Using Let's Encrypt on AWS EC2 Instance
Reishi Mitani
Posted on October 5, 2020
Objectives
- Create an SSL certificate on your EC2 instance.
- We will not consider using PHP or MariaDB on this EC2 instance (unlike in the documentation).
Documentation
Tutorial: Configure SSL/TLS on Amazon Linux 2
However, some of the instructions in the documentation were outdated.
Prerequisites
- An EC2 instance is already launched (in this case, Amazon Linux 2).
- The EC2 security groups have ports 80, 443, and 22 open (http, https, and ssh respectively).
- Already have a domain created on Route 53 or somewhere else.
Procedures
Install Apache on your EC2 machine
Tutorial: Install a LAMP web server on Amazon Linux 2
$ sudo yum update -y
$ sudo yum install -y httpd
$ sudo systemctl start httpd
$ sudo systemctl enable httpd
$ sudo systemctl is-enabled httpd
Create a localhost.crt
$ sudo yum install -y mod_ssl
$ cd /etc/pki/tls/certs
$ sudo ./make-dummy-cert localhost.crt
Do not comment out the SSLCertificateKeyFile /etc/pki/tls/private/localhost.key line, although it says so in the documentation. Otherwise, you will get an error when running Apache (reason unknown).
I actually do not know whether this localhost.crt is even necessary.
Install and run certbot
$ sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
$ sudo yum-config-manager --enable epel*
In your /etc/httpd/conf/httpd.conf, insert the following lines after Listen 80.
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "example.com"
ServerAlias "www.example.com"
</VirtualHost>
Restart Apache, install certbot, and run it.
$ sudo systemctl restart httpd
$ sudo yum install -y certbot python2-certbot-apache
$ sudo certbot
Agree to the terms.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
Choose the domain names you want to activate.
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
After this, answer a couple of questions, and you should be done!
Congratulations! You have successfully enabled https://example.com and
https://www.example.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/certbot.oneeyedman.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/certbot.oneeyedman.net/privkey.pem
Your cert will expire on 2019-08-01. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
You can see your certificates, private key, and chain at /etc/letsencrypt/live/certbot.oneeyedman.net. You can import these into your Amazon Certificate Manager and use them for your Elastic Load Balancers.
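Before backing up /etc/letsencrypt or importing the files elsewhere, it helps to confirm that the private key belongs to the certificate, that renewal is not overdue, and that the key is readable only by its owner. The script below is an added example, not part of the original post or the AWS tutorial; the function name check_lineage and the 30-day default are assumptions, and it requires the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example: sanity checks on a certbot lineage directory.
# Assumes fullchain.pem and privkey.pem sit in the directory, as in the
# certbot output above, and that the openssl CLI is installed.
# check_lineage and the 30-day default are names/values chosen for this sketch.

check_lineage() {  # $1 = lineage directory, $2 = minimum days of validity left
  dir=$1
  days=${2:-30}
  rc=0

  # Extract the public key from the leaf certificate and from the private key.
  # Comparing public keys works for RSA and ECDSA alike.
  cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read $dir/fullchain.pem"; return 2; }
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read $dir/privkey.pem"; return 2; }
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: privkey.pem does not belong to fullchain.pem"
    rc=1
  fi

  # -checkend exits non-zero if the certificate expires within N seconds.
  if ! openssl x509 -in "$dir/fullchain.pem" -noout \
        -checkend "$((days * 86400))" >/dev/null; then
    echo "WARN: certificate expires within $days days; run 'certbot renew'"
    rc=1
  fi

  # Columns 5-10 of 'ls -l' are the group and other permission bits.
  # -L follows the symlink that live/ uses to point into archive/.
  perms=$(ls -lnL "$dir/privkey.pem" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: privkey.pem is accessible to group/other ($perms)"
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
  return "$rc"
}

# Usage: ./check_lineage.sh /etc/letsencrypt/live/<your-domain> [days]
if [ "$#" -gt 0 ]; then
  check_lineage "$@"
fi
```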
P.S.
- There are other ways to install certbot apart from sudo yum install, such as curl. I followed the AWS docs on this one.
- If you use curl, you will have to configure the settings so that they match the requirements of Amazon Linux 2.