AWS lightsail documentation change
Summary
Major restructuring of the Let's Encrypt with NGINX tutorial, swapping order of generic Lightsail and Bitnami instructions, updating steps for SSL configuration and HTTP to HTTPS redirection to use sed commands and systemctl instead of symbolic links and Bitnami control scripts.
Security assessment
The changes are a documentation restructuring and procedural update for configuring SSL/TLS certificates with Let's Encrypt. While the entire document is security-related (SSL/TLS setup), there is no evidence in the diff of addressing a specific security vulnerability, incident, or weakness. The changes update the method for configuring SSL and redirecting traffic, but this appears to be a procedural improvement rather than a security fix. The security implications are that the new method might be more straightforward and less error-prone, but no concrete security issue is mentioned.
Diff
diff --git a/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md b/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md index a1f92912f..9d39b2123 100644 --- a//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md +++ b//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md @@ -23,12 +23 @@ Select the appropriate guide for your Nginx instance: -Bitnami - - -###### Important - - * The Linux distribution used by Bitnami instances changed from Ubuntu to Debian in July, 2020. Because of this change, some of the steps in this tutorial will differ depending on the Linux distribution of your instance. All Bitnami blueprint instances created after the change use the Debian Linux distribution. Instances created before the change will continue to use the Ubuntu Linux distribution. To check the distribution of your instance, run the `uname -a `command. The response will show either Ubuntu or Debian as your instance's Linux distribution. - - * Bitnami is in the process of modifying the file structure for many of their stacks. The file paths in this tutorial may change depending on whether your Bitnami stack uses native Linux system packages (Approach A), or if it is a self-contained installation (Approach B). To identify your Bitnami installation type and which approach to follow, run the following command: - -`test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."` - - +Lightsail @@ -51,3 +40 @@ Bitnami - * Step 7: Create links to the Let’s Encrypt certificate files in the NGINX server directory - - * Step 8: Configure HTTP to HTTPS redirection for your web application + * Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS @@ -55 +42 @@ Bitnami - * Step 9: Renew the Let's Encrypt certificates every 90 days + * Step 8: Renew the Let’s Encrypt certificates every 90 days @@ -72,2 +59 @@ We recommend that you manage your domain’s DNS records using a Lightsail DNS z - * Use the browser-based SSH terminal in the Lightsail console to perform the steps in this tutorial. However, you can also use your own SSH client, such as PuTTY. To learn more about configuring PuTTY, see [Download and set up PuTTY to connect using SSH in Amazon Lightsail](./lightsail-how-to-set-up-putty-to-connect-using-ssh.html). - + * Use the browser-based SSH terminal in the Lightsail console to perform the steps in this tutorial: @@ -74,0 +61 @@ We recommend that you manage your domain’s DNS records using a Lightsail DNS z + @@ -75,0 +63 @@ We recommend that you manage your domain’s DNS records using a Lightsail DNS z +###### Note @@ -77 +65 @@ We recommend that you manage your domain’s DNS records using a Lightsail DNS z -After you've completed the prerequisites, continue to the next section of this tutorial. +You can also use your own SSH client, such as PuTTY. To learn more about configuring PuTTY, see [ Download and set up PuTTY to connect using SSH in Amazon Lightsail ](./lightsail-how-to-set-up-putty-to-connect-using-ssh.html) . @@ -79 +66,0 @@ After you've completed the prerequisites, continue to the next section of this t -## Step 2: Install Certbot on your Lightsail instance @@ -81 +67,0 @@ After you've completed the prerequisites, continue to the next section of this t -Certbot is a client used to request a certificate from Let’s Encrypt and deploy it to a web server. Let's Encrypt uses the ACME protocol to issue certificates, and Certbot is an ACME-enabled client that interacts with Let's Encrypt. @@ -83 +68,0 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo -###### To install Certbot on your Lightsail instance @@ -85 +70 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). +## Step 2: Install Certbot on your Lightsail instance @@ -87 +72 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 2. In the left navigation pane, choose the SSH quick connect icon for the