ColectivaLegal / SmsAlertSystem

The WAISN SMS alert system using a RapidSMS server.

Use a real signed cert #17

Closed ErrorsAndGlitches closed 7 years ago

ErrorsAndGlitches commented 7 years ago

Twilio does not permit self-signed certificates. Can probably use "Let's Encrypt": https://letsencrypt.org/

Which is a trusted CA cert in the Firefox CA bundle, which Twilio is based on.

Firefox bundle: https://wiki.mozilla.org/CA/Included_Certificates
Twilio doc: https://www.twilio.com/blog/2016/02/security-update-on-ssl-certificate-validation.html

SSL will need to be re-enabled in the Twilio Account.

ErrorsAndGlitches commented 7 years ago

Instructions on how to install certbot: https://certbot.eff.org/#centosrhel7-apache

Instructions on how to enable EPEL: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-enable-epel/

ErrorsAndGlitches commented 7 years ago

Amazon Linux is based on RHEL 6, so the installation instructions (first link) won't work.

ErrorsAndGlitches commented 7 years ago

Things aren't working, probably because SSL is already enabled with a self-signed cert.

ErrorsAndGlitches commented 7 years ago

Ran manually:

sudo ./certbot-auto \
   --manual \
   --staging \
   -m waisntechteam@lists.mayfirst.org \
   -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
   certonly 

Cert will expire 2017-11-04.

ErrorsAndGlitches commented 7 years ago

In the future, it would make more sense to just register a domain name and use that with AWS Certificate Manager rather than jumping through all these hoops.

ErrorsAndGlitches commented 7 years ago

WOO! In the previous command, I was using staging because there is a 5 error limit per hour on the non-staging endpoint, and while figuring out how to use the manual approach, I reached the limit. After getting everything installed with staging, I forgot to repeat the steps against the prod endpoint, hence Twilio was still not working with SSL enabled.

After going through the steps again (which really wasn't that bad after figuring it out), Twilio requests with SSL now work. The steps are essentially:

  1. Use the manual approach command:
    sudo ./certbot-auto \
    --manual \
    -m waisntechteam@lists.mayfirst.org \
    -d rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com \
    certonly 
  2. You will need to make a file available via the Apache server - create the file somewhere with permissions that allow wsgi user access and update the /etc/httpd/conf.d/wsgi.conf file to permit access to the created file using the correct local mapping. Access can be tested in a browser before having certbot verify it.
  3. Import the cert using the AWS Console - the service name is Certificate Manager.
  4. In Elastic Beanstalk, go to the network configuration settings and use the cert that was previously imported.
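The challenge-file part of step 2 (making certbot's token reachable through Apache, then checking it in a browser before letting certbot validate), as an added shell example that is not part of this repository or of the comment above. It assumes Apache 2.4 httpd on the Amazon Linux host with a conf.d directory, and it serves the token from a dedicated static directory instead of editing wsgi.conf; the directory path, the conf filename and the function names are invented here.

```shell
#!/bin/sh
# Added example, not project code: serve a certbot --manual HTTP-01 token
# through Apache and verify it locally before certbot's validation request.
# Assumptions (not from the original thread): Apache 2.4 syntax, conf.d at
# /etc/httpd/conf.d; CHALLENGE_ROOT and APACHE_CONF are names chosen here.
set -eu

CHALLENGE_ROOT="${CHALLENGE_ROOT:-/var/www/acme-challenge}"
APACHE_CONF="${APACHE_CONF:-/etc/httpd/conf.d/acme-challenge.conf}"

# Print an Apache snippet that maps /.well-known/acme-challenge/ to a plain
# directory ($1). Alias takes precedence over the WSGI mount, so the token is
# served as a static file; only the ACME path is exposed, nothing else.
acme_apache_conf() {
    cat <<EOF
# Let's Encrypt HTTP-01 challenge files (static, served ahead of the WSGI app)
Alias /.well-known/acme-challenge/ "$1/"
<Directory "$1">
    Options None
    AllowOverride None
    Require all granted
</Directory>
EOF
}

# Write the file certbot --manual asks for: URL path component = token ($2),
# body = key authorization ($3). World-readable so the httpd/wsgi user can
# serve it, but not writable by that user. Tokens are base64url, so anything
# with a slash or a leading ".." is rejected rather than used as a path.
write_challenge_file() {
    case "$2" in
        */*|..*|"") printf 'refusing token with path characters: %s\n' "$2" >&2; return 1 ;;
    esac
    mkdir -p "$1"
    chmod 755 "$1"
    printf '%s' "$3" > "$1/$2"
    chmod 644 "$1/$2"
}

# Fetch the token through Apache ($1 = http://host) and compare the body
# byte-for-byte with the key authorization, which is what certbot's CA does.
check_challenge() {
    body=$(curl -fsS "$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$3" ]
}

# Usage, once certbot --manual has printed TOKEN and KEYAUTH:
#   acme_apache_conf "$CHALLENGE_ROOT" | sudo tee "$APACHE_CONF" >/dev/null
#   sudo service httpd reload
#   write_challenge_file "$CHALLENGE_ROOT" "$TOKEN" "$KEYAUTH"
#   check_challenge http://rapidsms-alert-sys-env.h8iff8nwke.us-west-2.elasticbeanstalk.com "$TOKEN" "$KEYAUTH"
```

Run the check against the staging endpoint first, as the thread did, because each failed validation on the production endpoint counts toward the hourly limit; once it passes, rerun certbot without --staging, since a staging certificate chains to a test root that Twilio will not trust.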