In the final part of this tutorial, we will talk about how to set up a secure HTTPS connection for our Django project on Apache as well as install a free SSL certificate provided by Let’s Encrypt.
Generating The SSL Certificate
Installing Certbot
To generate our certificate, we’re going to need Certbot. Boot up PuTTY and log into the system’s Shell and run the following commands to install Certbot.
ubuntu@instance_name:~$ sudo wget https://dl.eff.org/certbot-auto -O /usr/sbin/certbot-auto
ubuntu@instance_name:~$ sudo chmod a+x /usr/sbin/certbot-auto
That’s it! Certbot is now on our system.
Generating The Certificate
With Certbot now installed, we can proceed to generate our certificate.
First, we need to shut Apache down momentarily. In standalone mode, Certbot starts its own temporary web server on port 80 to prove control of the domain, so nothing else can be listening on that port. To shut down Apache use the following command:
ubuntu@instance_name:~$ sudo service apache2 stop
Once down, run the following command to begin generating our certificate:
ubuntu@instance_name:~$ sudo certbot-auto certonly --standalone -d domain.com -d www.domain.com
Replace domain.com and www.domain.com with your domain.
You’ll be prompted to answer a few questions and enter your email. After you’ve completed this step, your SSL certificate will be generated.
Your SSL certificate can be found at the following path:
/etc/letsencrypt/live/domain.com
You’ll notice four files got created.
- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
Configuring The VirtualHost
Back in Part 4 of this tutorial, Deploy Django to DreamCompute on Ubuntu with Apache – Part 4, we edited a file called 000-default.conf to set up the VirtualHost for our Django project to run on HTTP port 80. This time around we’re going to do the following:
- Redirect all traffic coming in through our HTTP version of the site to HTTPS
- Set up our HTTPS connection with our SSL certificate
To do that, edit the 000-default.conf file by running:
ubuntu@instance_name:~$ sudo nano /etc/apache2/sites-available/000-default.conf
Delete everything within the file and use the new template below:
<VirtualHost *:80>
    ServerName domain.com
    ServerAdmin na**@do****.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
    Alias /assets /home/ubuntu/domain.com/public/assets
    <Directory /home/ubuntu/domain.com/public/assets>
        Require all granted
    </Directory>
    <Directory /home/ubuntu/domain.com/projectname/projectname>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIDaemonProcess projectname python-path=/home/ubuntu/domain.com/projectname python-home=/home/ubuntu/domain.com/env
    WSGIProcessGroup projectname
    WSGIScriptAlias / /home/ubuntu/domain.com/projectname/projectname/wsgi.py
</VirtualHost>
Press Ctrl + X, Y, then Enter to save.
You’ll notice we’ve moved around a few things and added a new VirtualHost rule for port 443 for our HTTPS connection.
Before we can turn Apache back on, there are two modules we have to enable for Apache to run without errors: Apache’s SSL mod and the Rewrite mod. To do that run the following:
ubuntu@instance_name:~$ sudo a2enmod ssl
ubuntu@instance_name:~$ sudo a2enmod rewrite
That’s it; both mods are enabled. All we have left to do is start our Apache server again by running:
ubuntu@instance_name:~$ sudo service apache2 start
If you load up your website using HTTP, it should now redirect to the HTTPS version.
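A mistyped certificate file name or a missing redirect in 000-default.conf is easy to miss, so a short script can check the file before Apache is restarted. This is an added example, not part of the original tutorial; the function names and the sample config are constructed for illustration, and it only checks the directives used in the template above.

```python
import re

# Which of the four Certbot files each SSL directive may point at.
EXPECTED = {"sslcertificatefile": {"cert.pem", "fullchain.pem"},
            "sslcertificatekeyfile": {"privkey.pem"},
            "sslcertificatechainfile": {"chain.pem"}}

def parse_vhosts(conf_text):
    """Return {port: {directive: argument}}; a repeated directive keeps its last value."""
    vhosts, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opening = re.match(r"<VirtualHost\s+\S*:(\d+)\s*>", line, re.I)
        if opening:
            current = vhosts.setdefault(int(opening.group(1)), {})
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, *rest = line.split(None, 1)
            current[name.lower()] = rest[0] if rest else ""
    return vhosts

def lint(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, vhosts = [], parse_vhosts(conf_text)
    http, https = vhosts.get(80), vhosts.get(443)
    if http is None or "https://" not in http.get("rewriterule", http.get("redirect", "")):
        findings.append("port 80 is missing or does not redirect to https://")
    if https is None:
        return findings + ["no VirtualHost for port 443"]
    if https.get("sslengine", "").lower() != "on":
        findings.append("port 443 lacks 'SSLEngine on'")
    for name, allowed in EXPECTED.items():
        target = https.get(name, "")
        if not target and name != "sslcertificatechainfile":
            findings.append(f"port 443 lacks {name}")
        elif target and target.rsplit("/", 1)[-1] not in allowed:
            findings.append(f"{name} points at unexpected file {target}")
    return findings

# Constructed sample: the HTTPS block carries a 'privkey.pm' typo.
SAMPLE = """<VirtualHost *:80>
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pm
</VirtualHost>"""
print(lint(SAMPLE))
```

To check the real file, pass the contents of 000-default.conf to lint() instead of SAMPLE.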
Auto Renewing The Certificate
With our SSL certificate now installed and our HTTPS connection currently working, the last thing we’d want to set up is a way for the SSL certificates to auto-renew because Let’s Encrypt certificates are only valid for 90 days.
To renew our certificate, we’ll be leveraging cron jobs. To edit our cron jobs run the following:
ubuntu@instance_name:~$ crontab -e
Note: If this is your first time running the above command, you may be prompted to choose a way to open the file.
Once you are in the file, navigate to the bottom and enter the following:
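0 0,12 * * * sudo /usr/sbin/certbot-auto -q renew --pre-hook "service apache2 stop" --post-hook "service apache2 start"
Press Ctrl + X, Y, then Enter to save.
Note: The above will make Certbot run at noon and midnight every day. Because the certificate was issued in standalone mode, renewal also needs port 80, so the hooks stop Apache before a renewal attempt and start it again afterwards. They only run when a certificate is actually due for renewal.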
That’s it!