instance that you want to connect to. +Certbot is a client used to request a certificate from Let’s Encrypt and deploy it to a web server. Let’s Encrypt uses the ACME protocol to issue certificates, and Certbot is an ACME-enabled client that interacts with Let’s Encrypt. @@ -89 +74 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - +###### To install Certbot on your Lightsail instance @@ -91 +76 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - 3. After your Lightsail browser-based SSH session is connected, enter the following command to update the packages on your instance: + 1. Connect to your instance using an SSH client, for example, the Lightsail browser-based SSH terminal. Enter the following command to update the packages on your instance: @@ -95,15 +80 @@ Certbot is a client used to request a certificate from Let’s Encrypt and deplo - - - 4. Enter the following command to install the software properties package. Certbot’s developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. - - sudo apt-get install software-properties-common - -###### Note - -If you encounter a `Could not get lock` error when running the `sudo apt-get install` command, please wait approximately 15 minutes and try again. This error may be caused by a cron job that is using the Apt package management tool to install unattended upgrades. - - 5. Enter the following command to add Certbot to the local apt repository: - -###### Note - -Step 5 applies only to instances that use the Ubuntu Linux distribution. Skip this step if your instance uses the Debian Linux distribution. + 2. Enter the following command to install the software properties package. Certbot’s developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. @@ -111 +82 @@ Step 5 applies only to instances that use the Ubuntu Linux distribution. Skip th - sudo apt-add-repository ppa:certbot/certbot -y + sudo apt-get install software-properties-common -y @@ -113 +84 @@ Step 5 applies only to instances that use the Ubuntu Linux distribution. Skip th - 6. Enter the following command to update apt to include the new repository: + 3. Enter the following command to update apt to include the new repository: @@ -117 +88 @@ Step 5 applies only to instances that use the Ubuntu Linux distribution. Skip th - 7. Enter the following command to install Certbot: + 4. Enter the following command to install Certbot: @@ -123,2 +93,0 @@ Certbot is now installed on your Lightsail instance. - 8. Keep the browser-based SSH terminal window open—you return to it later in this tutorial. Continue to the next section of this tutorial. - @@ -152 +119 @@ You should see a result similar to the following: - + @@ -160 +127 @@ You should see a result similar to the following: - 5. Read the Let’s Encrypt terms of service. When done, press A if you agree. If you disagree, you cannot obtain a Let’s Encrypt certificate. + 5. Read the Let’s Encrypt terms of service. When done, press Y if you agree. If you disagree, you cannot obtain a Let’s Encrypt certificate. @@ -168 +135 @@ You should see a result similar to the following: -Let's Encrypt may provide a single or multiple TXT records that you must use for verification. In this example, we were provided with two TXT records to use for verification. +Let’s Encrypt may provide a single or multiple TXT records that you must use for verification. In this example, we were provided with two TXT records to use for verification. @@ -170 +137 @@ Let's Encrypt may provide a single or multiple TXT records that you must use for - + @@ -245 +212 @@ Example: -Go back to the Lightsail browser-based SSH session for your Nginx instance and complete the Let’s Encrypt certificate request. Certbot saves your SSL certificate, chain, and key files to a specific directory on your Nginx instance. +Go back to the Lightsail browser-based SSH session for your instance and complete the Let’s Encrypt certificate request. Certbot saves your SSL certificate, chain, and key files to a specific directory on your instance. @@ -249 +216 @@ Go back to the Lightsail browser-based SSH session for your Nginx instance and c - 1. In the Lightsail browser-based SSH session for your Nginx instance, press **Enter** to continue your Let’s Encrypt SSL certificate request. If successful, a response similar to the one shown in the following screenshot appears: + 1. In the Lightsail browser-based SSH session for your instance, press **Enter** to continue your Let’s Encrypt SSL certificate request. If successful, a response similar to the one shown in the following screenshot appears: @@ -251 +218 @@ Go back to the Lightsail browser-based SSH session for your Nginx instance and c - + @@ -257,4 +224 @@ The message confirms that your certificate, chain, and key files are stored