January 4, 2020

Setup HTTPS on Open edX Using Certbot

By default, Open edX does not ship with an SSL configuration, but we can add one manually. In this article I enable HTTPS on Open edX using Certbot.

Certbot is a client for Let's Encrypt, the web security certificate provider that issues SSL certificates for free.

Note: In the following example, the Course Management System (CMS) uses the domain studio.e-Learning.sibunglon.com, while the Learning Management System (LMS) uses the domain e-Learning.sibunglon.com.

Set up HTTPS on Open edX:

  1. Log in to the Open edX server.

  2. Open the file /etc/nginx/sites-enabled/lms and find the following configuration snippet. Please use your favorite text editor.

Note: Before updating the config, the initial configuration file should be backed up first. For backups, use the command sudo cp /etc/nginx/sites-enabled/lms ~/.

...
  listen 80 default_server;
...

Delete or comment out the LMS port configuration, then add the domain configuration.

...
  #listen 80 default_server;
  server_name e-Learning.sibunglon.com;
...

  3. Open the file /etc/nginx/sites-enabled/cms and find the following configuration snippet. Please use your favorite text editor.

Note: Before updating the config, the initial configuration file should be backed up first. For backups, use the command sudo cp /etc/nginx/sites-enabled/cms ~/.

...
  listen 18010;
...

Delete or comment out the CMS port configuration, then add the domain configuration.

...
  #listen 18010;
  server_name studio.e-Learning.sibunglon.com;
...

  4. Install certbot.

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

  5. Generate a web security certificate (SSL) and enable HTTPS.

-) If you want one certificate per domain, generate them one at a time, as follows.

$ sudo certbot --nginx -d e-Learning.sibunglon.com

Then run the same command again for the CMS domain.

-) If you want one certificate covering both domains (LMS and CMS), the command is as follows:

$ sudo certbot --nginx -d e-Learning.sibunglon.com -d studio.e-Learning.sibunglon.com

If certbot has not been used on the Open edX server before, the certificate generation command will prompt you as follows:

-) You will be asked to enter an email address. The address is used to send a notification later when the certificate is about to expire.

-) You are asked to read the Terms of Service and are given 2 choices: enter A to agree and continue, or C to cancel the certificate generation.

-) You are asked whether you want to receive emails from the certbot team about their work encrypting the web, EFF news, campaigns, and ways to support digital freedom. Enter Y if you want to receive these emails, or N if you do not.

When the certificate generation is complete, you are asked whether to redirect HTTP traffic to HTTPS or keep HTTP available. Enter 2 to redirect HTTP traffic to HTTPS, or 1 to leave HTTP traffic as it is.

The output for these prompts looks more or less like the following.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Starting new HTTPS connection (1): supporters.eff.org

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled 

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=e-Learning.sibunglon.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/e-Learning.sibunglon.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/e-Learning.sibunglon.com/privkey.pem
   Your cert will expire on 2020-04-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

After this, HTTPS on Open edX should be active. Try accessing the CMS and LMS using their domains.
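
A preflight check for the nginx edits in steps 2 and 3, to run before certbot --nginx: it confirms that the old listen line is no longer active and that server_name carries the domain you will pass with -d. This is an added example, not part of the original article; the helper names check_site and active_directives are hypothetical, and the two config files are constructed samples standing in for /etc/nginx/sites-enabled/lms and /etc/nginx/sites-enabled/cms.

```shell
#!/bin/sh
# Added example: preflight check for the nginx edits in steps 2 and 3.
# check_site and active_directives are hypothetical helper names.

# Print the active (uncommented) lines of one directive from an nginx file.
active_directives() {   # $1 = file, $2 = directive name
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;[ \t]*$/, ""); print }'
}

# Return 0 when the file is in the state the steps above produce:
# the old listen line is gone and server_name carries the domain.
check_site() {          # $1 = file, $2 = domain to pass to certbot -d
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # nginx matches names case-insensitively
    rc=0
    if ! active_directives "$1" server_name | tr 'A-Z' 'a-z' |
            tr -s ' \t' '\n\n' | grep -qxF -- "$want"; then
        echo "FAIL $1: no active server_name for $2"
        rc=1
    fi
    if [ -n "$(active_directives "$1" listen)" ]; then
        echo "FAIL $1: listen line still active"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK   $1: ready for certbot --nginx -d $2"
    return "$rc"
}

# Constructed sample files: lms has been edited, cms has not.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/lms" <<'EOF'
server {
  #listen 80 default_server;
  server_name e-Learning.sibunglon.com;
}
EOF
cat > "$demo_dir/cms" <<'EOF'
server {
  listen 18010;
  #server_name studio.e-Learning.sibunglon.com;
}
EOF

check_site "$demo_dir/lms" e-Learning.sibunglon.com
check_site "$demo_dir/cms" studio.e-Learning.sibunglon.com || true
```

On the server, point check_site at /etc/nginx/sites-enabled/lms and /etc/nginx/sites-enabled/cms, then validate the full configuration with sudo nginx -t before running certbot.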