Installing Letsencrypt SSL certificate on Amazon Linux

I wrote about installing AWS SSL certificate on Elastic Beanstalk and installing Letsencrypt certificate on Windows 2003 server. Now, I’d like to go over how to install the free SSL certificate that Letsencrypt provides on an Amazon Linux instance.

Prerequisites for letsencrypt certificate

I’m gonna assume you already have a server configured with httpd. If not, refer to this guide by Amazon. The only additional component you’ll need is mod24_ssl, which enables https connections, so execute:

sudo yum install -y mod24_ssl

You’ll also need certbot.

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Obtain the certificate

Run the certbot script with the following command. The first time the certbot script runs, it will try to download and install all the necessary dependencies. You will also need to agree to the ToS and enter an email address for renewal notices. Use the certonly option to obtain the certificates only and skip the installation process. The certbot script doesn’t fully support Amazon Linux yet, so you will also need to add the --debug option.

sudo ./certbot-auto certonly --debug

Follow the prompt to enter the domain name(s). You can also specify them with -d domainname.com command-line option.

When prompted with “How would you like to authenticate with the ACME CA?”, choose option “3: Place files in webroot directory (webroot)“. The apache option failed to work on Amazon Linux when I tried it. If the webroot was entered correctly, certbot will create a .well-known folder within it and automatically check that it exists under the domain’s url. If you specified multiple domains, the webroot will have to be entered for each domain.

If you get a success message, then you’ve got an SSL certificate!

Configure httpd for https redirect

If you already have a web app running, you probably have a virtual host configuration for it in /etc/httpd/conf/httpd.conf or in /etc/httpd/conf.d/your-configuration.conf. Add the following configuration to httpd.conf or create a new .conf file under /etc/httpd/conf.d directory.


<VirtualHost *:443>
    DocumentRoot /var/www/html/webroot
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    # Certificate, private key and intermediate chain issued by certbot
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
</VirtualHost>

Customize the configuration to match your setup. Restart httpd service to enable this https configuration.

sudo service httpd restart

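Set up an http redirect to https by adding the following redirect directive to your http (the one for port 80, NOT 443!) configuration. Keep the trailing slash on the target: Redirect appends the rest of the requested path directly to it.

Redirect / https://yourdomain.com/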

This will redirect all http requests to https. Very simple!

Schedule automatic renewal

Letsencrypt certificates are valid for a maximum of 90 days. You will have to renew them before the expiration date. The easiest way to automate the renewal task is through cron, so let’s schedule it. Open up crontab for edit with:

sudo crontab -e

Add the following line.

0 0,12 * * * /home/ec2-user/certbot-auto renew --debug

This will schedule certificate renewals at noon and midnight of every day (every 12 hours).

To make sure it will run properly, test the renewal process by doing a dry run.

sudo ./certbot-auto renew --dry-run

You will get a “Failed authorization procedure” error. What!? Why? I’m not exactly sure, but it turns out when you set up a http to https redirect, either certbot fails to recognize the https redirect or https fails to serve that particular file. The solution is to add an exception to the https redirect. Modify the redirect directive in the http virtual host configuration to the following.

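RedirectMatch ^/(?!\.well-known/)(.*)$ https://yourdomain.com/$1

This will redirect all requests to https EXCEPT the .well-known directory so that the renewal requests will go through and be verified successfully. RedirectMatch is needed here because plain Redirect matches a literal path prefix and does not interpret regular expressions.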

Try another renewal dry-run. It should complete without any errors.

Now with automatic renewal, you won’t ever have to worry about the SSL certificates expiring.
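
To confirm the cron job really is renewing, the check below (an added example, not part of the original post) reports every certificate under the live directory that has fewer than a given number of days left. The function names, the script name and the 20-day default are assumptions; certbot normally renews once fewer than 30 days remain, so anything below that threshold means renewals have been failing for a while.

```shell
#!/bin/sh
# Added example (not from the original post); function names and the
# 20-day default are assumptions.

# check_cert FILE DAYS: 0 = healthy, 1 = expires within DAYS, 2 = unreadable
check_cert() {
    cert=$1
    days=$2
    # A missing or unparsable file is reported separately from "expiring".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "UNREADABLE $cert"
        return 2
    fi
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "OK $cert"
        return 0
    fi
    echo "EXPIRING $cert ($(openssl x509 -in "$cert" -noout -enddate))"
    return 1
}

# check_live_dir DIR DAYS: check DIR/<domain>/cert.pem for every domain and
# return the worst status seen (2 if DIR holds no certificates at all).
check_live_dir() {
    worst=0
    found=0
    for c in "$1"/*/cert.pem; do
        [ -e "$c" ] || continue
        found=1
        rc=0
        check_cert "$c" "$2" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "NO CERTIFICATES under $1"
        return 2
    fi
    return "$worst"
}

# Runs only when a directory is given, e.g. (hypothetical script name):
#   sudo sh check-certs.sh /etc/letsencrypt/live 20
if [ "$#" -ge 1 ]; then
    check_live_dir "$1" "${2:-20}"
    exit $?
fi
```

A non-zero exit status makes it easy to call from a second cron entry or a monitoring agent and alert on failure.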

1 thought on “Installing Letsencrypt SSL certificate on Amazon Linux”

  1. Francis Rodrigues

    I received the error while generating a certificate:

    Failed authorization procedure. my-site.elasticbeanstalk.com (http-01): urn:acme:error:unauthorized

    log output below:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for my-site.elasticbeanstalk.com
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. my-site.elasticbeanstalk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization

    Can you help me?
