HTTPS, Hexo, AWS S3 and Let’s Encrypt Adventures

After pushing the blog live, I went straight for HTTPS. As Let’s Encrypt provides certificates for free, cost should not be an issue anymore if you want to make sure that your site’s traffic is encrypted.

HTTPS safeguards the data in transit, protects against man-in-the-middle attacks and provides basic privacy for your customers. As a rule of thumb, you should always use HTTPS.

To implement HTTPS with Let’s Encrypt on your AWS S3 website you need to do the following:

  • Set up your basic S3 bucket and make sure that you can access it from your computer and that it is world-readable
  • Install certbot on your machine (if under Windows 10, you can use the built-in Ubuntu)
  • Run the following command: sudo certbot certonly --manual --server -d and follow the instructions
  • Upload the certificates into Amazon Certificate Manager
  • Create a CloudFront distribution for your S3 bucket and configure it to use your certificate and redirect traffic from HTTP to HTTPS
  • Change your name servers if needed and set up Route 53 to point to your CloudFront distribution
  • Your site should now be using HTTPS!

Problems that I encountered

If you are as unlucky as me, you might encounter a few hiccups during the process:

An unexpected error occurred:
UnicodeEncodeError: 'ascii' codec can't encode characters in position 191-192: ordinal not in range(128)
Please see the logfiles in /var/log/letsencrypt for more details.

For me this was because the challenge/response file that I uploaded was encoded in UTF8 instead of ASCII/ANSI. Make sure that your file contains ASCII only. I used Notepad++ to convert my file into ANSI, which solved this problem.

DNS might be super slow. I was able to access the site from my US VPN, but it took half a day for my local ISP. certbot uses your local connection, so make sure that you are able to access the challenge file from your machine.
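
As an added example (not from the original post and not part of certbot), this Python script checks a challenge file for the encoding problem described above and can fetch the published copy from the local machine. It assumes the HTTP-01 challenge, whose body is the ACME key authorization `<token>.<thumbprint>` (RFC 8555); the function names and the sample value are constructed for illustration.

```python
import re
import urllib.request

# Key authorization per RFC 8555: <token>.<base64url account-key thumbprint>
KEY_AUTH_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
BOMS = {b"\xef\xbb\xbf": "UTF-8", b"\xff\xfe": "UTF-16 LE", b"\xfe\xff": "UTF-16 BE"}


def check_challenge_bytes(data: bytes, expected: str) -> list[str]:
    """Return a list of problems with a challenge file body (empty list = OK)."""
    problems = []
    for bom, name in BOMS.items():
        if data.startswith(bom):
            problems.append(f"starts with a {name} byte-order mark")
            data = data[len(bom):]
            break
    bad = [i for i, b in enumerate(data) if b > 0x7F]
    if bad:
        problems.append(f"non-ASCII byte at offset {bad[0]} ({len(bad)} in total)")
        return problems
    text = data.decode("ascii").rstrip()  # trailing whitespace is tolerated
    if not KEY_AUTH_RE.fullmatch(text):
        problems.append("body is not of the form <token>.<thumbprint>")
    elif text != expected:
        problems.append("body differs from the value certbot printed")
    return problems


def check_published(domain: str, token: str, expected: str) -> list[str]:
    """Fetch the challenge URL from this machine and run the same checks."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_challenge_bytes(resp.read(), expected)


# Constructed sample value, not a real token or thumbprint.
SAMPLE = "kXf3_sample-token.9jg46WB3-sample_thumbprint"

if __name__ == "__main__":
    for label, body in [
        ("plain ASCII", SAMPLE.encode("ascii") + b"\n"),
        ("UTF-8 with BOM", b"\xef\xbb\xbf" + SAMPLE.encode("ascii")),
        ("UTF-16 LE", b"\xff\xfe" + SAMPLE.encode("utf-16-le")),
    ]:
        print(label, "->", check_challenge_bytes(body, SAMPLE) or "OK")
```

Run `check_challenge_bytes` on the local file before uploading it, and `check_published` from the same connection certbot will use before continuing the certbot prompt.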

CloudFront updates also take a lot of time, so wait 15+ minutes to make sure that your configuration changes have rolled out. As a rule of thumb, don’t do anything until your CloudFront status is Deployed. Trust me, I learned this the hard way.

Avoid double default document problems. I had the default document set up both in S3 and CloudFront which led to some unexpected behavior. Use S3’s Static website hosting settings instead of CloudFront’s Origin Path.