in t - - - 3. Now that you have the Let’s Encrypt SSL certificate, continue to the next section of this tutorial. - + @@ -264 +227,0 @@ The message confirms that your certificate, chain, and key files are stored in t -## Step 7: Create links to the Let’s Encrypt certificate files in the NGINX server directory @@ -266 +229 @@ The message confirms that your certificate, chain, and key files are stored in t -Create links to the Let’s Encrypt SSL certificate files in the NGINX server directory on your Nginx instance. Also, back up your existing certificates, in case you need them later. +## Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS @@ -268 +231 @@ Create links to the Let’s Encrypt SSL certificate files in the NGINX server di -###### To create links to the Let’s Encrypt certificate files in the NGINX server directory +###### To update the SSL configuration in NGINX's default.conf @@ -270 +233 @@ Create links to the Let’s Encrypt SSL certificate files in the NGINX server di - 1. In the Lightsail browser-based SSH session for your Nginx instance, enter the following command to stop the underlying services: + 1. In the SSH session for your Nginx instance, enter the following command to stop the underlying services: @@ -272 +235,3 @@ Create links to the Let’s Encrypt SSL certificate files in the NGINX server di - sudo /opt/bitnami/ctlscript.sh stop + sudo systemctl stop nginx + sudo systemctl stop mariadb + sudo systemctl stop php8.2-fpm @@ -276 +241 @@ You should see a response similar to the following: - + @@ -292,41 +257 @@ You should see a result similar to the following: - - - 4. Enter the following commands individually to rename your existing certificate files as backups. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. - - * For Debian Linux distributions - -Approach A (Bitnami installations using system packages): - - sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old - - sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old - -Approach B (Self-contained Bitnami installations): - - sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/nginx/conf/server.crt.old - - sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/nginx/conf/server.key.old - - * For older instances that use the Ubuntu Linux distribution: - - sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.crt /opt/bitnami/nginx/conf/bitnami/certs/server.crt.old - - sudo mv /opt/bitnami/nginx/conf/bitnami/certs/server.key /opt/bitnami/nginx/conf/bitnami/certs/server.key.old - - 5. Enter the following commands individually to create links to your Let’s Encrypt certificate files in the NGINX server directory. Refer to the **Important** block at the beginning of this tutorial for information about the different distributions and file structures. - - * For Debian Linux distributions - -Approach A (Bitnami installations using system packages): - - sudo ln -sf /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key - - sudo ln -sf /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt - -Approach B (Self-contained Bitnami installations): - - sudo ln -sf /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/nginx/conf/server.key - - sudo ln -sf /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/server.crt - - * For older instances that use the Ubuntu Linux distribution: + @@ -334 +259 @@ Approach B (Self-contained Bitnami installations): - sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/nginx/conf/bitnami/certs/server.key + 4. Run the command below to change the SSL configuration: @@ -336 +261,4 @@ Approach B (Self-contained Bitnami installations): - sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/nginx/conf/bitnami/certs/server.crt + sudo sed \ + -i -e "s|ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem|ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem|g" \ + -i -e "s|ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key|ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem|g" \ + /etc/nginx/conf.d/default.conf @@ -338 +266 @@ Approach B (Self-contained Bitnami installations): - 6. Enter the following command to start the underlying services that you stopped earlier: + 5. After overwriting the `default.conf` file, run the commands below to check the configuration and restart NGINX @@ -340 +268,4 @@ Approach B (Self-contained Bitnami installations): - sudo /opt/bitnami/ctlscript.sh start + sudo nginx -t + sudo systemctl restart nginx + sudo systemctl restart mariadb + sudo systemctl restart php8.2-fpm @@ -344,78 +275 @@ You should see a result similar to the following: - - -Your Nginx instance is now configured to use SSL encryption. However, traffic is not automatically redirected from HTTP to HTTPS. - - 7. Continue to the next section of this tutorial. - - -