AWS lightsail documentation change
Summary
Restructured documentation to focus solely on Lightsail Nginx instances, removed Bitnami-specific instructions, updated headings to standard markdown format, and streamlined content for clarity.
Security assessment
The changes document HTTPS implementation using Let's Encrypt certificates which enhances security through encrypted connections. However, there's no evidence of addressing a specific vulnerability or incident. The update improves existing security documentation but doesn't reference any security incident.
Diff
diff --git a/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md b/lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md index 7f94e30ae..e602c836a 100644 --- a//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md +++ b//lightsail/latest/userguide/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.md @@ -7 +7 @@ -# Secure your Lightsail NGINX website with Let's Encrypt SSL/TLS +Step 1: Complete the prerequisitesStep 2: Install Certbot on your Lightsail instanceStep 3: Request a Let’s Encrypt SSL wildcard certificateStep 4: Add TXT records to your domain’s DNS zoneStep 5: Confirm that the TXT records have propagatedStep 6: Complete the Let’s Encrypt SSL certificate requestStep 7: Update SSL configuration in Nginx and redirect traffic from HTTP to HTTPSStep 8: Renew the Let’s Encrypt certificates every 90 days @@ -9,9 +9 @@ -Amazon Lightsail makes it easy to secure your websites and applications with SSL/TLS using Lightsail load balancers. However, using a Lightsail load balancer might not generally be the right choice. Perhaps your site doesn't need the scalability or fault tolerance load balancers provide, or maybe you're optimizing for cost. - -In the latter case, you might consider using Let's Encrypt to obtain a free SSL certificate. If so, that's no problem. You can integrate those certificates with Lightsail instances. This tutorial shows you how to request a Let’s Encrypt wildcard certificate using Certbot, and integrate it with your Nginx instance. - -###### Identify your Nginx blueprint vendor - -Here are a few steps you should take to get started after your Nginx instance is up and running on Amazon Lightsail. Before you get started, identify your blueprint vendor on your instance management page: - - +# Enable HTTPS on your Nginx instance with Let's Encrypt and Certbot @@ -19,3 +11 @@ Here are a few steps you should take to get started after your Nginx instance is -Select the appropriate guide for your Nginx instance: - -Lightsail +Amazon Lightsail makes it easy to secure your websites and applications with SSL/TLS using Lightsail load balancers. However, using a Lightsail load balancer might not generally be the right choice. Perhaps your site doesn't need the scalability or fault tolerance load balancers provide, or maybe you're optimizing for cost. @@ -22,0 +13 @@ Lightsail +In the latter case, you might consider using Let's Encrypt to obtain a free SSL certificate. If so, that's no problem. You can integrate those certificates with Lightsail instances. This tutorial shows you how to request a Let's Encrypt wildcard certificate using Certbot, and integrate it with your Nginx instance. @@ -38 +29 @@ Lightsail - * Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS + * Step 7: Update SSL configuration in Nginx and redirect traffic from HTTP to HTTPS @@ -45 +36 @@ Lightsail -###### Step 1: Complete the prerequisites +## Step 1: Complete the prerequisites @@ -47 +38 @@ Lightsail -Complete the following prerequisites if you haven’t already done so: +Complete the following prerequisites if you haven't already done so: @@ -55,3 +46 @@ Complete the following prerequisites if you haven’t already done so: -We recommend that you manage your domain’s DNS records using a Lightsail DNS zone. To learn more, see [ Create a DNS zone to manage your domain’s DNS records ](./lightsail-how-to-create-dns-entry.html) . - - * Use the browser-based SSH terminal in the Lightsail console to perform the steps in this tutorial: +We recommend that you manage your domain's DNS records using a Lightsail DNS zone. To learn more, see [ Create a DNS zone to manage your domain's DNS records ](./lightsail-how-to-create-dns-entry.html) . @@ -59,5 +48 @@ We recommend that you manage your