
Implementing SSL (https)

This assumes that andes is deployed and connected to a cradlepoint.

  1. Add a domain name for this deployment using a prefix (e.g. my_new_andes.andes-dfo-mpo.ca) and point it to the cradlepoint IP.
  2. Enable port forwarding on the cradlepoint for ports 22 (ssh), 80 (http) and 443 (https) between the cradlepoint’s IP and the server’s static IP.
  3. Follow the guide at https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal. Start by installing snap core and certbot:
     sudo snap install core; sudo snap refresh core
     sudo snap install --classic certbot
     sudo ln -s /snap/bin/certbot /usr/bin/certbot
    
  4. Allow all traffic in through the cradlepoint. This is necessary for Let's Encrypt to verify the server.
  5. Comment out (#) the wsgi lines in /etc/apache2/sites-available/000-default.conf
     #    WSGIDaemonProcess andes python-path=/var/www/andes_root/andes python-home=/var/www/andes_root/venv
     #    WSGIProcessGroup andes
     #    WSGIScriptAlias / /var/www/andes_root/andes/andes/wsgi.py
    
  6. Request the certificates using the domain name associated with the cradlepoint. Select 000-default-le-ssl.conf when offered the choice.
     sudo certbot --apache
    
  7. If successful, close the cradlepoint to external traffic.
  8. Uncomment the WSGI lines in both /etc/apache2/sites-available/000-default.conf and /etc/apache2/sites-available/000-default-le-ssl.conf. Rename the DaemonProcess and ProcessGroup in one of the .conf files to ensure uniqueness, e.g.
     WSGIDaemonProcess andes1 python-path=/var/www/andes_root/andes python-home=/var/www/andes_root/venv
     WSGIProcessGroup andes1
     WSGIScriptAlias / /var/www/andes_root/andes/andes/wsgi.py
    
  9. Restart Apache and verify that http and https work.
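
A check for step 8 that can be run before restarting Apache, as an added example that is not part of the Andes project: it reports WSGIDaemonProcess names defined in more than one file and any WSGIProcessGroup that does not match a daemon in its own file. The function names and the sample files written by make_conf are constructed for illustration; the one-pair-per-file rule follows this guide's layout.

```shell
#!/bin/sh
# Added example, not part of the Andes project: lint the WSGI lines from steps 5 and 8.
# Assumption: each directive is on its own line, as in the snippets in this guide.

# Print the names given to an active (uncommented) directive in the listed files.
wsgi_names() {
    directive=$1; shift
    awk -v d="$directive" 'tolower($1) == tolower(d) { print $2 }' "$@"
}

# Print WSGIDaemonProcess names defined more than once; status 1 if any.
duplicate_daemons() {
    dups=$(wsgi_names WSGIDaemonProcess "$@" | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Print "file: group" for each WSGIProcessGroup whose daemon is not defined in
# the same file (this guide's layout: one pair per .conf); status 1 if any.
mismatched_groups() {
    rc=0
    for f in "$@"; do
        for g in $(wsgi_names WSGIProcessGroup "$f"); do
            wsgi_names WSGIDaemonProcess "$f" | grep -qxF -- "$g" && continue
            printf '%s: %s\n' "$f" "$g"
            rc=1
        done
    done
    return $rc
}

# Write a constructed sample file: $1 = path, $2 = daemon name, $3 = group name.
make_conf() {
    printf '%s\n' \
        "WSGIDaemonProcess $2 python-path=/var/www/andes_root/andes python-home=/var/www/andes_root/venv" \
        "WSGIProcessGroup $3" \
        "WSGIScriptAlias / /var/www/andes_root/andes/andes/wsgi.py" > "$1"
}

# With no arguments, check constructed samples: step 8 done without the rename.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    make_conf "$tmp/000-default.conf" andes andes
    make_conf "$tmp/000-default-le-ssl.conf" andes andes
    set -- "$tmp"/*.conf
fi
echo "Duplicate daemon names:";        duplicate_daemons "$@" || true
echo "Groups without a local daemon:"; mismatched_groups "$@" || true
```

On the server, pass the two files from step 8 as arguments; no output under either heading means the names are unique and each group matches its daemon.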