers for both requirements, and will typically require that you use the approved service providers when using an institution domain name (e.g. your-uni.edu.au). Please contact your institution IT services team for details.

It is also possible to set up HTTPS on your Nectar instance using your own DNS provider and CA.

In this article, we explain how to set up HTTPS on a Nectar Ubuntu instance running Apache HTTP Server, using the Nectar DNS Service and an SSL certificate issued by the free Let's Encrypt service. The high-level process should be similar when using other web servers and DNS and CA service providers.

Creating a DNS Name using the Nectar DNS Service

Nectar DNS Service functions are not currently available in the Nectar Dashboard so you need to use the OpenStack command line client. See the API and Nectar DNS Service solution articles for further information on setting up and using the command line client.

A default DNS zone based on the allocation project name is provisioned for all new Nectar allocations (and amended allocations). You can check that your project has the default zone as follows: 

$ openstack zone list
+-----------+-------------------------+---------+----------+--------+--------+
| id        | name                    | type    |   serial | status | action |
+-----------+-------------------------+---------+----------+--------+--------+
| <zone id> | <project>.cloud.edu.au. | PRIMARY | <serial> | ACTIVE | NONE   |
+-----------+-------------------------+---------+----------+--------+--------+

If the default zone is not listed, your project was created before the Nectar DNS service was available. Please email support@nectar.org.au requesting that the default zone be added to your project. To use a custom DNS zone, please see the Nectar DNS Service article.

You can now add a DNS record for your instance to the zone as follows:

$ openstack recordset create <project>.cloud.edu.au. <instance name> --type A --record <instance IP addr>

Check that the record was created correctly using:

$ openstack recordset list <project>.cloud.edu.au.
+------+-----------------------------------------+------+--------------------+--------+--------+
| id   | name                                    | type | records            | status | action |
+------+-----------------------------------------+------+--------------------+--------+--------+
| ...  |                                         |      |                    |        |        |
| <id> | <instance name>.<project>.cloud.edu.au. | A    | <instance IP addr> | ACTIVE | NONE   |
| ...  |                                         |      |                    |        |        |
+------+-----------------------------------------+------+--------------------+--------+--------+

To check that the DNS name is working, you can try accessing the instance with ssh as follows:

$ ssh -i <keyfile> ubuntu@<instance name>.<project>.cloud.edu.au

If you are managing your DNS records with a domain name registrar (rather than with the Nectar DNS Service) they will typically provide a web portal with similar record management functionality.

Getting a Let's Encrypt Certificate

Let's Encrypt issues free certificates that expire after 90 days. The Certbot tool can be used to automate the process of obtaining and renewing a Let's Encrypt certificate. The Certbot home page has operating system and web server selectors for navigating to the required setup instructions.

You can install Certbot on an Ubuntu instance as follows:

$ sudo apt-get update
$ sudo apt-get install certbot

Your web server needs to be listening on port 80 for the Let's Encrypt validation challenge, so check your instance Security Groups allow access from all sources on HTTP port 80.

You can then obtain a certificate using Apache HTTP Server and set up an auto-renewal job as follows:

$ sudo certbot certonly --agree-tos --no-eff-email --webroot \
    --webroot-path /var/www/html -d <dns name> -m <contact email> \
    --post-hook "systemctl reload apache2.service"

These command options do not modify the web server configuration files. You can see how to do that in the next section.

Certbot can also make the web server configuration file changes for you on common web servers. See the Certbot --apache or --nginx options for further details. You can also add the --test-cert option when testing. This obtains a test certificate from a staging server. Use man certbot to get help on all the options.

When you run Certbot, the Let's Encrypt certificate files are installed in the /etc/letsencrypt folder. You should see the following files in the sub-folder for your DNS name:

$ sudo ls /etc/letsencrypt/live/<DNS name>
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

If you obtained your certificate from another CA (rather than Let's Encrypt) it will typically have a much longer expiry (e.g. 2 years) and will not need to be automatically renewed. You just need to manually copy the certificate and private key files provided by the CA to a location accessible by your web server.

On Ubuntu you can put the certificate in /etc/ssl/certs/ and the private key file in /etc/ssl/private/ and configure your web server accordingly. The file permissions for the private key are important. On Ubuntu use chown root:ssl-cert <private key file> and chmod 640 <private key file> to set the required file ownership and permissions.
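One way to check the ownership and mode described above, as an added example that is not part of the original article. The function name check_key_perms is this example's own, and GNU stat (the Ubuntu default) is assumed:

```shell
#!/bin/sh
# Added example: audit a TLS private key file against root:ssl-cert and mode 640.
# check_key_perms is a hypothetical helper name; GNU stat is assumed.

# check_key_perms FILE [OWNER] [GROUP]
# OWNER and GROUP default to root and ssl-cert, the values used on Ubuntu.
# Prints one line per problem found; returns 0 when there are none.
check_key_perms() {
    key=$1; want_owner=${2:-root}; want_group=${3:-ssl-cert}; problems=0
    if [ ! -f "$key" ]; then
        echo "$key: not a regular file"
        return 1
    fi
    # -L follows symlinks, so a link to the real key file is checked at its target.
    mode=$(stat -L -c %a "$key")
    owner=$(stat -L -c %U "$key")
    group=$(stat -L -c %G "$key")
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$key: owned by $owner:$group, expected $want_owner:$want_group"
        problems=1
    fi
    # 07137 = setuid/setgid/sticky, owner execute, group write/execute and all
    # "other" bits: every permission bit that mode 640 does not grant.
    if [ $(( 0$mode & 07137 )) -ne 0 ]; then
        echo "$key: mode $mode is broader than 640"
        problems=1
    fi
    return "$problems"
}

# Usage: sudo sh check_key_perms.sh /etc/ssl/private/<private key file>
if [ "$#" -gt 0 ]; then
    check_key_perms "$@"
fi
```

A stricter mode such as 600 also passes, since the check only flags bits beyond 640.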

The next section covers HTTPS configuration for the Apache HTTP server. Other web servers like NGINX are not covered, but they all have similar and well-documented ways of configuring HTTPS.

Configuring your Apache Web Server

Start by configuring your web server to redirect all HTTP requests to HTTPS, except the Let's Encrypt renewal challenge. You can create a config file to do the redirection for Apache HTTP Server as follows:

sudo tee /etc/apache2/conf-available/redirect-ssl.conf > /dev/null << 'EOL'
<Location />
  RewriteEngine on
  RewriteCond %{HTTPS} !on
  RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge [NC]
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
</Location>
EOL

Configure your web server to use the Let's Encrypt certificate. For Apache HTTP Server, you need to edit the /etc/apache2/sites-available/default-ssl.conf file and change the following parameters to point to the Let's Encrypt certificate and private key files. Use fullchain.pem rather than cert.pem so that the server also sends the intermediate certificate (this requires Apache 2.4.8 or later):

SSLCertificateFile /etc/letsencrypt/live/<DNS name>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<DNS name>/privkey.pem

For Apache HTTP Server, you should also enforce stronger encryption for your web site by editing the /etc/apache2/mods-available/ssl.conf file and ensuring the following parameter, which makes the server's cipher preference order take precedence over the client's, is set as shown (make sure it is not commented out with a leading #):

SSLHonorCipherOrder on

You can now enable and load the web server configuration changes. For Apache HTTP Server, use the following commands to load the SSL and rewrite modules, enable the default SSL configuration, enable the HTTP to HTTPS redirect, and restart the web server:

$ sudo a2enmod ssl
$ sudo a2enmod rewrite
$ sudo a2ensite default-ssl
$ sudo a2enconf redirect-ssl
$ sudo systemctl restart apache2.service

Check your Nectar Security Groups allow access to your instance on HTTPS port 443. You should then be able to access your web server from a browser using: https://<instance name>.<project>.cloud.edu.au/.
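
To confirm that the redirect and its ACME challenge exemption behave as configured in redirect-ssl.conf, the following added example (not part of the original article) requests both paths over plain HTTP with curl. The function names, the probe path and the example.org host in the self-check are this example's own:

```shell
#!/bin/sh
# Added example: verify the HTTP to HTTPS redirect and its ACME exemption.
# evaluate KIND CODE REDIRECT_URL HOST PATH   (hypothetical helper names)
#   page: expect a 301 to the same host and path over https
#   acme: expect a direct answer over plain HTTP, with no redirect target
evaluate() {
    kind=$1; code=$2; target=$3; host=$4; path=$5
    case $kind in
    page)
        [ "$code" = 301 ] && [ "$target" = "https://$host$path" ]
        ;;
    acme)
        # Any direct answer will do (404 is normal when no challenge is pending);
        # a 3xx, or curl's 000 for "no HTTP response", is a failure.
        case $code in
            [245]??) [ -z "$target" ] ;;
            *) return 1 ;;
        esac
        ;;
    *)
        return 2
        ;;
    esac
}

# probe KIND HOST PATH: one request over plain HTTP, redirects not followed
probe() {
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "http://$2$3")
    evaluate "$1" "${out%% *}" "${out#* }" "$2" "$3"
}

# verify_site HOST: returns 0 only if both checks pass
verify_site() {
    rc=0
    probe page "$1" / || { echo "FAIL: http://$1/ is not redirected to https"; rc=1; }
    probe acme "$1" /.well-known/acme-challenge/probe-test ||
        { echo "FAIL: ACME challenge path is redirected or unreachable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: redirect and ACME exemption behave as configured"
    return "$rc"
}

if [ "$#" -eq 1 ]; then   # usage: sh verify_redirect.sh <DNS name>
    verify_site "$1"
else                      # no host given: offline self-check on constructed responses
    evaluate page 301 "https://www.example.org/" www.example.org / &&
    evaluate acme 404 "" www.example.org /.well-known/acme-challenge/x &&
    echo "self-check passed"
fi
```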