Free SSL – Setup LetsEncrypt on AWS EC2 using Certbot
LetsEncrypt is a free, open certificate authority: in short, it lets you enable HTTPS for your domain name for FREE. It’s pretty awesome and super easy to set up. However, there are some downsides to using LE:
- Certificates are valid for 90 days only
- They do not offer wildcard certificates.
Prerequisite:
- SSH access and root privilege to your web server.
- An Amazon Linux AMI (RHEL 6, v1) instance, but the installation should work with any Linux distribution.
- You’ve already set up DNS for your domain name (e.g. an A record, name servers, etc.).
The commands
1. SSH into your Amazon instance
2. Download and install Certbot in your home directory (e.g. ~/home/ec2):

```bash
# certbot-auto has since been deprecated by the EFF; current installs use the
# distribution's certbot package or the snap instead.
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
```
3. Run certbot to fetch your certificates
```bash
# --server points at the ACME v1 endpoint that was current when this post was written;
# that endpoint has since been retired, and current Certbot defaults to ACME v2.
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_WEBSITE_HERE
```
4. Follow the prompts and enter the information requested (webroot located at /var/www/html).
5. Edit your SSL config
```bash
sudo nano /etc/httpd/conf.d/ssl.conf
```
And set the three directives to the files Certbot wrote under /etc/letsencrypt/live/ (note that each directive takes a different file; pointing the key directive at cert.pem, or the chain directive at privkey.pem, will stop httpd from starting):
- `SSLCertificateFile` to your certificate path: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem
- `SSLCertificateKeyFile` to your private key path: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem
- `SSLCertificateChainFile` to your intermediate chain path: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem
6. Update your Apache virtual host (vhost). On Amazon Linux, this is likely at /etc/httpd/conf.d/vhost.conf

```apache
<VirtualHost *:443>
    ServerName yourdomain.com
    DocumentRoot "/var/www/yourdomainroot"
    SSLEngine on
    # The three files issued by Certbot in step 3 (same paths as ssl.conf in step 5)
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
    # Disables SSLv2/SSLv3 only; TLSv1 and TLSv1.1 stay enabled unless you also add -TLSv1 -TLSv1.1
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
```
7. Restart apache
```bash
sudo service httpd restart
```
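Before restarting httpd in step 7, it is worth confirming that the three files steps 5 and 6 point at are actually a matching certificate, private key and chain, and that the certificate is not already close to its 90-day expiry. The script below is an added example and is not part of the original post or of Certbot; it assumes only that the openssl command-line tool is installed and that you pass the three paths as arguments (the /etc/letsencrypt/live/... paths are placeholders taken from the post).

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the certificate,
# private key and chain files referenced by ssl.conf / the vhost before
# restarting httpd. Assumes the openssl CLI is available.

# Return 0 when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. cert.pem and privkey.pem are a pair
# and were not swapped in the config.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate chains up to the issuer certs in the chain file
# (what a browser must be able to do with what Apache serves).
chain_verifies_cert() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Return 0 when the certificate remains valid for at least $2 more days.
# LetsEncrypt certs live 90 days and certbot renews them inside the last 30.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -checkend $(( days * 86400 )) -in "$cert" >/dev/null 2>&1
}

# Run every check, print one line per result, return non-zero on any failure.
# Usage: check_ssl_files CERT_PEM PRIVKEY_PEM CHAIN_PEM
check_ssl_files() {
    cert="$1"; key="$2"; chain="$3"; rc=0
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    if cert_matches_key "$cert" "$key"; then
        echo "ok:   certificate matches private key"
    else
        echo "FAIL: $key is not the private key for $cert (cert.pem/privkey.pem swapped?)"; rc=1
    fi
    if chain_verifies_cert "$cert" "$chain"; then
        echo "ok:   chain file verifies certificate"
    else
        echo "FAIL: $chain does not verify $cert (is it chain.pem, not privkey.pem?)"; rc=1
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "ok:   certificate valid for at least 30 more days"
    else
        echo "FAIL: certificate expires within 30 days (or is unreadable); run certbot renew"; rc=1
    fi
    return $rc
}

# Only run when invoked with the three paths, e.g.
#   sh check_ssl_files.sh /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem \
#       /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem \
#       /etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem
if [ "$#" -eq 3 ]; then
    check_ssl_files "$@"
fi
```

Run it as root (the privkey.pem under /etc/letsencrypt/live/ is root-readable only) right before `sudo service httpd restart`; a non-zero exit means the config would either fail to load or serve a certificate browsers will reject. The public-key comparison is used instead of the classic RSA modulus check so the same script works for ECDSA keys as well.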
FAQ: Cert renew issues:
Error: “couldn’t get currently installed version for /opt/eff.org/certbot/venv/bin/letsencrypt”
Solution:

```bash
sudo rm -rf /root/.local/share/letsencrypt/
sudo rm -rf /opt/eff.org/certbot/
```
Then rerun certbot-auto in user mode (ec2-user).
```bash
./certbot-auto renew -v --debug
```
Error: ImportError: No module named cryptography.hazmat.bindings.openssl.binding
Solution:
```bash
/opt/eff.org/certbot/venv/local/bin/pip install cryptography interface
```
Error: Running the Amazon Linux AMI and getting a traceback when trying to renew:

```text
Traceback (most recent call last):
  File "/usr/bin/certbot", line 7, in <module>
    from certbot.main import main
...
```
Solution:
```bash
sudo rm -rf /opt/eff.org/*
sudo yum -y install python36 python36-pip python36-libs python36-tools python36-virtualenv
sudo /usr/bin/pip-3.6 install -U certbot
sudo /usr/bin/pip-3.6 install certbot-apache
sudo /usr/local/bin/certbot renew --debug
```