Pre-requisites
- Amazon LightSail instance with preinstalled Magento Bitnami
- OpenSSL – Preinstalled in the Bitnami Magento Instance
- A certificate authority (CA) to sign the certificate signing request (CSR)
This procedure enables TLS directly on the Apache server inside the Magento Bitnami instance, rather than terminating TLS at an Amazon Lightsail load balancer. The instructions are intended for a single VM instance running in Lightsail.
1. Generate keys/certificates
Generate the private key
sudo openssl genrsa -out /opt/bitnami/apache2/conf/server.key 2048
Generate the certificate signing request (CSR)
sudo openssl req -new -key /opt/bitnami/apache2/conf/server.key -out /opt/bitnami/apache2/conf/cert.csr
When prompted for the Common Name, enter the domain name the certificate is for, e.g. example.com
Alternatively, you can generate the CSR and private key with an online tool such as https://www.ssl.com/online-csr-and-key-generator/ . I recommend using openssl on the instance itself, since the private key then never leaves the server.
2. Certificate Authority
Send cert.csr to the certificate authority. When the CA has completed its checks, you will receive your new certificate bundle, which generally contains the CA bundle, a .crt file and a .p7b file.
3. Setup Certificate
3.1 Back up existing certificate
Create a backup of the existing certificate files. Note that this can only be done from an SSH session (PuTTY or another command-line tool), not from SFTP applications such as WinSCP or FileZilla.
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.backup
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.backup
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.backup
3.2 Copy certificates
Copy the certificate files with an SFTP client (e.g. WinSCP or FileZilla) to the /home/bitnami/ directory, then log in over SSH and move them to the /opt/bitnami/apache2/conf directory as server.key, server.crt and server.csr.
3.3 Change permissions
Change the ownership of all three files to root and make them readable and writable by root only.
sudo chown root:root /opt/bitnami/apache2/conf/server.csr
sudo chown root:root /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server.key
sudo chmod 600 /opt/bitnami/apache2/conf/server.csr
sudo chmod 600 /opt/bitnami/apache2/conf/server.crt
sudo chmod 600 /opt/bitnami/apache2/conf/server.key
ls -al
total 316
drwxr-xr-x 5 bitnami root 4096 Mar 3 20:22 .
drwxr-xr-x 14 root 4096 Nov 14 11:00 ..
drwxr-xr-x 2 bitnami root 4096 Feb 16 03:54 bitnami
-rw-r--r-- 1 bitnami root 289 Nov 14 11:00 deflate.conf
drwxr-xr-x 2 bitnami root 4096 Nov 14 10:57 extra
-rw-r--r-- 1 bitnami root 20107 Nov 14 11:09 httpd.conf
-rw-r--r-- 1 bitnami root 13064 Nov 8 13:49 magic
-rw-r--r-- 1 bitnami root 60847 Nov 8 13:49 mime.types
-rw-r--r-- 1 bitnami root 7413 Aug 2 2012 modsecurity.conf
drwxr-xr-x 3 bitnami root 4096 Nov 14 10:57 original
-rw-r--r-- 1 bitnami root 17597 Nov 14 11:00 pagespeed.conf
-rw-r--r-- 1 bitnami root 141034 Nov 14 10:57 pagespeed_libraries.conf
-rw-r--r-- 1 bitnami root 199 Nov 14 10:57 php-fpm-apache.conf
-rw------- 1 bitnami root 1854 Jan 25 20:06 privkey.pem
-rw------- 1 root 2223 Mar 3 15:00 server.crt
lrwxrwxrwx 1 root 51 Feb 16 03:55 server.crt.backup -> /etc/letsencrypt/live/example.com/fullchain.pem
-rw------- 1 root 1244 Mar 3 17:42 server.csr
-rw-r--r-- 1 root 985 Jan 25 20:06 server.csr.backup
-rw------- 1 root 1706 Mar 3 17:43 server.key
lrwxrwxrwx 1 root 49 Feb 16 03:55 server.key.backup -> /etc/letsencrypt/live/example.com/privkey.pem
-rw-r--r-- 1 bitnami root 203 Nov 14 10:59 ssi.conf
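Added example, not part of the original guide: a POSIX shell script with the checks worth running on the three files before the restart in step 4, namely that the CSR carries the intended common name, that server.key is the key server.crt was issued for, that the bundle the CA sent verifies server.crt, and that the files are root-owned and mode 600. The CONF_DIR and CA_BUNDLE variables and all function names are assumptions made here; the paths default to the ones the guide uses.

```sh
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks on the
# key, CSR and certificate files from steps 1 and 3, to run before step 4.
# Assumes the Bitnami paths from the guide and an openssl binary on PATH.
set -eu
CONF_DIR="${CONF_DIR:-/opt/bitnami/apache2/conf}"
# Non-interactive form of step 1: the common name is passed in, not typed.
make_key_and_csr() {            # $1 = domain, $2 = key path, $3 = CSR path
  openssl genrsa -out "$2" 2048 2>/dev/null
  openssl req -new -key "$2" -out "$3" -subj "/CN=$1" 2>/dev/null
}
# Common name recorded in a CSR; check it before the CSR goes to the CA.
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# SHA-256 of the public key inside a private key (key) or certificate (crt);
# comparing digests never prints the private key itself.
pubkey_digest() {               # $1 = key|crt, $2 = path
  if [ "$1" = key ]; then openssl pkey -in "$2" -pubout -outform DER 2>/dev/null
  else openssl x509 -in "$2" -pubkey -noout 2>/dev/null |
         openssl pkey -pubin -outform DER 2>/dev/null
  fi | openssl dgst -sha256 | awk '{print $NF}'
}
# Succeeds only when the certificate was issued for this private key.
key_matches_cert() {            # $1 = key path, $2 = certificate path
  k=$(pubkey_digest key "$1") && c=$(pubkey_digest crt "$2") &&
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# Succeeds when the issuer's CA bundle verifies the server certificate.
chain_verifies() {              # $1 = certificate path, $2 = CA bundle path
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
# Succeeds when the file is mode 600 and owned by $2 (root after step 3.3).
file_locked_down() {            # $1 = path, $2 = expected owner
  [ "$(ls -ld "$1" | awk '{print substr($1,1,10), $3}')" = "-rw------- $2" ]
}
# All checks against the installed files; CA_BUNDLE is the bundle the CA sent.
check_installed() {
  key_matches_cert "$CONF_DIR/server.key" "$CONF_DIR/server.crt" ||
    { echo "server.key does not match server.crt"; return 1; }
  chain_verifies "$CONF_DIR/server.crt" "${CA_BUNDLE:?set CA_BUNDLE}" ||
    { echo "CA bundle does not verify server.crt"; return 1; }
  for f in server.key server.crt server.csr; do
    file_locked_down "$CONF_DIR/$f" root || { echo "$f is not root:600"; return 1; }
  done
  echo "all checks passed"
}
if [ "${1:-}" = check ]; then check_installed; fi
```

Saved as, say, tls-check.sh, run it as `sudo CA_BUNDLE=/path/to/bundle.crt sh tls-check.sh check`; the individual functions can also be sourced and called on their own.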
4. Restart Apache
sudo /opt/bitnami/ctlscript.sh status apache
apache already running
sudo /opt/bitnami/ctlscript.sh restart apache
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 81
Monitored apache
5. Update the Magento configuration to enforce secure URLs
To enable TLS for Magento 2, follow these steps:
- Log in to Magento as the administrator.
- In the left sidebar, click STORES > Configuration > GENERAL > Web.
- Click Base URLs.
- Add/update the Base Link URL, e.g. https://example.com/.
- Click Base URLs (Secure).
- Add/update the Secure Base URL and Secure Base Link URL, e.g. https://example.com/.
- To make all storefront pages accessible only over TLS, set Use Secure URLs on Storefront to Yes.
- To make the administration interface accessible only over TLS, set Use Secure URLs in Admin to Yes.
- Click Save Config. TLS is now enforced for Magento.
Tip: You can test the secure connection at https://www.whynopadlock.com/ .