Installing LetsEncrypt’s free SSL on Amazon Linux

Getting a free SSL certificate for your site is now easier than ever. On AWS, certificates are free and easy for any load-balanced environment you create. But what if you aren’t running a load-balanced site? If you followed my earlier guide The Ultimate Guide to WordPress on AWS EC2 then this tutorial is for you.

In this article, I’m assuming you’re running Apache on an Amazon Linux EC2 instance. We’ll install a free SSL certificate from Let’s Encrypt and configure it to automatically renew.

Part 1: Install SSL Certificates

Before beginning, be sure to disable any caching plugins you have installed.

  1. SSH into your server.
  2. Download certbot (the Let’s Encrypt client needed to install & renew certs)
    $ wget https://dl.eff.org/certbot-auto
    $ chmod a+x certbot-auto
  3. Run certbot to fetch your certificates…
    $ sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d YOUR_WEBSITE_HERE

  4. This will launch a visual wizard. You’ll need to enter an admin email, and then point it at your web root (the directory your website is actually hosted out of). On Amazon Linux, this is likely /var/www/html, especially if you’ve followed my tutorials. Once finished with the wizard, you’ll have valid SSL certificates. Now we just need to add them to Apache!
  5. certbot will place your certs in the following paths…
    • Certificate: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem
    • Full Chain: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/fullchain.pem
    • Private Key: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem
  6. Edit your SSL config…
    $ sudo nano /etc/httpd/conf.d/ssl.conf

    1. Set SSLCertificateFile to your Certificate path (see #5 above).
    2. Set SSLCertificateKeyFile to your Private Key path (see #5 above).
    3. Set SSLCertificateChainFile to your Full Chain path (see #5 above).
  7. Restart Apache
    $ sudo service httpd restart

At this point, you can test that your domain works on https. If you’re having problems with WordPress (like redirect loops), you may need to add the following to your wp-config.php file…

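    define('WP_HOME','https://YOUR_WEBSITE_HERE');
    define('WP_SITEURL','https://YOUR_WEBSITE_HERE');
    define('FORCE_SSL_ADMIN', true);

    // Only takes effect when a proxy or load balancer in front of the server sets X-Forwarded-Proto.
    // isset() avoids a PHP notice when the header is absent.
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
        $_SERVER['HTTPS'] = 'on';
    }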

Part 2: Setup SSL Auto-renew

All Let’s Encrypt certificates are only good for 90 days, so it’s best to configure the certificates to automatically renew. To achieve this, we just need to set up a simple cron job…

  1. Switch to the root user…
    $ sudo -i
  2. Edit crontab (a listing of all the account’s cron jobs)
    $ crontab -e

  3. VIM: Press the i key to enter “insert” mode, which allows you to type and edit the file.
  4. Add the following line to run the renewal twice per day (at 1am and 1pm, respectively):
    0 1,13 * * * /home/ec2-user/certbot-auto renew
  5. VIM: Press the esc key to exit insert mode.
  6. VIM: Type :wq to write the file and then quit vim.

And that is all there is! Now, your free SSL certificates will automatically renew without you ever having to lift a finger again.

Comments

Matt
Reply

Comments are back! Curse you, Cookies for Comments plugin!

Michael
Reply

Thank you for this clear, concise instruction on how to set up Let's Encrypt on Amazon Linux. You saved me a lot of trouble!

Reply

Thanks Matt,
This really saved me time. I followed this blog article and was successfully able to install SSL with Let's Encrypt, but after configuring, my website is still not showing the green button. Is there anything I need to change?

Thanks!

rajesh Naveen
Reply

Hey Naveen, did you restart the server? Try to open the website in incognito mode.

rajesh
Reply

Thanks for this. I land on this page every time I want to install a certificate.

Reply

Followed all steps but when I visit the site through https I just get this message:
This site can’t be reached

I can visit it with http, though.

jhjeong
Reply

Thank you very much.

Joel
Reply

I think wildcard support is available now if you specify the ACMEv2 server? Any tips on how to do that? Thank you so much for this guide, it’s allowed me to do so much in no time at all.

--server https://acme-v02.api.letsencrypt.org/directory

Arturo
Reply

Thank you! You saved me! Very clear tutorial.