domain’s DNS records using a Lightsail DNS z - - -###### Note - -You can also use your own SSH client, such as PuTTY. To learn more about configuring PuTTY, see [ Download and set up PuTTY to connect using SSH in Amazon Lightsail ](./lightsail-how-to-set-up-putty-to-connect-using-ssh.html) . + * Use the browser-based SSH terminal in the Lightsail console to perform the steps in this tutorial. However, you can also use your own SSH client, such as PuTTY. To learn more about configuring PuTTY, see [ Download and set up PuTTY to connect using SSH in Amazon Lightsail ](./lightsail-how-to-set-up-putty-to-connect-using-ssh.html). @@ -68 +53 @@ You can also use your own SSH client, such as PuTTY. To learn more about configu -###### Step 2: Install Certbot on your Lightsail instance +## Step 2: Install Certbot on your Lightsail instance @@ -101 +86 @@ Certbot is now installed on your Lightsail instance. -###### Step 3: Request a Let’s Encrypt SSL wildcard certificate +## Step 3: Request a Let’s Encrypt SSL wildcard certificate @@ -146 +131 @@ Let's Encrypt may provide a single or multiple TXT records that you must use for -###### Step 4: Add TXT records to your domain’s DNS zone +## Step 4: Add TXT records to your domain’s DNS zone @@ -181 +166 @@ The Lightsail console pre-populates the apex portion of your domain. For example -###### Step 5: Confirm that the TXT records have propagated +## Step 5: Confirm that the TXT records have propagated @@ -212 +197 @@ Example: -###### Step 6: Complete the Let’s Encrypt SSL certificate request +## Step 6: Complete the Let’s Encrypt SSL certificate request @@ -231 +216 @@ The message confirms that your certificate, chain, and key files are stored in t -###### Step 7: Update SSL configuration in NGINX and redirect traffic from HTTP to HTTPS +## Step 7: Update SSL configuration in Nginx and redirect traffic from HTTP to HTTPS @@ -233 +218 @@ The message confirms that your certificate, chain, and key files are stored in t -###### To update the SSL configuration in NGINX's default.conf +###### To update the SSL configuration in Nginx's default.conf @@ -272 +257 @@ If you closed your browser-based SSH terminal window since setting the `DOMAIN` - 5. After overwriting the `default.conf` file, run the commands below to check the configuration and restart NGINX + 5. After overwriting the `default.conf` file, run the commands below to check the configuration and restart Nginx @@ -288 +273 @@ Your Nginx instance is now configured to use SSL encryption and traffic is redir -###### Step 8: Renew the Let’s Encrypt certificates every 90 days +## Step 8: Renew the Let’s Encrypt certificates every 90 days @@ -292,411 +276,0 @@ Let’s Encrypt certificates are valid for 90 days. Certificates can be renewed -Bitnami - - -###### Important - - * The Linux distribution used by Bitnami instances changed from Ubuntu to Debian in July, 2020. Because of this change, some of the steps in this tutorial will differ depending on the Linux distribution of your instance. All Bitnami blueprint instances created after the change use the Debian Linux distribution. Instances created before the change will continue to use the Ubuntu Linux distribution. To check the distribution of your instance, run the `uname -a `command. The response will show either Ubuntu or Debian as your instance's Linux distribution. - - * Bitnami is in the process of modifying the file structure for many of their stacks. The file paths in this tutorial may change depending on whether your Bitnami stack uses native Linux system packages (Approach A), or if it is a self-contained installation (Approach B). To identify your Bitnami installation type and which approach to follow, run the following command: - -`test ! -f "/opt/bitnami/common/bin/openssl" && echo "Approach A: Using system packages." || echo "Approach B: Self-contained installation."