There was a time when an SSL certificate was considered a luxury, and only a few websites run by serious businesses had one. Times have changed. Nowadays an SSL certificate is a must-have, especially if your website carries out heavy online transactions. If you use non-profit fundraising software or charity donation software for fundraising campaigns, read on: this article will help you acquire a free SSL certificate.
Having an SSL certificate on your website comes with many benefits. It not only protects your data in transit but also helps boost your search engine ranking. In addition, an SSL certificate provides authentication and helps you with PCI DSS requirements. Apart from these benefits, it is important to note that Google, one of the largest search engines, has made it mandatory for websites to acquire an SSL certificate.
Hence, in order to provide a free SSL certificate to various charity donation platforms and non-profit fundraising software solutions, Rishabh Gupta from GammaStack came up with an easy way for the white label solutions.
This article focuses on how you can obtain a free SSL/TLS certificate for your website and how you can automate its deployment to an AWS application via a load balancer.
GammaStack recently provided multi-domain white label solutions to various non-profit organizations that needed SSL/TLS certificates. We decided to use Let's Encrypt (an open certificate authority) certificates, which are free and come with 90 days' validity and automated renewal. They provide flexibility and scalability in certificate issuance, renewal and update with simple commands.
Architecture planning for SSL installation
To install SSL certificates, we have two options:
i) Full HTTPS connection
[Browser <-- HTTPS --> Load Balancer <-- HTTPS --> a1/a2 nginx]
Install certificates on the load balancer and on both web servers (EC2). In this case, the connection from the user to the load balancer (LB) is encrypted with the LB certificate, and the connection from the LB to the web server is encrypted with the certificate installed on Nginx/Apache. With this setup we need the same certificates in three places: LB, app1 and app2 (and potentially on other servers when we have them: app3, etc.).
ii) HTTPS + HTTP connection
[Browser <-- HTTPS --> Load Balancer <-- HTTP --> a1/a2 nginx]
Here we reconfigure Nginx/Apache not to encrypt the connection, so the certificate only needs to be installed on the load balancer. SSL is terminated at the LB; there is no need to encrypt connections between the load balancer and the web servers, as they are located on the same service provider (AWS). We'll be proceeding with this configuration.
Install Certbot (Let's Encrypt ACME client) on the server running your website
Certbot is an easy-to-use client that fetches a certificate from Let's Encrypt. It needs to be installed on the web servers (EC2) where the websites are hosted. Our project is backed by 2 EC2 instances, which are configured behind an AWS Elastic Load Balancer (ELB). Certbot is installed on both EC2 instances.
Depending upon webserver & operating system of your server, follow the commands provided on this page: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx
Certbot issues certificates by validating the ownership of requested domains. In this process, it places a text file on the webserver.
Now to obtain an SSL certificate, execute this command on your server:
In this command, /srv/npo_project/current/public is the webroot path. By default, Certbot prefers the HTTP-01 challenge, which validates the ownership of the requested domains. However, if a wildcard certificate is needed, you need to use one of Certbot's DNS plugins. For more info: https://certbot.eff.org/docs/using.html#dns-plugins
Congratulations, you have successfully generated a certificate for your domains.
Check available certificates by running the command: `certbot certificates`
Installation of AWS CLI to deploy certificates to load balancer
AWS CLI needs to be installed on web servers to deploy certificates on the Load balancer. To install AWS CLI follow this link: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2-linux-mac.html
Configure the AWS CLI by adding the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables inside the credentials configuration file at the default location, ~/.aws/config.
Importing generated certificates to AWS ACM:
It will return a certificate_arn, which is unique for each certificate on AWS ACM.
Deployment to AWS Application load balancer:
Here, listener-arn is the application load balancer ARN and new_cert_arn is the unique identifier obtained after importing the certificate to ACM (AWS Certificate Manager).
Renewing certificates with deploy-hooks
Let's Encrypt certificates come with a validity of 90 days and get renewed automatically before they expire. However, we can also configure other settings along with certificate renewal, such as a deploy hook. For example:
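The ACM import, listener update and deploy hook described in the sections above, combined into one script as an added example; it is not the author's original hook. The listener ARN is a placeholder, `CERT_ARN`, the hook path and `example.org` are hypothetical, and the AWS CLI is assumed to be configured with permission to import into ACM and modify the listener.

```shell
#!/bin/sh
# Added example (not the author's script): Certbot deploy hook that imports a
# renewed certificate into ACM and attaches it to the ALB HTTPS listener.
# Issue once: certbot certonly --webroot -w /srv/npo_project/current/public -d example.org
# Wire up:    certbot renew --deploy-hook /usr/local/bin/acm-deploy-hook.sh  (hypothetical path)
set -eu

# Placeholder; CERT_ARN (optional) re-imports into an existing ACM certificate.
LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:listener/PLACEHOLDER}"

# Refuse to deploy unless the lineage directory holds all three non-empty PEM files.
check_lineage() {
  for pem in cert.pem privkey.pem chain.pem; do
    [ -s "$1/$pem" ] || { echo "missing or empty: $1/$pem" >&2; return 1; }
  done
}

# Import the PEM files into ACM; prints the certificate ARN on stdout.
# fileb:// makes AWS CLI v2 read the files as raw bytes.
import_to_acm() {
  lineage_dir="$1"; reimport_arn="${2:-}"
  set -- acm import-certificate \
    --certificate "fileb://$lineage_dir/cert.pem" \
    --private-key "fileb://$lineage_dir/privkey.pem" \
    --certificate-chain "fileb://$lineage_dir/chain.pem" \
    --query CertificateArn --output text
  if [ -n "$reimport_arn" ]; then set -- "$@" --certificate-arn "$reimport_arn"; fi
  aws "$@"
}

# Validate, import, then set the listener's certificate to the returned ARN.
deploy() {
  check_lineage "$RENEWED_LINEAGE" || return 1
  new_cert_arn="$(import_to_acm "$RENEWED_LINEAGE" "${CERT_ARN:-}")" || return 1
  case "$new_cert_arn" in
    arn:aws:acm:*) ;;
    *) echo "unexpected ACM reply: $new_cert_arn" >&2; return 1 ;;
  esac
  aws elbv2 modify-listener --listener-arn "$LISTENER_ARN" \
    --certificates "CertificateArn=$new_cert_arn" >/dev/null || return 1
  echo "$new_cert_arn"
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```

Setting `CERT_ARN` to the ARN returned by the first import makes later renewals replace that certificate in place instead of creating a new ACM entry every time.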
The above solution for acquiring a free SSL certificate by Rishabh Gupta has enabled several non-profit organizations working with GammaStack to obtain a free SSL certificate.
About the author:
Ruby on Rails developer at GammaStack