How to set up a CA-signed TLS certificate on a Magento Bitnami instance deployed in Amazon Lightsail

Pre-requisites

  • An Amazon Lightsail instance with the Bitnami Magento image preinstalled
  • OpenSSL, which is preinstalled on the Bitnami Magento instance
  • A certificate authority (CA) that will sign your certificate signing request (CSR)

This procedure terminates TLS on the Magento Bitnami instance itself (in its Apache), not on an Amazon Lightsail load balancer, which manages its own certificates. The instructions are intended for a single VM running in Lightsail.

1. Generate keys/certificates

Generate the private key

sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048

This overwrites whatever is already at that path: Bitnami ships a self-signed server.key there, and if you previously set up Let's Encrypt it may be a symlink into /etc/letsencrypt, which openssl follows. Move the existing files aside first, as described in step 3.1. Because the command runs under sudo, the new key is written with root's default umask and is world-readable until you tighten the permissions in step 3.3.

Generate the certificate signing request

sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr

When prompted for the Common Name, enter the site's domain name, e.g. example.com. Browsers validate the hostname against the certificate's subjectAltName (SAN) extension rather than the Common Name, so make sure the CA includes every hostname the store is served under (for instance both example.com and www.example.com) as SANs; most CAs let you list them when you submit the CSR.

Alternatively, you can generate the CSR and private key with an online tool such as https://www.ssl.com/online-csr-and-key-generator/ . I recommend using openssl on the instance instead: a private key generated in a web page has passed through a third party's server, and the entire value of the key lies in nobody but your server ever holding it.

2. Certificate Authority

Send cert.csr (and only the CSR; the private key never leaves the instance) to the certificate authority. When the CA has completed its validation checks, you receive a bundle that generally contains three things: your server certificate (a .crt file in PEM form), a CA bundle holding the intermediate certificates that link your certificate to the CA's root, and a .p7b (PKCS#7) file intended for Windows/IIS. Apache uses the PEM .crt and the CA bundle.
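The script below is an added example, not code from the original post. It covers steps 1 and 2 end to end: it generates the key and a CSR that carries subjectAltName entries, and then checks what a CA sends back, namely that the certificate really belongs to the key and CSR, that the leaf certificate plus the CA bundle form a chain that verifies up to a trusted root, and that the SAN lists the domain. Everything not on the page is an assumption of mine: the domain example.com, a scratch directory instead of /opt/bitnami/apache2/conf, and a throwaway two-level local CA (make_test_ca, sign_csr) that stands in for the real certificate authority so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Key + SAN CSR generation, then
# the checks to run on what the CA returns. The local CA below is a stand-in
# for the real CA so that the whole flow can be exercised offline.
set -eu

# Generate server.key and server.csr in DIR for DOMAIN and www.DOMAIN.
# umask 077 keeps the key owner-readable only from the moment it is written.
gen_key_csr() {  # $1 domain, $2 dir
  mkdir -p "$2"
  ( umask 077 && openssl genrsa -out "$2/server.key" 2048 2>/dev/null )
  cat > "$2/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $1
[san]
subjectAltName = DNS:$1, DNS:www.$1
EOF
  openssl req -new -sha256 -key "$2/server.key" -config "$2/csr.cnf" -out "$2/server.csr"
}

# SHA-256 of the public key inside a key, CSR or certificate, for comparison.
pub_fp() {  # $1 key|csr|crt, $2 file
  case $1 in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req -in "$2" -pubkey -noout ;;
    crt) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if key, CSR and certificate all carry the same public key.
key_matches() {  # $1 key, $2 csr, $3 crt
  [ "$(pub_fp key "$1")" = "$(pub_fp csr "$2")" ] &&
  [ "$(pub_fp key "$1")" = "$(pub_fp crt "$3")" ]
}

# What Apache 2.4.8+ serves from SSLCertificateFile: leaf first, then the
# intermediates from the CA bundle. Never append the root or the private key.
build_chain() {  # $1 leaf crt, $2 ca bundle, $3 output
  cat "$1" "$2" > "$3"
}

# Verify the leaf up to ROOT using only the intermediates in the chain file,
# and confirm the SAN lists DOMAIN (browsers ignore the CN for name checks).
verify_chain() {  # $1 chain file, $2 trusted root crt, $3 domain
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1 &&
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$3"
}

# Throwaway root -> intermediate CA, standing in for the real CA. In practice
# you never see the CA's keys, only your server.crt and the CA bundle.
make_test_ca() {  # $1 dir
  mkdir -p "$1"
  openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$1/root.key" -out "$1/root.crt" -subj "/CN=Example Test Root" 2>/dev/null
  openssl req -new -sha256 -newkey rsa:2048 -nodes \
    -keyout "$1/int.key" -out "$1/int.csr" -subj "/CN=Example Test Intermediate" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$1/ca.ext"
  openssl x509 -req -sha256 -days 2 -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null
}

# The CA's side: sign the CSR with the intermediate, issuing a leaf with SANs.
sign_csr() {  # $1 ca dir, $2 csr, $3 output crt, $4 domain
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$4" "$4" > "$1/leaf.ext"
  openssl x509 -req -sha256 -days 2 -in "$2" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -extfile "$1/leaf.ext" -out "$3" 2>/dev/null
}

# After server.crt is installed and Apache restarted: what the live site serves.
check_live() {  # $1 domain
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}

# Walk the whole flow in a temporary directory.
demo() {
  d=$(mktemp -d)
  gen_key_csr example.com "$d/srv"                                        # step 1: sent to the CA
  make_test_ca "$d/ca"                                                    # stand-in CA
  sign_csr "$d/ca" "$d/srv/server.csr" "$d/srv/server.crt" example.com   # step 2: what comes back
  build_chain "$d/srv/server.crt" "$d/ca/int.crt" "$d/srv/chain.crt"
  key_matches "$d/srv/server.key" "$d/srv/server.csr" "$d/srv/server.crt" && echo "key, CSR and certificate match"
  verify_chain "$d/srv/chain.crt" "$d/ca/root.crt" example.com && echo "chain verifies and SAN lists example.com"
  rm -rf "$d"
}
demo
```

On the instance you would run gen_key_csr as root against /opt/bitnami/apache2/conf and skip make_test_ca and sign_csr, which only replace the real CA here. key_matches and verify_chain are the checks to run on the files the CA returns before restarting Apache: pass the CA bundle as the second argument to build_chain, and the CA's root certificate (or the system trust store via -CApath /etc/ssl/certs in place of -CAfile) as the trusted root. check_live then shows what the server actually presents once it is running.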

3. Setup Certificate

3.1 Back up the existing certificate

Create a backup of the existing key, CSR and certificate. Do this before generating the new key in step 1, which writes to the same path. Users can do this only from PuTTY or another SSH command line, not from SFTP clients such as WinSCP or FileZilla, because the files belong to root and the commands need sudo. If the existing files are Let's Encrypt symlinks, mv renames the symlinks themselves and leaves /etc/letsencrypt untouched.

sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.backup
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.backup
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.backup

3.2 Copy the certificates

Copy the files the CA sent you with SFTP (WinSCP or FileZilla over SSH, using your Lightsail key) into the /home/bitnami/ directory, then log in with SSH and move them with sudo into /opt/bitnami/apache2/conf, naming them server.crt and server.key, which are the file names Bitnami's Apache configuration references. If the CA delivered the intermediate certificates as a separate CA bundle, append it to server.crt (your certificate first, then the bundle): Apache 2.4.8 and later send the whole chain from SSLCertificateFile, and without the intermediates browsers and mobile clients will report an incomplete chain. Never copy the CA's root certificate or the private key into server.crt.

3.3 Change permissions

Make all three files owned by root and readable only by root. Bitnami's Apache starts as root and reads the key before dropping privileges, so no other account needs access. The CSR is not secret (it contains only the public key and the subject name) and is no longer needed once the CA has signed it, but keeping it locked down does no harm.

sudo chown root:root /opt/bitnami/apache2/conf/server.csr
sudo chown root:root /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server.key
sudo chmod 600 /opt/bitnami/apache2/conf/server.csr
sudo chmod 600 /opt/bitnami/apache2/conf/server.crt
sudo chmod 600 /opt/bitnami/apache2/conf/server.key

ls -al /opt/bitnami/apache2/conf
total 316
drwxr-xr-x 5 bitnami root 4096 Mar 3 20:22 .
drwxr-xr-x 14 root 4096 Nov 14 11:00 ..
drwxr-xr-x 2 bitnami root 4096 Feb 16 03:54 bitnami
-rw-r--r-- 1 bitnami root 289 Nov 14 11:00 deflate.conf
drwxr-xr-x 2 bitnami root 4096 Nov 14 10:57 extra
-rw-r--r-- 1 bitnami root 20107 Nov 14 11:09 httpd.conf
-rw-r--r-- 1 bitnami root 13064 Nov 8 13:49 magic
-rw-r--r-- 1 bitnami root 60847 Nov 8 13:49 mime.types
-rw-r--r-- 1 bitnami root 7413 Aug 2 2012 modsecurity.conf
drwxr-xr-x 3 bitnami root 4096 Nov 14 10:57 original
-rw-r--r-- 1 bitnami root 17597 Nov 14 11:00 pagespeed.conf
-rw-r--r-- 1 bitnami root 141034 Nov 14 10:57 pagespeed_libraries.conf
-rw-r--r-- 1 bitnami root 199 Nov 14 10:57 php-fpm-apache.conf
-rw------- 1 bitnami root 1854 Jan 25 20:06 privkey.pem
-rw------- 1 root 2223 Mar 3 15:00 server.crt
lrwxrwxrwx 1 root 51 Feb 16 03:55 server.crt.backup -> /etc/letsencrypt/live/example.com/fullchain.pem
-rw------- 1 root 1244 Mar 3 17:42 server.csr
-rw-r--r-- 1 root 985 Jan 25 20:06 server.csr.backup
-rw------- 1 root 1706 Mar 3 17:43 server.key
lrwxrwxrwx 1 root 49 Feb 16 03:55 server.key.backup -> /etc/letsencrypt/live/example.com/privkey.pem
-rw-r--r-- 1 bitnami root 203 Nov 14 10:59 ssi.conf

4. Restart Apache

sudo /opt/bitnami/ctlscript.sh status apache
apache already running
sudo /opt/bitnami/ctlscript.sh restart apache
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 81
Monitored apache

"Syntax OK" is only Apache's configuration check; it does not prove that the certificate and key belong together. If httpd stops but does not come back, the reason (typically a key/certificate mismatch or a malformed PEM file) is recorded in /opt/bitnami/apache2/logs/error_log, and you can restore service by moving the .backup files back into place and restarting again.

5. Magento configuration update to enforce secure URLs

To make Magento 2 generate https:// links and require TLS, follow these steps:

  1. Log in to the Magento admin as an administrator.
  2. In the left sidebar, click STORES > Configuration > GENERAL > Web.
  3. Click Base URLs.
  4. Click Base URLs (Secure).
    • Set Secure Base URL and Secure Base Link URL to your domain with the https scheme, e.g. https://example.com/.
    • To make all storefront pages accessible only over TLS, in the Use Secure URLs on Storefront list box, select Yes.
    • To make the administration interface accessible only over TLS, in the Use Secure URLs in Admin list box, select Yes.
  5. Click Save Config. Magento now serves the storefront and the admin over TLS.

Do this only after step 4 has succeeded and https://example.com/ loads in a browser: enabling Use Secure URLs in Admin while TLS is broken locks you out of the admin interface until you change the setting back from the command line or the database.

Tip: you can test the secure connection at https://www.whynopadlock.com/, which also flags mixed content (http:// resources loaded on an https:// page) that would keep the browser padlock off even though the certificate itself is fine.
