Here is a step-by-step guide on how to set up a free Let's Encrypt SSL certificate on an AWS EC2 instance running Amazon Linux. The Certbot client is used to generate the certificates.
Currently Let's Encrypt does not officially support Amazon Linux, but you can run the Certbot client in debug mode to install a free SSL certificate on your AWS EC2 instance.
Installing Certbot client
Execute the following commands to install the Certbot client:
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
Generating an SSL certificate from Let's Encrypt using Certbot
Execute the following command to generate an SSL certificate from Let's Encrypt. Make sure to replace the website path and domain with your own.
sudo /usr/local/bin/certbot-auto certonly --debug --webroot -w /var/www/html/<your_website_path> -d <your_domain>
First, this command installs a set of libraries on your AWS EC2 instance which are required to generate SSL certificates.
Make sure to provide a valid email address during the process so that you receive email alerts from Let's Encrypt regarding the status of your SSL certificate.
Finally, Certbot will generate the certificate files required to enable SSL on your website. You will find them in the following path:
/etc/letsencrypt/live/<your_domain>/
privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: server certificate.
Configuring Apache web server to use SSL certificates
Next we have to configure the Apache web server to use the generated SSL certificates.
First make sure you have installed mod_ssl on your AWS instance. Use the following command to install mod_ssl:
sudo yum install mod24_ssl
Then add the following lines to your Apache configuration file (httpd.conf) to enable SSL.
<VirtualHost *:443>
DocumentRoot /var/www/<your_domain>
ServerName <your_domain>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<your_domain>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<your_domain>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<your_domain>/chain.pem
</VirtualHost>
Restart the Apache web server using the following command:
sudo service httpd restart
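Before restarting Apache it is worth checking that the files Certbot produced hang together and that the VirtualHost directives point at the right ones: a key that is readable by other users, a fullchain.pem that is not cert.pem followed by chain.pem, or an SSLCertificateFile set to cert.pem with no SSLCertificateChainFile (which leaves clients with an incomplete chain) are the usual mistakes. The script below is an added example, not part of this guide or of Certbot. It uses only the Python standard library, the file roles listed above, and a constructed live directory with placeholder PEM payloads so it can be exercised offline; the domain example.com and the function names are assumptions.

```python
"""Sanity checks for a certbot live directory and Apache SSL directives.

Added example, not part of the original guide or of certbot. Relies on two
facts from the guide: privkey.pem is the private key and fullchain.pem is
cert.pem followed by chain.pem. Sample PEM files are constructed inline.
"""
import base64
import os
import re
import stat
import tempfile

# One PEM block; the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def split_pem(text):
    """Return (label, base64 body) for each PEM block in text, in order."""
    return [(m.group(1), m.group(2).strip()) for m in PEM_BLOCK.finditer(text)]


def check_live_dir(live_dir):
    """Return findings for a /etc/letsencrypt/live/<domain>/ directory; [] means clean."""
    findings, contents = [], {}
    for name in ("privkey.pem", "fullchain.pem", "chain.pem", "cert.pem"):
        path = os.path.join(live_dir, name)
        if not os.path.isfile(path):  # follows the symlinks certbot creates
            findings.append(f"missing {name}")
            continue
        with open(path) as fh:
            contents[name] = fh.read()
    if len(contents) < 4:
        return findings
    cert = split_pem(contents["cert.pem"])
    chain = split_pem(contents["chain.pem"])
    full = split_pem(contents["fullchain.pem"])
    key = split_pem(contents["privkey.pem"])
    if len(cert) != 1 or cert[0][0] != "CERTIFICATE":
        findings.append("cert.pem must hold exactly one CERTIFICATE block")
    if not chain:
        findings.append("chain.pem holds no CERTIFICATE block")
    if full != cert + chain:
        findings.append("fullchain.pem is not cert.pem followed by chain.pem")
    if len(key) != 1 or "PRIVATE KEY" not in key[0][0]:
        findings.append("privkey.pem does not hold a single PRIVATE KEY block")
    for label, body in cert + chain + key:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(f"{label} block is not valid base64")
    # The private key must not be readable by anyone but its owner.
    mode = stat.S_IMODE(os.stat(os.path.join(live_dir, "privkey.pem")).st_mode)
    if mode & 0o077:
        findings.append(f"privkey.pem is readable by group or others (mode {mode:04o})")
    return findings


def check_apache_ssl(vhost_text):
    """Return findings for the directives of a <VirtualHost *:443> block."""
    directives = dict(re.findall(r"^\s*(SSL\w+|ServerName|DocumentRoot)\s+(\S+)",
                                 vhost_text, re.M))
    findings = []
    if directives.get("SSLEngine", "").lower() != "on":
        findings.append("SSLEngine is not set to on")
    if "ServerName" not in directives:
        findings.append("ServerName missing; Apache cannot match this vhost by name")
    cert = os.path.basename(directives.get("SSLCertificateFile", ""))
    key = os.path.basename(directives.get("SSLCertificateKeyFile", ""))
    if key != "privkey.pem":
        findings.append("SSLCertificateKeyFile must point at privkey.pem")
    if cert not in ("cert.pem", "fullchain.pem"):
        findings.append("SSLCertificateFile must point at cert.pem or fullchain.pem")
    if cert == "cert.pem" and "SSLCertificateChainFile" not in directives:
        findings.append("cert.pem without SSLCertificateChainFile serves an incomplete chain")
    return findings


def _pem(label, payload):
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def build_demo_live_dir(broken=False):
    """Write a constructed live directory to a temp dir and return its path.

    Payloads are placeholder bytes, not real certificates; only PEM framing and
    file relationships are exercised. broken=True drops the intermediate from
    fullchain.pem and leaves the key world-readable.
    """
    d = tempfile.mkdtemp(prefix="le-demo-")
    leaf = _pem("CERTIFICATE", b"constructed leaf certificate")
    inter = _pem("CERTIFICATE", b"constructed intermediate")
    files = {"cert.pem": leaf, "chain.pem": inter,
             "fullchain.pem": leaf if broken else leaf + inter,
             "privkey.pem": _pem("PRIVATE KEY", b"constructed private key")}
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(text)
    os.chmod(os.path.join(d, "privkey.pem"), 0o644 if broken else 0o600)
    return d


# The VirtualHost from the guide with an assumed placeholder domain.
GUIDE_VHOST = """<VirtualHost *:443>
DocumentRoot /var/www/example.com
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in check_live_dir(build_demo_live_dir(broken=True)):
        print("live dir:", finding)
    for finding in check_apache_ssl(GUIDE_VHOST):
        print("apache:", finding)
```

On a real instance, call check_live_dir("/etc/letsencrypt/live/<your_domain>") as root and pass the text of your <VirtualHost *:443> block to check_apache_ssl; an empty list from both means the files and directives are consistent with what this guide describes.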
Opening port 443 on the AWS EC2 instance for HTTPS
Then we have to make sure port 443 of the EC2 instance is open in your AWS security group settings.
- Log in to AWS console
- Go to Services > EC2
- On the left navigation, under Network & Security go to Security Groups.
- Select the appropriate security group which governs your EC2 instance.
- Select the Inbound tab
- Add a rule to open port 443 for TCP traffic
Test SSL certificate
Visit https://<your_domain> to verify that the website is served over SSL.
Add a cron job to auto-renew the Let's Encrypt SSL certificate
You can use Certbot to automatically renew the Let's Encrypt SSL certificate. Edit the Linux crontab and add the following line. This sets up a cron job that checks the certificate and renews it if required.
crontab -e
15 0,12 * * * /usr/local/bin/certbot-auto renew >/dev/null 2>&1