Installing a Let’s Encrypt SSL Certificate on an AWS AMI Instance

Let’s Encrypt is one of the most popular ways of obtaining a TLS (SSL) certificate for free. Serving a site over HTTPS protects visitors’ traffic from interception and tampering, gains customer trust, and is a ranking signal for the search engines. Installing a Let’s Encrypt SSL certificate on an AWS AMI instance requires only a few commands to be run on the instance.

It is assumed that you already have a website configured on the instance, with Apache and the other components installed as described in the configuring a PHP website on AWS post.

To start with, ensure that Apache’s mod_ssl module is installed on the instance. On the Amazon Linux AMI, which ships the httpd24 build of Apache, the package is mod24_ssl and can be installed with the following command.

$ sudo yum install mod24_ssl

The certificate is obtained with the Certbot client, which must first be downloaded. The following commands fetch the certbot-auto wrapper script and make it executable.

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto

This downloads a certbot-auto file onto your instance. Because the script is about to be run as root, fetch it over HTTPS only (as above) and keep it somewhere writable only by root, such as /usr/local/bin, rather than in a home directory or another location other users can modify. Note that the EFF has since deprecated certbot-auto in favour of the packaged Certbot installation methods documented at certbot.eff.org; the steps below describe the certbot-auto workflow as it was at the time of writing.

To begin installing a Let’s Encrypt SSL certificate, run the following command. The --debug flag is required because certbot-auto classes Amazon Linux as an experimental platform and refuses to run on it without the flag.

$ sudo /path/to/certbot-auto --debug

Some further packages (Python and its dependencies) will be installed via yum, and you will then be prompted to enter an email address for urgent renewal and security notices.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):

Continue following the steps in the setup process and you will eventually be asked to enter the numbers of the domains to activate HTTPS for. The list is built from the ServerName and ServerAlias directives in your Apache virtual hosts, so a name that is missing here indicates a missing or misconfigured virtual host.

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: yourdomain.co.uk
2: www.yourdomain.co.uk
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

At this point, the DNS A/AAAA record(s) for the chosen domains must point at the public (Elastic) IP address of the instance on which the certificate is being installed. Certbot’s Apache plugin uses the HTTP-01 challenge, so the Let’s Encrypt validation servers connect to port 80 on whatever address the name resolves to; the instance’s security group must therefore allow inbound TCP 80 from anywhere, since validation is performed from several Let’s Encrypt vantage points and cannot be restricted to a single source address. If either condition is not met, validation fails with an error.

After choosing the domain(s), Certbot serves a one-time token at http://yourdomain/.well-known/acme-challenge/<token>, and the Let’s Encrypt validation servers fetch it over plain HTTP to prove you control the name.

If the validation servers cannot retrieve that token (DNS pointing elsewhere, port 80 blocked by the security group, Apache not listening, or another virtual host answering for the name), an error similar to the one below appears during the installation process.

 The client lacks sufficient authorization :: Invalid response from http://www.yourdomain.co.uk/.well-known/acme-challenge/tZwtQKSEZBXNPNm4tt5gxQa_bRTjPFJZeN4JZCtp8
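The two preconditions above (the name resolves to this instance, and the challenge path is reachable over public HTTP, which also exercises the security group) can be checked before running certbot-auto. The script below is an added example and is not part of the original post or of Certbot; it assumes curl and dig (the bind-utils package) are installed, that the instance can reach the EC2 metadata service, that the vhost’s DocumentRoot is passed as the second argument (defaulting to /var/www/html), and the file name le-preflight.sh is hypothetical.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge on an EC2 instance (added example,
# not from the original post). Assumptions: curl and dig are installed, the EC2
# metadata service is reachable, DOCROOT is the DocumentRoot of the vhost that
# answers for DOMAIN.
# Usage: sh le-preflight.sh --check www.yourdomain.co.uk /var/www/html

IMDS="http://169.254.169.254/latest"

# Public IPv4 of this instance, read via IMDSv2 (token-protected) so it also
# works on instances where IMDSv1 has been disabled.
instance_public_ip() {
    tok=$(curl -fsS --max-time 3 -X PUT "$IMDS/api/token" \
              -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -fsS --max-time 3 -H "X-aws-ec2-metadata-token: $tok" \
         "$IMDS/meta-data/public-ipv4"
}

# A records for DOMAIN as seen from a public resolver, one per line. /etc/hosts
# is deliberately bypassed: Let's Encrypt's validators only see public DNS.
resolve_a() {
    dig @1.1.1.1 +short A "$1" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# True when EXPECTED ($1) is one of the whitespace-separated addresses in $2.
ip_in_list() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# 32 hex characters of randomness: an unguessable file name for the round-trip.
new_token() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Publish a token at the challenge path and fetch it back through the public
# name over plain HTTP, exactly as the ACME validation servers will.
challenge_roundtrip() {
    domain=$1 docroot=$2
    token=$(new_token)
    dir="$docroot/.well-known/acme-challenge"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 1
    got=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$got" = "$token" ]
}

preflight() {
    domain=$1 docroot=$2
    my_ip=$(instance_public_ip) || {
        echo "cannot read public IPv4 from the metadata service" >&2; return 1; }
    addrs=$(resolve_a "$domain")
    if ! ip_in_list "$my_ip" "$addrs"; then
        echo "FAIL: $domain resolves to [$(echo "$addrs" | tr '\n' ' ')] but this instance is $my_ip" >&2
        return 1
    fi
    if ! challenge_roundtrip "$domain" "$docroot"; then
        echo "FAIL: http://$domain/.well-known/acme-challenge/ is not served from $docroot;" \
             "check the security group allows inbound TCP 80 and that Apache is running" >&2
        return 1
    fi
    echo "OK: $domain points at this instance and the challenge path is reachable"
}

# Only run the live checks when invoked explicitly, so the functions above can
# also be sourced on their own.
case "${1:-}" in
    --check) preflight "$2" "${3:-/var/www/html}" ;;
esac
```

Run it as root (the token file is written under the DocumentRoot) before starting certbot-auto; a FAIL from the round-trip step while the DNS step passes almost always means the security group is not allowing inbound port 80.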

Assuming no error appears, continue and you will be asked whether a redirect from HTTP to HTTPS should be put in place.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose your option (option 2 is the right choice for any site that does not have a specific reason to keep serving plain HTTP) and the SSL certificate will be installed. You’ll note that Certbot creates a yourdomain.co.uk-le-ssl.conf file within the /etc/httpd/conf.d directory containing the virtual host configuration for HTTPS; it references the certificate and key under /etc/letsencrypt/live/yourdomain.co.uk/, which is where Certbot keeps the current versions after each renewal.

Let’s Encrypt certificates are valid for 90 days and therefore need to be renewed regularly.

You can configure automatic renewals in the root user’s crontab (sudo crontab -e), since certbot-auto needs root to update the Apache configuration and reload the server. The renew command is a no-op unless a certificate is within 30 days of expiry, so it is safe to run daily. For example, to attempt renewal every day at 1am, you could add the following line to the crontab.

0 1 * * * /path/to/certbot-auto renew --debug 

Remember that Let’s Encrypt enforces rate limits, including a weekly cap on new certificates per registered domain and a stricter cap on duplicate certificates for the same set of names. A daily renew run does not count against these because it only issues when a certificate is actually due, but avoid --force-renewal in cron and avoid issuing many separate certificates for one registered domain. For details, see the Let’s Encrypt rate limits documentation at https://letsencrypt.org/docs/rate-limits/.