` - - - - -**Contents** - - * Step 1: Complete the prerequisites - - * Step 2: Install Certbot on your Lightsail instance - - * Step 3: Request a Let’s Encrypt SSL wildcard certificate - - * Step 4: Add TXT records to your domain’s DNS zone - - * Step 5: Confirm that the TXT records have propagated - - * Step 6: Complete the Let’s Encrypt SSL certificate request - - * Step 7: Create links to the Let’s Encrypt certificate files in the NGINX server directory - - * Step 8: Configure HTTP to HTTPS redirection for your web application - - * Step 9: Renew the Let's Encrypt certificates every 90 days - - - - -###### Step 1: Complete the prerequisites - -Complete the following prerequisites if you haven’t already done so: - - * Create a Nginx instance in Lightsail. To learn more, see [Create an instance](./how-to-create-amazon-lightsail-instance-virtual-private-server-vps.html). - - * Register a domain name, and get administrative access to edit its DNS records. To learn more, see [DNS](./understanding-dns-in-amazon-lightsail.html). - -###### Note - -We recommend that you manage your domain’s DNS records using a Lightsail DNS zone. To learn more, see [Create a DNS zone to manage your domain’s DNS records](./lightsail-how-to-create-dns-entry.html). - - * Use the browser-based SSH terminal in the Lightsail console to perform the steps in this tutorial. However, you can also use your own SSH client, such as PuTTY. To learn more about configuring PuTTY, see [Download and set up PuTTY to connect using SSH in Amazon Lightsail](./lightsail-how-to-set-up-putty-to-connect-using-ssh.html). - - - - -After you've completed the prerequisites, continue to the next section of this tutorial. - -###### Step 2: Install Certbot on your Lightsail instance - -Certbot is a client used to request a certificate from Let’s Encrypt and deploy it to a web server. Let's Encrypt uses the ACME protocol to issue certificates, and Certbot is an ACME-enabled client that interacts with Let's Encrypt. - -###### To install Certbot on your Lightsail instance - - 1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/). - - 2. On the Instances home page, choose the SSH quick connect icon for the instance that you want to connect to. For example, with a WordPress instance named _Example_ : - - - - 3. After your Lightsail browser-based SSH session is connected, enter the following command to update the packages on your instance: - - sudo apt-get update - - - - 4. Enter the following command to install the software properties package. Certbot's developers use a Personal Package Archive (PPA) to distribute Certbot. The software properties package makes it more efficient to work with PPAs. - - sudo apt-get install software-properties-common - -###### Note - -If you encounter a `Could not get lock` error when running the `sudo apt-get install` command, please wait approximately 15 minutes and try again. This error may be caused by a cron job that is using the Apt package management tool to install [unattended-upgrades](https://wiki.debian.org/PeriodicUpdates). - - 5. Enter the following command to add Certbot to the local apt repository: - -###### Note - -Step 5 applies only to instances that use the Ubuntu Linux distribution. Skip this step if your instance uses the Debian Linux distribution. - - sudo apt-add-repository ppa:certbot/certbot -y - - 6. Enter the following command to update apt to include the new repository: - - sudo apt-get update -y - - 7. Enter the following command to install Certbot: - - sudo apt-get install certbot -y - -Certbot is now installed on your Lightsail instance. - - 8. Keep the browser-based SSH terminal window open—you return to it later in this tutorial. Continue to the next section of this tutorial. - - - - -###### Step 3: Request a Let’s Encrypt SSL wildcard certificate - -Begin the process of requesting a certificate from Let’s Encrypt. Using Certbot, request a wildcard certificate, which lets you use a single certificate for a domain and its subdomains. For example, a single wildcard certificate works for the `example.com` top-level domain, and the `blog.example.com`, and `stuff.example.com` subdomains. - -###### To request a Let’s Encrypt SSL wildcard certificate - - 1. In the same browser-based SSH terminal window used in step 2 of this tutorial, enter the following commands to set an environment variable for your domain. You can now more efficiently copy and paste commands to obtain the certificate. Be sure to replace ``domain`` with the name of your registered domain name. - - DOMAIN=domain - - WILDCARD=*.$DOMAIN - -Example: - - DOMAIN=example.com - - WILDCARD=*.$DOMAIN - - 2. Enter the following command to confirm the variables return the correct values: - - echo $DOMAIN && echo $WILDCARD