Installing a Let’s Encrypt SSL Certificate on an AWS AMI Instance

Let’s Encrypt is one of the most popular methods of installing an SSL certificate for free. It is well known that SSL certificates gain customer trust, as well as improving a website’s ranking in the search engines. Installing a Let’s Encrypt SSL certificate on an AWS AMI Instance requires a few commands to be run on the instance.

It is assumed that you have a website already configured on the instance and installed the relevant components as mentioned in the configuring a PHP website on AWS post.

To start with, ensure that you have installed Apache’s mod_ssl module on the instance. This can be done by running the following command.

$ sudo yum install mod24_ssl

To install a Let’s Encrypt SSL certificate using the Certbot client, firstly the client must be downloaded. The client can be installed using the following commands.

$ wget
$ chmod a+x certbot-auto

This will download a certbot-auto file onto your instance.

To begin installing a Let’s Encrypt SSL, run the following command.

$ sudo /path/to/certbot-auto --debug

Some further packages will be installed, and you will be prompted to enter an email address for any urgent renewal and security notices.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to

Continue following the steps provided in the setup process, and you’ll eventually reach the step where you’ll be asked to enter the number of the domains to activate HTTPS for.

Which names would you like to activate HTTPS for?
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

At this point, the DNS A/AAAA record(s) for the domains must contain the correct IP address of the server on which the SSL certificate is being installed. Otherwise, an error will be thrown.

After choosing the domain(s), Certbot will attempt to look within the .well-known directory.

If for some reason Certbot is unable to view the directory, a similar error to the below may appear when running through the installation process.

 The client lacks sufficient authorization :: Invalid response from

Assuming no error currently exists, continue on and you will be prompted on whether a redirect from HTTP to HTTPS should be put in place.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose you option and the SSL certificate should be installed! You’ll note that Certbot creates a file within the /etc/httpd/conf.d directory that contains the vhosts configuration for HTTPS.

Let’s Encrypt certificates last 90 days, and therefore needs to be renewed from time to time.

You can configure automatic renewals on the instance’s crontab. For example, to renew an SSL certificate every day at 1am, you could configure the following command within the crontab.

0 1 * * * /path/to/certbot-auto renew --debug 

Remember, there are rate limits set by Let’s Encrypt, so don’t run renewals too frequently or have too many certificated per registered domain. To find out more about rate limits, click here.