
Date Published: September 19, 2023

Using Let's Encrypt SSL on Acquia Cloud

Let's Encrypt is a Certificate Authority that provides free certificates and has a mission of enabling SSL everywhere.

This article is intended as a guide to assist with the installation of a Let's Encrypt SSL certificate onto the Acquia Cloud platform.

Note that this guide assumes you are using OSX/Linux.

A Warning Note

Acquia does not support automated renewal of Let's Encrypt certificates. When your certificate comes up for renewal (by default, Let's Encrypt certificates expire after 90 days), you will need to upload a new certificate using the SSL self-service functionality on Acquia Cloud.

Overall Steps

1. Install certbot locally (see https://eff-certbot.readthedocs.io/en/stable/install.html)

2. Update .htaccess file in your codebase

  • Just above the line RewriteRule "(^|/)\." - [F], add the following rule so that requests for the challenge path are not blocked as hidden files:
  • RewriteRule "^\.well-known/acme-challenge" - [L]

3. Run the command:

  • certbot --manual certonly

4. Create files in docroot/.well-known/acme-challenge as per instructions

5. Commit your changes using:

  • git add

  • git commit

  • git push

(Optional) If you are using Pipelines, perform a build if your workflow requires one.

6. Go to /etc/letsencrypt/live/ on your local machine for the certificate files.

7. Install the certificate, private key, chain in the Acquia Cloud SSL Self Service UI.

Detailed Steps

1.  Note that this guide assumes you are using OSX/Linux.

Download certbot, a command-line tool from the EFF for managing SSL certificates with Let's Encrypt. On the certbot site, select Apache and then your OS from the dropdown to get the installation instructions.

2. Run sudo certbot certonly --manual --no-eff-email --agree-tos -m [EMAIL] -d [DOMAIN_1] -d [DOMAIN_N], replacing [EMAIL] with your email address and [DOMAIN_1] through [DOMAIN_N] with the domains you want the certificate to cover. You will be presented with:

-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Select Y to continue.

A Warning Note

After selecting Y and pressing Enter, certbot shows the data and the file you need to create, followed by the message:

"Press Enter to Continue"

Do NOT press enter to continue.

You will be presented with:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

[LONG-STRING-DATA]

And make it available on your web server at this URL:

http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Pause the process at this point.

3. For Drupal 7 you can use the letsencrypt_challenge module, which lets you easily serve the required content at the http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING] URL.

4. Manual method for Drupal 8 or 7

4.1. Without pressing Enter, clone your repository (see here).

4.2. Create the challenge directory and the file inside it. From your repository's docroot, create the directory and a file named with the [LONG-STRING] from the prompt at which you paused the process (see above):

$ mkdir -p .well-known/acme-challenge
$ touch .well-known/acme-challenge/[LONG-STRING]

4.3. In a text editor, open the file, paste in the [LONG-STRING-DATA] provided by the certbot prompt, and save it.

4.4. Add and commit all the changes to git (see Sending updates to your code repository) and deploy the branch or tag containing the changes to the Acquia environment you want to use (see Code workflows with Acquia Cloud).
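As an added example (not part of the Acquia article), the following POSIX shell functions perform steps 4.2 and 4.3 in one go and let you confirm the challenge file is correct, and reachable on the live site, before you resume certbot. The function names and arguments are assumptions; the token and data values used are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Acquia article. Writes the HTTP-01 challenge
# file under the docroot exactly as certbot prompted and checks it before
# you press Enter. Function names and arguments are assumptions.

# write_challenge DOCROOT TOKEN DATA
#   creates DOCROOT/.well-known/acme-challenge/TOKEN containing only DATA
write_challenge() {
  docroot="$1"; token="$2"; data="$3"
  # The token is used as a file name: accept only base64url characters so a
  # mistyped or pasted value can never escape the challenge directory.
  case "$token" in
    *[!A-Za-z0-9_-]*|"") echo "refusing suspicious token: $token" >&2; return 1 ;;
  esac
  mkdir -p "$docroot/.well-known/acme-challenge"
  # printf without a trailing newline: the file must contain just the data
  printf '%s' "$data" > "$docroot/.well-known/acme-challenge/$token"
}

# challenge_matches DOCROOT TOKEN DATA -> 0 if the file content equals DATA
challenge_matches() {
  [ "$(cat "$1/.well-known/acme-challenge/$2")" = "$3" ]
}

# check_served DOMAIN TOKEN DATA -> 0 if the deployed site returns DATA
#   (needs network access; run it after the deploy, before resuming certbot)
check_served() {
  body=$(curl -fsS "http://$1/.well-known/acme-challenge/$2") || return 1
  [ "$body" = "$3" ]
}
```

If check_served fails after the deploy, the usual cause is the .htaccess dotfile rules described later in this article blocking the .well-known path.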

A Warning Note

This step is time sensitive. You need to create, commit and deploy this file to your site quickly and then resume the certbot process; otherwise certbot will time out and you will receive an error message.

5. Resume certbot by pressing Enter in the terminal. You should see:

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[domain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[domain]/privkey.pem
   Your cert will expire on [date]. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

6. Copy the contents of the certificate you just generated on your local machine into the Acquia Cloud interface SSL page.

6.1. On your local machine you can view the contents of the PEM files using the following commands (the default location is /etc/letsencrypt/live/[domain]/):

$ sudo cat /etc/letsencrypt/live/[domain]/fullchain.pem
$ sudo cat /etc/letsencrypt/live/[domain]/privkey.pem

6.2. Following Managing SSL certificates, once you reach step 4 populate the fields with the contents of fullchain.pem and privkey.pem. Note that the first certificate entry in fullchain.pem goes in the SSL certificate field.
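As an added example (not part of the Acquia article), the following POSIX shell functions split fullchain.pem into the leaf certificate for the SSL certificate field and the remaining certificates for the chain field, and sanity-check what you are about to paste. Function names, output paths and the sample PEM contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Acquia article. Splits fullchain.pem into the
# first PEM block (SSL certificate field) and the rest (chain field), and
# checks the files before pasting. Function names and paths are assumptions.

# split_fullchain FULLCHAIN LEAF_OUT CHAIN_OUT
split_fullchain() {
  fullchain="$1"; leaf="$2"; chain="$3"
  : > "$leaf"; : > "$chain"          # start empty even if there is no chain
  # awk counts BEGIN markers: block 1 goes to the leaf file, later blocks
  # (intermediates) go to the chain file
  awk -v leaf="$leaf" -v chain="$chain" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print >> leaf }
    n >= 2 { print >> chain }
  ' "$fullchain"
}

# count_certs FILE -> number of PEM certificate blocks in FILE
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# key_looks_valid FILE -> 0 if FILE is a PEM private key (privkey.pem)
key_looks_valid() {
  grep -qE -- '-----BEGIN (EC |RSA )?PRIVATE KEY-----' "$1"
}

# make_sample_fullchain FILE: writes a constructed two-block file for testing
# (placeholder body lines, not real certificate data)
make_sample_fullchain() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-LEAF-CERT' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'CONSTRUCTED-INTERMEDIATE' '-----END CERTIFICATE-----' > "$1"
}
```

On a real system run the split with sudo against /etc/letsencrypt/live/[domain]/fullchain.pem, and expect count_certs to report 1 for the leaf file and at least 1 for the chain file.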

7. You can now proceed to the next steps of Managing SSL certificates to Activate the certificate.

If you are using Drupal 8, or Drupal 7.55 or earlier, your .htaccess file may need some adjustment so that the .well-known directory is not treated as a protected hidden path.

Look for the FilesMatch directive. It should be at the very top of the .htaccess file and its pattern should include ^(\.(?!well-known).*, which denies other dot-prefixed files but exempts .well-known. Here is an example:

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

In addition, look for the mod_rewrite section further down the .htaccess file; its rule should include ^\.(?!well-known/), so that dot-prefixed paths other than .well-known/ are still refused. Here is an example:

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "/\.|^\.(?!well-known/)" - [F]

</IfModule>
