I wrote about installing an AWS SSL certificate on Elastic Beanstalk and installing a Letsencrypt certificate on a Windows 2003 server. Now, I’d like to go over how to install the free SSL certificate that Letsencrypt provides on an Amazon Linux instance.
Prerequisites for letsencrypt certificate
I’m gonna assume you already have a server configured with httpd. If not, refer to this guide by Amazon. The only extra component you’ll need is mod24_ssl, which enables https connections, so execute:
sudo yum install -y mod24_ssl
You’ll also need certbot.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Obtain the certificate
Run the certbot script with the following command. The first time the certbot script runs, it will try to download and install all the necessary dependencies. You will also need to agree to the ToS and enter an email address for renewal notices. Use the certonly option to obtain the certificates only and skip the installation step. The certbot script doesn’t fully support Amazon Linux yet, so you will also need to add the --debug option.
sudo ./certbot-auto certonly --debug
Follow the prompts to enter the domain name(s). You can also specify them with the -d domainname.com command-line option.
When prompted with “How would you like to authenticate with the ACME CA?”, choose option “3: Place files in webroot directory (webroot)”. The apache option failed to work on Amazon Linux when I tried it. If the webroot was entered correctly, certbot will create a .well-known folder within it and automatically check that it is reachable under the domain’s URL. If you specified multiple domains, the webroot will have to be entered for each domain.
If you get a success message, then you’ve got an SSL certificate!
Configure httpd for https redirect
If you already have a web app running, you probably have a virtual host configuration for it in /etc/httpd/conf/httpd.conf or in /etc/httpd/conf.d/your-configuration.conf. Add the following https virtual host to httpd.conf or create a new .conf file under the /etc/httpd/conf.d directory.
# https virtual host (port 443); the SSL directives only make sense inside it
<VirtualHost *:443>
    DocumentRoot /var/www/html/webroot
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
</VirtualHost>
Customize the configuration to match your setup. Restart httpd service to enable this https configuration.
sudo service httpd restart
Set up an http-to-https redirect by adding the following redirect directive to your http virtual host configuration (the one for port 80, NOT 443!).
# keep the trailing slash: Redirect appends the rest of the request path to this target
Redirect / https://yourdomain.com/
This will redirect all http requests to https. Very simple!
Schedule automatic renewal
Letsencrypt certificates are valid for a maximum of 90 days. You will have to renew them before the expiration date. The easiest way to automate the renewal task is through cron, so let’s schedule it. Open up the crontab for editing with:
sudo crontab -e
Add the following line.
0 0,12 * * * /home/ec2-user/certbot-auto renew --debug
This will schedule certificate renewals at noon and midnight of every day (every 12 hours).
To make sure it will run properly, test the renewal process by doing a dry run.
sudo ./certbot-auto renew --dry-run
You will get a “Failed authorization procedure” error. What!? Why? I’m not exactly sure, but it turns out that when you set up an http-to-https redirect, either certbot fails to handle the https redirect or https fails to serve that particular file. The solution is to add an exception for the .well-known directory to the https redirect. Modify the redirect directive in the http virtual host configuration to the following.
# Redirect only takes a literal path prefix, so the exception needs a RedirectMatch
# regular expression; the negative lookahead skips everything under /.well-known/
RedirectMatch "^/(?!\.well-known/)(.*)$" "https://yourdomain.com/$1"
This will redirect all requests to https EXCEPT those under the .well-known directory, so the renewal requests will go through and be verified successfully.
Try another renewal dry-run. It should complete without any errors.
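As an added check that is not part of the original post: the script below models the port-80 redirect rule (assuming it is written as a RedirectMatch with a negative lookahead that exempts /.well-known/, which is an assumption of this example) and, given a domain name as its argument, probes the live server to confirm that ordinary paths redirect to https while the ACME challenge path is still served over plain http, which is what the renewal job needs.

```python
"""Verify the http-to-https redirect leaves the ACME HTTP-01 challenge path alone."""
import re
import sys
import urllib.error
import urllib.request

# Assumed rule in the port-80 virtual host (added example, not the post's config):
#   RedirectMatch "^/(?!\.well-known/)(.*)$" "https://DOMAIN/$1"
REDIRECT_RULE = re.compile(r"^/(?!\.well-known/)(.*)$")


def redirect_target(path, domain):
    """Location Apache would send for `path`, or None when the path is exempt."""
    m = REDIRECT_RULE.match(path)
    return None if m is None else f"https://{domain}/{m.group(1)}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the redirect itself is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Return (status, Location header or None) for a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx and 4xx both land here
        return err.code, err.headers.get("Location")


def check_live(domain):
    """True when ordinary paths redirect to https and the challenge path does not."""
    status, loc = probe(f"http://{domain}/")
    ok_redirect = status in (301, 302) and (loc or "").startswith(f"https://{domain}/")
    # A made-up token should come back 404 over plain http, never a redirect.
    status, _ = probe(f"http://{domain}/.well-known/acme-challenge/probe-token")
    ok_challenge = status not in (301, 302, 307, 308)
    return ok_redirect and ok_challenge


if __name__ == "__main__":
    print("OK" if check_live(sys.argv[1]) else "MISCONFIGURED")
```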
Now with automatic renewal, you won’t ever have to worry about the SSL certificates expiring.