SSL_setup_on_aws - mtholyoke/JupyterHub-on-AWS GitHub Wiki

Setting up SSL Certificates on an AWS VM

Requirements

  • AWS VM (confirmed on Ubuntu 20.04)
  • MHC URL directed at AWS Elastic IP
  • Certificate generated by LITS (or some other certificate authority)

Collect the required files

To get HTTPS working, three files are needed:

  • key file
  • a regular certificate
  • intermediate certificate

The key file will be provided by LITS via Google Drive or some other file sharing system.

The two certificate files will need to be requested from our Certificate Authority. An email with the subject "Enrollment Successful - Your SSL certificate for dsjupyterhub.mtholyoke.edu is ready" will be generated with links to download these files. There should be one email for each URL. Two files should be downloaded from the email by following two links:

  • Available formats:
    • as Certificate only, PEM encoded
  • Issuing CA certificates only:
    • as Root/Intermediate(s) only, PEM encoded

These two files should be listed first under the respective headers.

Move the files to the VM

Use scp to move the files. This is fairly straightforward, except that you use a key file to log on. Keep in mind that scp should be run from the command line on the local machine BEFORE you have used ssh to log on to the VM. The syntax is as follows, and it must be done for each of the three files that need to be moved:

scp -i ~/Desktop/test_server_RSA.pem ~/Desktop/JH_certs/DS/dsjupyterhub.mtholyoke.edu.key [email protected]:/home/ubuntu
scp -i ~/Desktop/test_server_RSA.pem ~/Desktop/JH_certs/DS/dsjupyterhub_mtholyoke_edu_cert.cer [email protected]:/home/ubuntu
scp -i ~/Desktop/test_server_RSA.pem ~/Desktop/JH_certs/DS/dsjupyterhub_mtholyoke_edu_interm.cer [email protected]:/home/ubuntu

Notes:

  • File paths could be updated so the files land in the right folders
  • AWS may not allow scp to overwrite existing files. Before transferring the files, make sure files with the same names are deleted.

Move the files to the correct folders

ssh into the VM where the certificates were moved, then move the files to the correct locations:

sudo mv dsjupyterhub.mtholyoke.edu.key /etc/ssl/private
sudo mv dsjupyterhub_mtholyoke_edu_cert.cer /etc/ssl/certs
sudo mv dsjupyterhub_mtholyoke_edu_interm.cer /etc/ssl/certs

Update permissions

Using this AWS documentation, update the permissions as follows:

Permissions for cert

Commands

ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
sudo chown root:root /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
sudo chmod 600 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer

Console session

ubuntu@ip-172-31-26-27:~$ ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
-rw-r--r-- 1 ubuntu ubuntu 2394 Aug 22 19:09 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ubuntu@ip-172-31-26-27:~$ sudo chown root:root /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ubuntu@ip-172-31-26-27:~$ sudo chmod 600 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ubuntu@ip-172-31-26-27:~$ ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
-rw------- 1 root root 2394 Aug 22 19:09 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer

Permissions for interm

Commands

ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
sudo chown root:root /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
sudo chmod 644 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer

Console session

ubuntu@ip-172-31-26-27:~$ ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
-rw-r--r-- 1 ubuntu ubuntu 5614 Aug 22 19:08 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
ubuntu@ip-172-31-26-27:~$ sudo chown root:root /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
ubuntu@ip-172-31-26-27:~$ sudo chmod 644 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
ubuntu@ip-172-31-26-27:~$ ls -al /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer
-rw-r--r-- 1 root root 5614 Aug 22 19:08 /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_interm.cer

Permissions for key

Commands

ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
sudo ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
sudo chown root:root /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
sudo chmod 600 /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
sudo ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key

Console session

ubuntu@ip-172-31-26-27:~$ ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
ls: cannot access '/etc/ssl/private/dsjupyterhub.mtholyoke.edu.key': Permission denied
ubuntu@ip-172-31-26-27:~$ sudo ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
-rw-r--r-- 1 ubuntu ubuntu 1704 Aug 22 19:07 /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
ubuntu@ip-172-31-26-27:~$ sudo chown root:root /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
ubuntu@ip-172-31-26-27:~$ sudo chmod 600 /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
ubuntu@ip-172-31-26-27:~$ sudo ls -al /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
-rw------- 1 root root 1704 Aug 22 19:07 /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
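
A pre-flight check for the steps above, added here as an example (it is not part of the original wiki or of TLJH): it confirms that the key is owned by root with no group or other access, and that the certificate actually belongs to that key, before the proxy is reloaded. The function names are illustrative, and it assumes GNU `stat` and the `openssl` command line tool are installed on the VM.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks on the key and certificate.
# Function names are illustrative; run as root so /etc/ssl/private is readable.

# Succeeds only if FILE is owned by OWNER (default root) and grants no
# access to group or other, i.e. mode 600 or 400.
key_is_private() {
    local path="$1" owner="${2:-root}" mode user
    mode=$(stat -c '%a' "$path") || return 2
    user=$(stat -c '%U' "$path") || return 2
    if [ "$user" != "$owner" ]; then
        echo "$path: owner is $user, expected $owner" >&2
        return 1
    fi
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$path: mode is $mode, expected 600" >&2; return 1 ;;
    esac
}

# Succeeds only if the certificate contains the public key that belongs
# to the private key. Each extraction is checked on its own so that two
# failed reads can never compare equal.
key_matches_cert() {
    local key="$1" cert="$2" pub_k pub_c
    pub_k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    pub_c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$pub_k" ] && [ "$pub_k" = "$pub_c" ]
}

# Runs both checks and reports the first failure.
preflight() {
    local key="$1" cert="$2" owner="${3:-root}"
    key_is_private "$key" "$owner" || return 1
    if ! key_matches_cert "$key" "$cert"; then
        echo "$key does not match $cert" >&2
        return 1
    fi
    echo "ok: $key is private and matches $cert"
}

# Run the checks only when a key and certificate path are given.
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

Saved to a file and run with sudo, it takes the key path and the certificate path from the commands above as its two arguments.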

Configure HTTPS on JupyterHub

Refer to TLJH documentation which includes the following instructions:

Commands

sudo tljh-config show
sudo tljh-config set https.enabled true
sudo tljh-config set https.tls.key /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
sudo tljh-config set https.tls.cert /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
sudo tljh-config show
sudo tljh-config reload proxy

Console session

ubuntu@ip-172-31-26-27:~$ sudo tljh-config show
users:
  admin:
  - beniam
ubuntu@ip-172-31-26-27:~$ sudo tljh-config set https.enabled true
ubuntu@ip-172-31-26-27:~$ sudo tljh-config set https.tls.key /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
ubuntu@ip-172-31-26-27:~$ sudo tljh-config set https.tls.cert /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ubuntu@ip-172-31-26-27:~$ sudo tljh-config show
users:
  admin:
  - beniam
https:
  enabled: true
  tls:
    key: /etc/ssl/private/dsjupyterhub.mtholyoke.edu.key
    cert: /etc/ssl/certs/dsjupyterhub_mtholyoke_edu_cert.cer
ubuntu@ip-172-31-26-27:~$ sudo tljh-config reload proxy
active
Proxy reload with new configuration complete

Connect using https!

https://dsjupyterhub.mtholyoke.edu