Founders BLOG

WordPress on S3: DNS and HTTPS configuration

Getting a WordPress-on-S3 website up and running is a piece of cake with our step-by-step guide, but making the website live requires a couple more pieces of the puzzle to fit together.


Today I’m going to talk about configuring DNS and HTTPS for WordPress on S3. DNS stands for Domain Name System and it is the technology that makes it possible to use friendly names for web sites. HTTPS stands for Hypertext Transfer Protocol Secure and it is the technology that makes secure connections possible.

DNS

When you first launch the website, its name is going to look something like this: http://ec2-204-236-192-217.compute-1.amazonaws.com. The name is just a representation of the website IP address, which is an ephemeral IP address.  Ephemeral IP addresses are random and change every time the instance stops and starts.

So how do you get from a random name to a nice descriptive name for your website?  There are three components to it:

  1. You need to register your domain name with a domain name registrar.  The domain name registrar is going to make sure that the name is not registered to someone else and register it to you for a certain period of time.
  2. You need to choose a DNS hosting service.  Domain name registrars can usually provide a DNS hosting service, or you can use the Amazon Route 53 DNS web service.  Once you’ve picked the DNS hosting service provider, you need to inform the registrar to set the name servers for your domain to the ones associated with your DNS service provider.
  3. You need to associate an elastic IP address with the instance.  Unlike ephemeral IP addresses that change every time the instance stops and starts, an elastic IP address is going to stay the same as long as it’s allocated.  This blog has great step-by-step instructions on how to associate an elastic IP address with the instance.  Once you get an elastic IP address, you need to create a DNS A record pointing to the elastic IP address.

Once you’ve done this, anyone will be able to access your website by the name of your choice.

HTTPS

If you have a website that handles sensitive data (e.g. personal data) you need to provide secure access to your website over the HTTPS protocol.  Once an HTTPS connection is established, all communication between the web browser and your website is encrypted.  But how does the web browser know that it’s talking to your website and not some malicious website set up by a hacker?

To confirm the identity of your website, you need to obtain an SSL certificate for your domain name and set it up on the server.  There are multiple certificate authorities that can issue a certificate.  To get a certificate, you need to generate a certificate signing request (CSR) and send it to the certificate authority of your choice.

You can generate a CSR using the openssl command-line utility.  If you’re not comfortable with the command line, here is a nice web UI that generates the correct command line from your input, which you can then run in the Webmin console.

Here is an example of how to do this.

Go to https://www.digicert.com/easy-csr/openssl.htm and enter your information into the web form, like this:

Note that you don’t have to buy a certificate from DigiCert – the command line is the same regardless of which certificate authority you use (including the ones that provide certificates for free).

To execute the resulting command you can use the Webmin console.  In Webmin, navigate to Others, then to Command Shell, paste the command and execute it:

As a result, the command will create two files, both located in the /root directory:

  • your_domain_com.key – your private key
  • your_domain_com.csr – the CSR that you need to send to the certificate authority

You should copy the private key to /etc/pki/tls/private/.  This can be done using the following command (type it in the same command shell box):

cp your_domain_com.key /etc/pki/tls/private/

Note that the private key must not be known to anyone but you.  The private key is the piece of data that proves your website’s identity, so you should never share it with anyone.

You can download the CSR using Webmin.  In Webmin, navigate to Others, then to Upload and Download, then switch to the Download from server tab, enter /root/your_domain_com.csr as the File to download, and click Download:

Then you can send the CSR to your certificate authority.  Note that the CSR file is a text file, so if your certificate authority needs the CSR pasted into an email, you can open the CSR file in a text editor and copy its contents.

It is also a good idea to download your private key so that you have a backup copy.  If you lose your private key, you’ll have to request a new certificate.

Once the certificate authority has validated your identity they will send you a certificate file and maybe a certificate chain file.  You should upload the files into /etc/pki/tls/certs/.  In Webmin, navigate to Others, then to Upload and Download, then switch to the Upload to server tab, choose the files, type in the directory to upload to and click Upload:

Now that you have all files in place, you need to configure Apache to use the files.  In Webmin, navigate to Servers, then to Apache Webserver and click on the virtual server in the middle:

Then click on Edit Directives:

You’ll be presented with the configuration file that holds the SSL configuration for the webserver.  You need to locate the following options and set them to the appropriate values:

SSLCertificateFile /etc/pki/tls/certs/your_domain_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/your_domain_com.key
SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt

Note that if the certificate authority didn’t give you the certificate chain file, you don’t need to set SSLCertificateChainFile.
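The openssl steps above (generate the key and CSR, keep the key private, and make sure the key, CSR and issued certificate belong together before their paths go into the Apache directives) as a POSIX shell script. This is an added example, not code from the original post or from the WordPress-on-S3 AMI; the base file name, subject fields and placeholder paths are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: key/CSR generation and consistency checks with openssl.
# Base name and subject values are placeholders (e.g. /root/your_domain_com).

# Create a 2048-bit RSA key and a CSR for it.
# $1 = output base name, $2 = common name (your domain), $3 = organisation,
# $4 = country code, $5 = state, $6 = city.
generate_key_and_csr() {
    # umask 077 in a subshell so the key is never created world-readable
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -keyout "$1.key" -out "$1.csr" \
          -subj "/C=$4/ST=$5/L=$6/O=$3/CN=$2" 2>/dev/null )
    chmod 600 "$1.key"   # the copy in /etc/pki/tls/private/ should keep this mode
}

# Succeed only if the file is readable by its owner alone (mode 600 or stricter).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the PEM public key contained in a private key, a CSR or a certificate.
pubkey_of() {
    case $1 in
        key) openssl pkey -in "$2" -pubout 2>/dev/null ;;
        csr) openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        crt) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# The CSR must carry a valid self-signature and the public key of our key,
# otherwise the CA would issue a certificate we cannot use.
csr_matches_key() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 &&
    [ "$(pubkey_of csr "$1")" = "$(pubkey_of key "$2")" ]
}

# The certificate the CA returns must be for the same key; a mismatch between
# SSLCertificateFile and SSLCertificateKeyFile stops Apache from starting.
cert_matches_key() {
    [ "$(pubkey_of crt "$1")" = "$(pubkey_of key "$2")" ]
}
```

Run cert_matches_key against the uploaded certificate and the key in /etc/pki/tls/private/ before clicking Apply Change, so a mix-up is caught while the site is still serving.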

Once you’ve modified the configuration, click Save:

Once the configuration is saved, click the Apply Change link at the top right of the screen, and that’s all you need to get a webserver that supports HTTPS.

Launch your website today at http://www.oblaksoft.com/downloads/, using WordPress-on-S3 AMI as the starting point.
