===== DokuWiki Amazon Linux 2 =====
This is how I installed DokuWiki on Amazon Linux 2 and configured automatic updating of the SSL certificate. This installation was done on-prem for a private wiki that is not publicly accessible. Because of this, Let's Encrypt certificate validation does not happen on the instance itself.
{{tag>AWS Linux DokuWiki NSS Apache LetsEncrypt}}
==== Install Prerequisites ====
If you plan to run DokuWiki on an AWS EC2 instance you may want to use EFS for the ''/var/www/'' directory. I have directions on how I did this on the page [[dokuwiki:aws|DokuWiki Amazon Web Services (AWS)]].
Use the command ''amazon-linux-extras'' to enable the PHP 7.4 and the Extra Packages for Enterprise Linux (EPEL) repositories.
<code bash>
sudo amazon-linux-extras install php7.4 epel
</code>
Install Apache, the NSS module, PHP, and the needed PHP modules. I let dependency resolution for mod_nss and the PHP modules pull in Apache and PHP.
<code bash>
sudo yum -y install mod_nss php-gd php-xml php-geshi php-email-address-validation
</code>
Update everything else and reboot.
<code bash>
sudo yum -y upgrade
sudo shutdown -r now
</code>
List the installed kernels, find the running kernel version, and remove unneeded kernels.
<code bash>
rpm -qa kernel
uname -a
sudo yum -y erase kernel-4.14.123-111.109.amzn2.x86_64
</code>
==== Install DokuWiki ====
Download and extract DokuWiki.
<code bash>
curl -O https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
tar zxvf dokuwiki-stable.tgz
</code>
Install DokuWiki by copying to the Apache document root directory and changing ownership to the apache user.
<code bash>
sudo cp -R ~/dokuwiki/* /var/www/html/
sudo chown -R apache:apache /var/www/html/*
</code>
Restrict permissions on key directories so they are not world readable.
<code bash>
sudo chmod -R 700 /var/www/html/data
sudo chmod -R 700 /var/www/html/config
sudo chmod -R 700 /var/www/html/conf
sudo chmod -R 700 /var/www/html/inc
sudo chmod -R 700 /var/www/html/vendor
sudo chmod -R 700 /var/www/html/lib/plugins/
sudo chmod -R 700 /var/www/html/lib/tpl/
</code>
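A quick way to confirm that these permissions survived a later upgrade or plugin install (unpacked files tend to arrive as 0644/0755) is the following added Python check. It is not part of DokuWiki or of these notes; it assumes the ''/var/www/html'' document root and the directory list above, and its ownership check uses the ''apache'' user the files were chowned to.

```python
"""Verify that DokuWiki's private directories stay closed to group and other.

Added example for this page; not part of DokuWiki or the original install
notes. Assumes the /var/www/html document root and checks the same
directories the chmod -R 700 commands above lock down.
"""
import os
import stat
import sys
from pathlib import Path

DOCROOT = "/var/www/html"  # document root used in the notes
# The directories the install notes restrict with chmod -R 700.
PRIVATE_DIRS = ("data", "config", "conf", "inc", "vendor", "lib/plugins", "lib/tpl")


def exposed_paths(docroot=DOCROOT, private_dirs=PRIVATE_DIRS, expected_uid=None):
    """Return (path, problem) pairs for anything under the private directories
    that grants group/other access, is missing, or (if expected_uid is given)
    is not owned by that uid. An empty list means the tree is clean."""
    findings = []
    for rel in private_dirs:
        top = Path(docroot) / rel
        if not top.exists():
            findings.append((str(top), "missing"))
            continue
        for path in (top, *top.rglob("*")):
            if path.is_symlink():
                continue  # a symlink's own mode bits are meaningless; its target is checked separately
            st = path.stat()
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((str(path), f"mode {mode:04o} grants group/other access"))
            if expected_uid is not None and st.st_uid != expected_uid:
                findings.append((str(path), f"owned by uid {st.st_uid}, expected {expected_uid}"))
    return findings


def main():
    try:
        import pwd
        apache_uid = pwd.getpwnam("apache").pw_uid  # the user the notes chown to
    except (ImportError, KeyError):
        apache_uid = None  # no apache user on this host; skip the ownership check
    findings = exposed_paths(expected_uid=apache_uid)
    for path, problem in findings:
        print(f"{path}: {problem}")
    print("OK" if not findings else f"{len(findings)} problem(s) found")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it as root (so the 0700 directories can be traversed) after every upgrade; a non-zero exit lists everything that is group- or world-accessible, missing, or owned by the wrong user.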
Edit the Apache configuration to restrict key directories even further.
<code bash>
sudo vim /etc/httpd/conf/httpd.conf
</code>
Only the changed lines are listed below; the rest of the file was left unmodified.
<code apache>
# Add the following line
Options FollowSymLinks
# Change the following line
#Options Indexes FollowSymLinks
Options Indexes FollowSymLinks MultiViews
# Change the following line to allow .htaccess to enable the rewrite engine
#AllowOverride None
AllowOverride All
# Add the following two lines
Order allow,deny
allow from all
# Add the following section after the section above
Order allow,deny
Deny from all
Satisfy All
</code>
==== Install SSL Certificate ====
I have a Lambda function that will launch an EC2 instance that automatically generates and updates a [[aws:lambda:letsencrypt_wildcard|Let's Encrypt wildcard certificate]]. The process below will download the pre-generated certificate and use that for the certificate installation. If you are using an existing certificate you can first convert it to P12 format by using my [[linux:openssl|OpenSSL Cheat Sheet]].
\\
\\
Configure the AWS CLI if you are installing on-prem. Otherwise, assign an IAM role to the EC2 instance that allows it to download the P12 file from S3 and retrieve the value of the encrypted Systems Manager Parameter SecureString.
<code bash>
aws configure
</code>
Download the certificate in P12 form from S3 to the current directory.
<code bash>
aws s3 cp s3://S3BUCKETNAME/DOMAIN.TLD.p12 ./
</code>
Obtain the P12 file password from the appropriate Systems Manager parameter secure string and install the certificate into the Apache NSS certificate database.
<code bash>
sudo pk12util -i DOMAIN.TLD.p12 -d /etc/httpd/alias/ -W "$(aws ssm get-parameter --name "/DOMAIN.TLD/p12password" --with-decryption --output text --query 'Parameter.Value')"
</code>
Verify the certificate is installed in the Apache NSS certificate database and find the certificate's nickname.
<code bash>
sudo certutil -d /etc/httpd/alias/ -L
</code>
Update the NSS configuration to use the newly installed certificate by its nickname and change the port from 8443 to 443.
<code bash>
sudo vim /etc/httpd/conf.d/nss.conf
</code>
Only the changed lines are listed below; the rest of the file was left unmodified.
<code apache>
# Change the following line
#Listen 8443
Listen 443
# Change the following line
#<VirtualHost _default_:8443>
<VirtualHost _default_:443>
# Change the following line. Quotes surround the nickname since it contains spaces.
#NSSNickname Server-Cert
NSSNickname "*.DOMAIN.TLD - Let's Encrypt"
</code>
Add a new ''.htaccess'' file to redirect HTTP to HTTPS.
<code bash>
sudo vim /var/www/html/.htaccess
sudo chown apache:apache /var/www/html/.htaccess
sudo chmod 600 /var/www/html/.htaccess
</code>
Contents of ''/var/www/html/.htaccess'':
<code apache>
RewriteEngine on
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]
</code>
==== Complete Installation ====
Restart the ''php-fpm'' service, start the Apache service, and enable Apache to start on boot.
<code bash>
sudo systemctl restart php-fpm
sudo systemctl start httpd
sudo systemctl enable httpd
</code>
Complete installation by visiting https://WIKI.DOMAIN.TLD/install.php and then delete the ''install.php'' file.
<code bash>
sudo rm /var/www/html/install.php
</code>
==== Configure Auto Updating of Certificate ====
Create the script that downloads the certificate, installs it, and then restarts Apache. Create a cron job to run the script at regular intervals. The script could be updated to also perform date comparison checks so the certificate download and installation are skipped when not needed.
<code bash>
sudo vim /root/install_ssl.sh
sudo chmod 755 /root/install_ssl.sh
</code>
Contents of ''/root/install_ssl.sh'':
<code bash>
#!/bin/bash
# Abort on the first failed step so a failed download, SSM lookup or import never restarts Apache with a stale or missing certificate.
set -euo pipefail
date
# Fetch the current P12 bundle from S3.
aws s3 cp s3://S3BUCKETNAME/DOMAIN.TLD.p12 /root/
# Read the P12 password from the SSM Parameter Store SecureString (an assignment, so set -e catches a failed lookup).
P12_PASSWORD="$(aws ssm get-parameter --name "/DOMAIN.TLD/p12password" --with-decryption --output text --query 'Parameter.Value')"
# Import the certificate and key into the Apache NSS database, then restart Apache to pick them up.
pk12util -i /root/DOMAIN.TLD.p12 -d /etc/httpd/alias/ -W "$P12_PASSWORD"
systemctl restart httpd
date
</code>
Add the cron job. This schedule runs the script at 01:01 on the 1st and 17th of every month and logs both stdout and stderr.
<code bash>
sudo crontab -e
</code>
<code>
1 1 */16 * * /root/install_ssl.sh > /root/install_ssl.log 2>&1
</code>
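To add the date comparison mentioned above, here is an added Python helper (not code from the page, DokuWiki or mod_nss) that the cron script could run before ''pk12util''. It compares the expiry of the certificate already in the NSS database with the expiry of the certificate inside the downloaded P12 and only asks for an install when the downloaded copy is newer. It assumes the NSS database path, nickname and P12 path used above, that ''certutil -L -n NICK'' prints validity as ''Not After : Mon Aug 30 00:00:00 2021'', and that ''openssl x509 -noout -enddate'' prints ''notAfter=Aug 30 00:00:00 2021 GMT''; the sample outputs embedded in it are constructed so the logic can be exercised offline.

```python
"""Decide whether the P12 bundle fetched from S3 is newer than the certificate
already in the Apache NSS database, so the cron job can skip pk12util and the
Apache restart when nothing changed.

Added example for this page, not code from DokuWiki, mod_nss or the original
notes. Paths, nickname and file name are the placeholders used on the page;
the certutil/openssl output formats are assumptions recorded at CERTUTIL_FMT
and OPENSSL_FMT, and the SAMPLE_* strings are constructed test data.
"""
import os
import re
import subprocess
import sys
from datetime import datetime, timezone

NSS_DB = "/etc/httpd/alias/"
NICKNAME = "*.DOMAIN.TLD - Let's Encrypt"
P12_FILE = "/root/DOMAIN.TLD.p12"

# Assumed formats: certutil -L -n NICK prints "Not After : Mon Aug 30 00:00:00 2021";
# openssl x509 -noout -enddate prints "notAfter=Aug 30 00:00:00 2021 GMT".
CERTUTIL_FMT = "%a %b %d %H:%M:%S %Y"
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample output (not captured from a real server) for offline runs.
SAMPLE_CERTUTIL = """Certificate:
    Data:
        Validity:
            Not Before: Tue Jun 01 00:00:00 2021
            Not After : Mon Aug 30 00:00:00 2021
"""
SAMPLE_OPENSSL = "notAfter=Oct 29 00:00:00 2021 GMT\n"


def parse_certutil_not_after(text):
    """Expiry from 'certutil -L -n NICK' output, treated as UTC."""
    match = re.search(r"Not After\s*:\s*(.+)", text)
    if not match:
        raise ValueError("certutil output has no 'Not After' line")
    return datetime.strptime(match.group(1).strip(), CERTUTIL_FMT).replace(tzinfo=timezone.utc)


def parse_openssl_not_after(text):
    """Expiry from 'openssl x509 -noout -enddate' output."""
    match = re.search(r"notAfter=(.+)", text)
    if not match:
        raise ValueError("openssl output has no 'notAfter=' line")
    return datetime.strptime(match.group(1).strip(), OPENSSL_FMT).replace(tzinfo=timezone.utc)


def decide(installed_not_after, downloaded_not_after, now, min_days_left=30):
    """Return (install, reason). Install only when the downloaded certificate
    outlives the installed one. If even the downloaded copy expires within
    min_days_left, the upstream renewal has probably stalled, so the reason
    carries a warning whatever the install decision is."""
    install = downloaded_not_after > installed_not_after
    reason = ("downloaded certificate expires later than the installed one" if install
              else "installed certificate is already the newest copy")
    remaining = (downloaded_not_after - now).days
    if remaining < min_days_left:
        reason += f"; WARNING: newest available certificate expires in {remaining} days"
    return install, reason


def live_installed_not_after():
    """Ask the NSS database for the installed certificate's expiry."""
    out = subprocess.run(["certutil", "-d", NSS_DB, "-L", "-n", NICKNAME],
                         capture_output=True, text=True, check=True).stdout
    return parse_certutil_not_after(out)


def live_downloaded_not_after(password):
    """Ask OpenSSL for the expiry of the certificate inside the downloaded P12.
    The password travels in the environment (-passin env:), not in argv, so it
    is not visible in the process list."""
    pem = subprocess.run(["openssl", "pkcs12", "-in", P12_FILE, "-nokeys", "-clcerts",
                          "-passin", "env:P12_PASSWORD"],
                         env={**os.environ, "P12_PASSWORD": password},
                         capture_output=True, text=True, check=True).stdout
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True, check=True).stdout
    return parse_openssl_not_after(out)


if __name__ == "__main__":
    if "--live" in sys.argv:  # real check on the server; caller exports P12_PASSWORD
        installed = live_installed_not_after()
        downloaded = live_downloaded_not_after(os.environ["P12_PASSWORD"])
    else:                     # offline demonstration on the constructed samples
        installed = parse_certutil_not_after(SAMPLE_CERTUTIL)
        downloaded = parse_openssl_not_after(SAMPLE_OPENSSL)
    install, reason = decide(installed, downloaded, datetime.now(timezone.utc))
    print(reason)
    sys.exit(0 if install else 1)  # non-zero means nothing to do, so the shell script can skip
```

In the cron script, export the SSM lookup result as ''P12_PASSWORD'', run the helper with ''--live'' (a hypothetical ''/root/cert_check.py'' path) right after the S3 download, and only call ''pk12util'' and restart ''httpd'' when it exits 0. Handing the password to ''pk12util'' through its ''-w'' password-file option rather than ''-W'' on the command line likewise keeps it out of the process list, where any local user can read it.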