Making This Website HTTPS

For the longest time this site has been in HTTP mode. It’s time to HTTPS it.

We will be using Let’s Encrypt to issue a free SSL certificate for the following domains:

  • marcuschiu.com
  • *.marcuschiu.com

The latter is a wildcard domain, which covers every first-level sub-domain with a single certificate (e.g. www.marcuschiu.com, thoughts.marcuschiu.com, etc.). Let's Encrypt only issues wildcard certificates through the DNS-01 challenge, which is why the Route53 DNS plugin is installed below.

Install Dependencies

sudo yum install python3 python-devel augeas-devel gcc

Set up a Python virtual environment

sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip

Install Certbot

sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Install DNS Plugin For AWS Route53

sudo /opt/certbot/bin/pip install certbot-dns-route53

Use Certbot to Obtain Certificate

sudo certbot certonly --dns-route53 -d "marcuschiu.com" -d "*.marcuschiu.com"

Configure Nginx to Point to Issued Certificates

ssl_certificate     /etc/letsencrypt/live/marcuschiu.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/marcuschiu.com/privkey.pem;

server {
    listen 443 ssl;
    server_name marcuschiu.com www.marcuschiu.com;
    #...
}

server {
    listen 443 ssl;
    server_name confluence.marcuschiu.com;
    #...
}

# more https servers

# redirect HTTP to HTTPS
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Set Up Auto Renewal Process

echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && sudo certbot renew -q" | sudo tee -a /etc/crontab > /dev/null

Renewals reuse the --dns-route53 authenticator recorded in the certificate's renewal config, so the AWS credentials certbot used above must also be available to root when cron fires. Because the certificate was requested with certonly, nothing reloads nginx after a renewal; add a deploy hook (e.g. sudo certbot renew -q --deploy-hook "systemctl reload nginx") or nginx keeps serving the old certificate until its next reload.
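Before trusting the setup, it is worth checking that the issued certificate actually carries both names and has not silently expired, that nginx accepts the config, and that an unattended renewal works. The script below is an added example, not part of the original post; the check.sh file name and the path/name arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the issued
# certificate and the nginx/certbot setup before relying on them.

# Return 0 if the certificate in $1 lists every name in $2 (space-separated)
# in its subjectAltName extension and is valid for at least $3 more days.
check_cert() {
    cert="$1"; names="$2"; min_days="${3:-14}"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || {
        echo "cannot parse $cert"; return 1; }
    # grab the DNS: entries and append a comma so every name is comma-terminated
    san="$(openssl x509 -in "$cert" -noout -text | grep 'DNS:'),"
    rc=0
    set -f   # no globbing: "*.marcuschiu.com" must stay literal in the loop
    for n in $names; do
        case "$san" in
            *"DNS:$n,"*) ;;
            *) echo "missing SAN entry: $n"; rc=1 ;;
        esac
    done
    set +f
    # -checkend fails when the certificate expires within the given number of seconds
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires in under $min_days days"; rc=1
    fi
    return $rc
}

# Full post-setup check: certificate contents, nginx config syntax, and a
# renewal rehearsal (the dry run uses the Let's Encrypt staging environment).
run_checks() {
    check_cert "$1" "$2" 14 || return 1
    if command -v nginx >/dev/null 2>&1; then sudo nginx -t || return 1; fi
    if command -v certbot >/dev/null 2>&1; then sudo certbot renew --dry-run || return 1; fi
    echo "all checks passed"
}

# Only runs when invoked with arguments, e.g.:
#   sh check.sh /etc/letsencrypt/live/marcuschiu.com/fullchain.pem "marcuschiu.com *.marcuschiu.com"
if [ "$#" -gt 0 ]; then run_checks "$@"; fi
```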

Monthly Upgrade

sudo /opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-route53