Free SSL on AWS OpsWorks Rails App

In this post I’ll try and describe how to set up SSL for your Rails app. This solution is free and will automatically extend the certificate once the certificate runs its course. It is tweaked to work on AWS OpsWorks. If you use a different hosting solution and use Capistrano rather than Chef you should check out this tutorial here.

Having a secure HTTPS connection used to be a feature you’d see for example on banking web sites, where the need to address security issues was much higher.

However, as of late, this has changed quite a bit. Part of it likely has to do with browser vendors. In the last couple of years they’ve begun to make a point of warning you whenever you’re doing something that might not be secure. Which is a good thing.

How this is usually done is by showing you (i) an icon implying that your connection is ‘wrong’ and ‘insecure’. In reality, having SSL might not even be such a big deal if you don’t even use forms, don’t handle any passwords or such. However, even in those cases, the browser will tell you that the site is insecure.


Two of the major pains that I have with certificates are the following:

  1. They cost money
  2. They expire and then I forget about them

Green Bar vs. “Normal” Certificates

Just to make things clear, we are not talking about the so-called “green bar” here (aka Extended Validation SSL Certificates). For one of those you’ll need to dish out $300 or more.
So if what you’re looking for is how to set that up, this blog post won’t be of much help.


If you just want (i) to go away and to have something like this you are on the right page.


We’ll accomplish this by going through the following four steps:

  1. Use Let’s Encrypt
  2. Use custom chef script for Rails setup
  3. Set application env to use custom chef recipe
  4. Set up a cron job to auto-extend the certificate

1. Let’s Encrypt

https://letsencrypt.org/ is a nonprofit Certificate Authority. For the purposes of this post, I will assume you’re running Ubuntu 14.04.4 LTS server managed with AWS OpsWorks.

In this example I’ll be adding an SSL certificate for the “kodius.io” domain.


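    # execute in terminal
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    # --standalone starts its own temporary web server for validation,
    # so nginx must not be holding the port while this runs
    ./certbot-auto certonly --standalone -d kodius.io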

After executing the previous command, a certificate will be generated inside of the /etc/letsencrypt/live folder. Congrats!

If you are not using an Ubuntu/Nginx setup, then you should check out the proper command sequence here https://certbot.eff.org/.

2. Tweaking nginx config

If you open up the Amazon OpsWorks console and go to your Rails app settings you will see a section where you can manually add a certificate as well as SSL


This works great, however, it requires you to manually copy/paste keys to SSL certificate input text areas. While this might not be such a big deal to do once in a while, Let’s Encrypt certificates actually run out after a mere 90 days. You might not want to do that manually.

Instead we’ll build a custom chef script to enable SSL while the application is being deployed. We will also add a cron job to automatically extend the certificate’s validity, meaning we’ll never have to think twice about whether our certificate is gonna run out.

The recipe is available here https://github.com/kodius/kodius-chef-recipes. If you are unfamiliar with how to set up a custom chef recipe on AWS OpsWorks, the setup steps are listed over here.

3. Edit Environment Variables inside of the Rails App

When we re-deploy the app you’ll notice nothing’s changed:


In order to make this work you’ll have to enable the “SSL” part of the recipe for setting up our nginx configuration (this part is not mandatory, so whether you want to do it or not, it’s up to you).


    #setting in Rails App on OpsWorks UI
    ENABLE_MANUAL_SSL = true


After re-deploying once more, you will get a fully set up SSL connection. The recipe we’re using puts in a bunch of redirects for nginx to the new https:// address, so old links will still work.


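4. Set up a cron job to auto-extend the certificate

Add a script /home/ubuntu/renew_certs.sh


    #!/bin/bash
    # /home/ubuntu/renew_certs.sh
    # cron runs with a minimal PATH, so certbot-auto is called by full path
    # (assumption: it was downloaded to /home/ubuntu in step 1)
    /home/ubuntu/certbot-auto --quiet certonly -d kodius.io

    chmod +x /home/ubuntu/renew_certs.sh
    crontab -e
    # add to cron
    # (day-of-month only spans 1-31, so */60 matches day 1 alone:
    # the job runs at 00:00 on the 1st of every month)
    0 0 */60 * * /home/ubuntu/renew_certs.sh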
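
As an added check on the schedule above (example code added here, not part of the original post or the kodius recipe), this is a day-granularity model of how the `0 0 */60 * *` entry interacts with the 90-day certificate lifetime. It assumes certbot's default of renewing only when 30 days or fewer remain; `expand_dom`, `simulate` and the 2016-01-15 issue date are constructed for illustration.

```python
from datetime import date, timedelta

CERT_LIFETIME = 90  # days; Let's Encrypt lifetime quoted in the post
RENEW_WINDOW = 30   # days; assumed certbot default for "due for renewal"


def expand_dom(field):
    """Days of the month (1-31) matched by a cron day-of-month field."""
    days = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 1, 31
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-"))
        else:
            lo = hi = int(rng)
        days.update(range(lo, hi + 1, int(step) if step else 1))
    return days


def simulate(dom_field, issued, horizon_days=730):
    """Model the renewal job at day granularity.

    Returns (renewal_dates, worst_margin): worst_margin is the fewest days of
    validity left at any renewal, or a negative number if the certificate
    expired before the job renewed it.
    """
    fire_days = expand_dom(dom_field)
    expiry = issued + timedelta(days=CERT_LIFETIME)
    renewals, worst = [], CERT_LIFETIME
    for offset in range(1, horizon_days + 1):
        day = issued + timedelta(days=offset)
        left = (expiry - day).days
        if left < 0:
            return renewals, left  # lapsed: visitors see certificate errors
        if day.day in fire_days and left <= RENEW_WINDOW:
            renewals.append(day)
            worst = min(worst, left)
            expiry = day + timedelta(days=CERT_LIFETIME)
    return renewals, worst


if __name__ == "__main__":
    start = date(2016, 1, 15)  # constructed issue date
    for field in ("*/60", "*"):  # the post's schedule vs. a daily run
        dates, margin = simulate(field, start, horizon_days=120)
        print(field, sorted(expand_dom(field))[:3], [str(d) for d in dates], margin)
```

In this model `*/60` expands to day 1 only, so the first renewal lands on 2016-04-01 with 13 days of validity left, while a daily entry renews as soon as 30 days remain.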

Enjoy 🙂