Nerdy Drunk

This is how I installed DokuWiki on Amazon Linux 2 and configured automatic updating of the SSL certificate. This installation was done on-prem for a private wiki that is not publicly accessible. Because of this Lets Encrypt certificate validation does not happen on the instance itself.

If you plan to run DokuWiki on an AWS EC2 instance you may want to use EFS for the /var/www/ directory. I have directions on how I did this on the page DokuWiki Amazon Web Services (AWS).

Use the command amazon-linux-extras to enable the PHP 7.4 and the Extra Packages for Enterprise Linux (EPEL) repositories.

sudo amazon-linux-extras install php7.4 epel

Install Apache, the NSS module, PHP, and the needed PHP modules. I allowed dependency resolution of mod_nss and the PHP modules to install Apache and PHP.

sudo yum -y install mod_nss php-gd php-xml php-geshi php-email-address-validation

Update everything else and reboot.

sudo yum -y upgrade
sudo shutdown -r now

List the installed kernels, find the running kernel version, and remove unneeded kernels.

rpm -qa kernel
uname -a
sudo yum -y erase kernel-4.14.123-111.109.amzn2.x86_64

Download and extract DokuWiki.

curl -O https://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
tar zxvf dokuwiki-stable.tgz

Install DokuWiki by copying to the Apache document root directory and changing ownership to the apache user.

sudo cp -R ~/dokuwiki/* /var/www/html/
sudo chown -R apache:apache /var/www/html/*

Restrict permissions on key directories so they are not world readable.

sudo chmod -R 700 /var/www/html/data
sudo chmod -R 700 /var/www/html/config
sudo chmod -R 700 /var/www/html/conf
sudo chmod -R 700 /var/www/html/inc
sudo chmod -R 700 /var/www/html/vendor
sudo chmod -R 700 /var/www/html/lib/plugins/
sudo chmod -R 700 /var/www/html/lib/tpl/

Edit the Apache configuration to restrict key directories even further.

sudo vim /etc/httpd/conf/httpd.conf

Only changes to the file are listed below, the rest of the file was unmodified.

httpd.conf

    <Directory />
        # Add the following line
        Options FollowSymLinks
    </Directory>

    <Directory "/var/www/html">
        # Change the following line
        #Options Indexes FollowSymLinks
        Options Indexes FollowSymLinks MultiViews

        # Change the following line to allow .htaccess to enable the rewrite engine
        #AllowOverride Nome
        AllowOverride All

        # Add the following two lines
        Order allow,deny
        allow from all
    <Directory>

    # Add the following section after the section <Directory "/var/www/html">
    <LocationMatch "/(data|conf|bin|inc|vendor)/">
        Order allow,deny
        Deny from all
        Satisfy All
    </LocationMatch>

I have a Lambda function that will launch an EC2 instance that automatically generates and updates a Let's Encrypt wildcard certificate. The process below will download the pre-generated certificate and use that for the certificate installation. If you are using an existing certificate you can first convert it to P12 format by using my OpenSSL Cheat Sheet.

Configure the AWS CLI if you are installing on-prem. Otherwise assign an IAM role to the EC2 instance that allows the instance to download the P12 file from S3 and retrieve the value of the encrypted Systems Manger Parameter Secure String.

aws configure

Download the certificate in P12 form from S3 to the current directory.

aws s3 cp s3://S3BUCKETNAME/DOMAIN.TLD.p12 ./

Obtain the P12 file password from the appropriate Systems Manager parameter secure string and install the certificate into the Apache NSS certificate database.

sudo pk12util -i DOMAIN.TLD.p12 -d /etc/httpd/alias/ -W $(aws ssm get-parameter --name "/DOMAIN.TLD/p12password" --with-decryption --output text --query 'Parameter.Value')

Verify the certificate is installed in the Apache NSS certificate database and find the certificate's nickname.

sudo certutil -d /etc/httpd/alias/ -L

Update the NSS configuration to use the newly installed certificate by its nickname and change the port from 8443 to 443.

sudo vim /etc/httpd/conf.d/nss.conf

Only changes to the file are listed below, the rest of the file was unmodified.

nss.conf

    # Change the following line
    #Listen 8443
    Listen 443

    # Change the following line
    #<VirtualHost _default_:8443>
    <VirtualHost _default_:443>

    # Change the following line. Quotes surround the nickname since it contains spaces.
    #NSSNickname Server-Cert
    NSSNickName "*.DOMAIN.TLD - Let's Encrypt"

Add a new .htaccess file to redirect HTTP to HTTPS.

sudo vim /var/www/html/.htaccess
sudo chown apache:apache /var/www/html/.htaccess
sudo chmod 600 /var/www/html/.htaccess

.htaccess

    RewriteEngine on
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}/$1 [R,L]

Restart the php-fpm service, start the Apache service, and enable Apache to start on boot.

sudo systemctl restart php-fpm
sudo systemctl start httpd
sudo systemctl enable httpd

Complete installation by visiting https://WIKI.DOMAIN.TLD/install.php and then delete the install.php file.

sudo rm /var/www/html/install.php

Create the script that downloads the certificate, installs the certificate, and then restarts Apache. Create a cron job to runt he script at regular intervals. The script could be updated to also perform date comparison checks so the certificate download and installation is skipped when not needed.

sudo vim /root/install_ssl.sh
sudo chmod 755 /root/install_ssl.sh
sudo crontab -e

install_ssl.sh

#!/bin/bash

date
aws s3 cp s3://S3BUCKETNAME/DOMAIN.TLD.p12 /root/
pk12util -i /root/DOMAIN.TLD.p12 -d /etc/httpd/alias/ -W $(aws ssm get-parameter --name "/DOMAIN.TLD/p12password" --with-decryption --output text --query 'Parameter.Value')
systemctl restart httpd
date

crontab

1 1 */16 * * /root/install_ssl.sh > /root/install_ssh.log