aws

Using Let's Encrypt on AWS EC2 Instance

greenteabiscuit

Reishi Mitani

Posted on October 5, 2020


Objectives

  • Create an SSL certificate on your EC2 instance.
  • We will not install PHP or MariaDB on this EC2 instance (unlike in the documentation).

Documentation

Tutorial: Configure SSL/TLS on Amazon Linux 2

However, some of the instructions here in the documentation were outdated.

Prerequisites

  • Already launched an EC2 instance (in this case, Amazon Linux 2)
  • The EC2 security groups have ports 80, 443, and 22 open (http, https, and ssh respectively).
  • Already have a domain created on Route 53 or somewhere else.

Procedures

Install apache on your EC2 machine

Tutorial: Install a LAMP web server on Amazon Linux 2

$ sudo yum update -y
$ sudo yum install -y httpd
$ sudo systemctl start httpd
$ sudo systemctl enable httpd
$ sudo systemctl is-enabled httpd

Create a localhost.crt

$ sudo yum install -y mod_ssl
$ cd /etc/pki/tls/certs
$ sudo ./make-dummy-cert localhost.crt

Do not comment out the SSLCertificateKeyFile /etc/pki/tls/private/localhost.key line, even though the documentation says to. Otherwise, you will get an error when starting apache (reason unknown).

I actually do not know whether this localhost.crt is even necessary.

Install and run certbot

$ sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
$ sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
$ sudo yum-config-manager --enable epel*

In your /etc/httpd/conf/httpd.conf, insert the following lines after Listen 80.

<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "example.com"
    ServerAlias "www.example.com"
</VirtualHost>

Restart apache, install certbot, and run it.

$ sudo systemctl restart httpd
$ sudo yum install -y certbot python2-certbot-apache
$ sudo certbot
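The steps above, collapsed into one non-interactive script for Amazon Linux 2. This is an added example and not code from the original post; DOMAIN and EMAIL are assumed to be supplied by the caller (example.com and admin@example.com are placeholders), and the certbot flags used (--apache, --non-interactive, --agree-tos, -m, -d, --redirect) replace the prompts that the interactive run below walks through.

```shell
#!/bin/sh
# Added example, not code from the original post: the steps above collapsed into one
# non-interactive script for Amazon Linux 2. DOMAIN and EMAIL are assumed to be supplied
# by the caller; example.com and admin@example.com are placeholders.
set -eu
DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-admin@example.com}"   # placeholder; Let's Encrypt sends expiry warnings here

# Accept only a plain DNS hostname (labels of 1-63 characters, alphanumerics and inner
# hyphens, alphabetic TLD) before it is interpolated into an httpd config file.
valid_hostname() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# The port-80 VirtualHost from the post, parameterised by domain. certbot's apache plugin
# matches each -d name against ServerName/ServerAlias to decide which vhost to secure.
vhost_conf() {
  cat <<EOF
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    ServerName "$1"
    ServerAlias "www.$1"
</VirtualHost>
EOF
}

install_and_issue() {
  valid_hostname "$DOMAIN" || { echo "refusing to use DOMAIN='$DOMAIN'" >&2; return 1; }

  sudo yum update -y
  sudo yum install -y httpd mod_ssl
  sudo systemctl enable --now httpd

  # Dummy cert for the default ssl.conf, as in the post; skipped if one already exists.
  [ -f /etc/pki/tls/certs/localhost.crt ] ||
    (cd /etc/pki/tls/certs && sudo ./make-dummy-cert localhost.crt)

  # EPEL, installed the same way the post does it; rpm -Uvh fails if it is already there.
  rpm -q epel-release >/dev/null 2>&1 || {
    sudo wget -r --no-parent -A 'epel-release-*.rpm' http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
    sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
  }
  sudo yum-config-manager --enable 'epel*'

  # A drop-in under conf.d is read by httpd just like httpd.conf and survives package upgrades.
  vhost_conf "$DOMAIN" | sudo tee "/etc/httpd/conf.d/$DOMAIN.conf" >/dev/null
  sudo apachectl configtest
  sudo systemctl restart httpd

  sudo yum install -y certbot python2-certbot-apache
  # Non-interactive equivalent of the prompts: terms accepted up front, both names
  # requested, and plain-HTTP requests redirected to HTTPS.
  sudo certbot --apache --non-interactive --agree-tos -m "$EMAIL" \
    -d "$DOMAIN" -d "www.$DOMAIN" --redirect

  # Prove the renewal path works before the 90-day expiry arrives.
  sudo certbot renew --dry-run
}

if [ "${1:-}" = "--run" ]; then
  install_and_issue
fi
```

Run it as `DOMAIN=example.com EMAIL=you@example.com sh issue.sh --run` on the instance. The hostname check matters because the domain ends up inside a file that httpd parses as configuration, and the `certbot renew --dry-run` at the end catches a broken vhost or blocked port 80 while the certificate is still fresh rather than at the first real renewal.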

Agree to the terms.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Choose the domain names you want to activate.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
2: www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

After this, answer a couple of questions, and you should be done!

Congratulations! You have successfully enabled https://example.com and
https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/certbot.oneeyedman.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/certbot.oneeyedman.net/privkey.pem
   Your cert will expire on 2019-08-01. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

You can find your certificate, private key, and chain under /etc/letsencrypt/live/certbot.oneeyedman.net. You can import these into AWS Certificate Manager and use them with your Elastic Load Balancers.
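The certbot output above asks for a secure backup of /etc/letsencrypt and points out that the directory holds private keys. The script below is an added example, not code from the original post or from certbot; it assumes certbot's standard layout, where <root>/live/<name>/privkey.pem is a symlink into <root>/archive/<name>/, and the LE_ROOT variable and function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from certbot: hygiene checks for the
# /etc/letsencrypt tree that certbot's output tells you to back up. Assumes certbot's layout,
# in which <root>/live/<name>/privkey.pem is a symlink into <root>/archive/<name>/.
set -u
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# List every privkey.pem under "$1/live" whose target has any group or other permission bit
# set. ls -L follows the symlink so the real archive file is inspected. Returns 1 if any found.
find_loose_private_keys() {
  root="$1"
  rc=0
  for key in $(find "$root/live" -name privkey.pem 2>/dev/null); do
    bits=$(ls -lL "$key" | cut -c5-10)   # group+other rwx fields of the mode column
    if [ "$bits" != "------" ]; then
      echo "$key"
      rc=1
    fi
  done
  return $rc
}

# Days until the leaf certificate at "$1" expires. Needs openssl and GNU date, both present
# on Amazon Linux 2 (openssl reads the first certificate in fullchain.pem, i.e. the leaf).
cert_days_left() {
  end=$(openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//')
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Archive the whole configuration directory (account key, certs, private keys) into "$2",
# created with owner-only permissions so the backup is no more exposed than the keys inside.
backup_letsencrypt() {
  root="$1"; dest="$2"
  ( umask 077 && tar -cf "$dest" -C "$(dirname "$root")" "$(basename "$root")" )
}

audit() {
  loose=$(find_loose_private_keys "$LE_ROOT") && echo "OK: private keys are owner-only" \
    || printf 'WARNING: private keys readable by group/other:\n%s\n' "$loose"
  for chain in "$LE_ROOT"/live/*/fullchain.pem; do
    [ -f "$chain" ] && echo "$chain expires in $(cert_days_left "$chain") days"
  done
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run `sudo sh le-audit.sh --audit` after issuance and again after the first renewal; a key reported by find_loose_private_keys should be fixed with chmod 600 on the archive file, since the live/ entry is only a symlink. Keep the backup produced by backup_letsencrypt off the instance and treat it like the private key it contains.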

P.S.

  • There are other ways to install certbot apart from sudo yum install, such as curl. I followed the AWS docs on this one.
  • But if you use curl, you will have to adjust the configuration so that it matches the requirements of Amazon Linux 2.