Installing Let’s Encrypt’s free SSL on Amazon Linux

Getting a free SSL certificate for your site is now easier than ever. On AWS, certificates are free and easy for any load-balanced environment you create. But what if you aren’t running a load-balanced site? If you followed my earlier guide, The Ultimate Guide to WordPress on AWS EC2, then this tutorial is for you.

In this article, I’m assuming you’re running Apache on an Amazon Linux EC2 instance. We’ll install a free SSL certificate from Let’s Encrypt and configure it to automatically renew.

Part 1: Install SSL Certificates

Before beginning, be sure to disable any caching plugins you have installed.

  1. SSH into your server.
  2. Download certbot (the Let’s Encrypt client needed to install & renew certs)
    $ wget
    $ chmod a+x certbot-auto
  3. Run certbot to fetch your certificates…
    $ sudo ./certbot-auto --debug -v --server certonly -d YOUR_WEBSITE_HERE

  4. This will launch a visual wizard. You’ll need to enter an admin email, and then point it at your web root (the directory your website is actually hosted out of). On Amazon Linux, this is likely /var/www/html, especially if you’ve followed my tutorials. Once finished with the wizard, you’ll have valid SSL certificates. Now we just need to add them to Apache!
  5. certbot will place your certs in the following paths…
    • Certificate: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem
    • Full Chain: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/fullchain.pem
    • Private Key: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem
  6. Edit your SSL config…
    $ sudo nano /etc/httpd/conf.d/ssl.conf

    1. Set SSLCertificateFile to your Certificate path (see #5 above).
    2. Set SSLCertificateKeyFile to your Private Key path (see #5 above).
    3. Set SSLCertificateChainFile to your Full Chain path (see #5 above).
  7. Restart Apache
    $ sudo service httpd restart
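
A quick check for step 6, added here as an example and not part of the original tutorial: it reads an Apache SSL config and reports any of the three directives that does not point at the certbot paths listed in step 5. The function names `directive_value` and `check_ssl_conf`, the domain `example.com`, and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify that ssl.conf points at the Let's Encrypt files.
# Function names are hypothetical; the sample config below is constructed.

# Print the value of the last active (uncommented) occurrence of a directive.
directive_value() {   # $1 = config file, $2 = directive name
    awk -v want="$2" '
        /^[ \t]*#/ { next }                       # skip commented-out lines
        tolower($1) == tolower(want) { v = $2 }   # directive names are case-insensitive
        END { gsub(/"/, "", v); print v }         # drop optional quotes around the path
    ' "$1"
}

# Return 0 when all three directives match; otherwise print each mismatch and return 1.
check_ssl_conf() {    # $1 = config file, $2 = domain
    live="/etc/letsencrypt/live/$2"
    rc=0
    for pair in \
        "SSLCertificateFile:$live/cert.pem" \
        "SSLCertificateKeyFile:$live/privkey.pem" \
        "SSLCertificateChainFile:$live/fullchain.pem"
    do
        name=${pair%%:*}
        expected=${pair#*:}
        actual=$(directive_value "$1" "$name")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $name: expected $expected, found ${actual:-<not set>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: paths not yet switched over, chain directive commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
EOF
check_ssl_conf "$sample" example.com || echo "ssl.conf still needs editing"
rm -f "$sample"
```

On the server, call `check_ssl_conf /etc/httpd/conf.d/ssl.conf YOUR_WEBSITE_HERE` before restarting Apache; a directive that is still commented out is reported as not set.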

At this point, you can test that your domain works on https. If you’re having problems with WordPress (like redirect loops), you may need to add the following to your wp-config.php file…

define('FORCE_SSL_ADMIN', true);

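// Treat the request as HTTPS when the X-Forwarded-Proto header reports it.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}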

Part 2: Set Up SSL Auto-renew

All Let’s Encrypt certificates are only good for 90 days, so it’s best to configure the certificates to automatically renew. To achieve this, we just need to set up a simple cron job…

  1. Switch to the root user…
    $ sudo -i
  2. Edit crontab (a listing of all the account’s cron jobs)
    $ crontab -e

  3. VIM: Press the i key to enter “insert” mode, which allows you to type and edit the file.
  4. Add the following line to run the renewal twice per day (at 1am and 1pm, respectively):
    0 1,13 * * * /home/ec2-user/certbot-auto renew
  5. VIM: Press the esc key to exit insert mode.
  6. VIM: Type :wq to write the file and then quit vim.

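And that is all there is! Now, your free SSL certificates will automatically renew without you ever having to lift a finger again. Keep in mind that Apache loads certificate files when it starts, so a renewed certificate is only served once httpd has been restarted or reloaded.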


