LetsEncrypt On Amazon Linux + Apache

Get your Letsencrypt SSL certificate working on your AWS EC2 Amazon Linux 1 Apache instance in just a few minutes with this detailed step-by-step how-to guide.

Summary

(April 18, 2019) Note: this how-to article is deprecated. The instructions that follow are for Amazon Linux I which itself was deprecated December 13, 2017. If you’ve tried these instructions and received errors then please refer to these updated instructions for Amazon Linux 2.

Adding TLS/SSL encryption over HTTPS is free and easy with Letsencrypt. The Certbot web site provides detailed instructions for the most popular combinations of Linux and web server, but oddly, they do not provide exact instructions for the Amazon Linux AMI, and as it turns out, there are a couple of details that took me several hours to troubleshoot initially. Hopefully this article will help you get HTTPS working on your Amazon Linux EC2 quickly and easily.

Assumptions

Note that this installation strategy only touches the Apache web server layer. If you’re interested, you can read more in the Official Apache Documentation for SSL to see first-hand what the certbot-auto installation program is doing. A LAMP-based web application like WordPress illustrates the effectiveness of this SSL certificate installation strategy in that we (usually) won’t need to do much at the application layer in order to get web traffic flowing over HTTPS.

Implementation

In this how-to article we’re going to install an SSL certificate and reroute all traffic to HTTPS for a fictitious site named ssl.lawrencemcdaniel.com that currently looks like the following

Summarizing the installation and configuration process, we’re going to install a utility app named certbot-auto that we will execute from the command line of your EC2 instance in order to request a new SSL certificate for our domain. We’ll use certbot-auto to request the certificate, and then afterwards, to make adjustments to our Apache web server configuration so that all inbound HTTP requests are automatically forwarded to HTTPS. Ok, let’s get started!

1. Install Certbot

certbot is a free open-source utility app that is sponsored by the letsencrypt.org consortium. Detailed installation instructions are available here. Certbot is not currently available through yum repositories, so we’ll download the certbot-auto script manually using wget as follows:

# change to our home directory
cd

# This is important! Certbot assumes that you've already installed Apache's SSL support module.
# If you skip this step then you'll get errors later on when certbot attempts to add
# your new certificate to your virtual host configuration.
sudo yum install -y mod24_ssl

# Download the certbot-auto script. This is the official download site of the
# Electronic Frontier Foundation (https://www.eff.org/), the official
# Certbot project sponsor.
wget https://dl.eff.org/certbot-auto

# make certbot-auto executable
chmod a+x certbot-auto

2. Execute certbot-auto

Now we’re ready to execute certbot-auto to request our SSL certificate.

# Note: the --debug flag is required (and misleading)
# This flag prompts certbot-auto to install the lengthy list
# of prerequisites on which certbot-auto depends.
sudo ./certbot-auto --debug

Executing certbot-auto is a multi-step Q&A process. You’ll be asked around six questions. Refer to the following screenshots for my responses:

Certbot-auto registers an email address where they’ll send renewal reminders and alerts.

These last two screens (to the right, and below) contain the important questions. Certbot-auto compiles a list of the virtual server sites that it finds in your Apache configuration and presents these as an enumerated list. You can select more than one site by separating the numbers with commas.

3. Enable HTTP Redirection

Answer ‘Yes’ to this question so that certbot-auto automatically reconfigures your Apache server so that HTTP traffic automatically redirects to HTTPS.

And voilà! We’re running our WordPress site over HTTPS.

4. Setup Automatic SSL Certificate Renewal

Be aware that SSL certificates expire. You can run the following command to view the expiration dates of all certificates issued to your server:

sudo ./certbot-auto certificates

certbot SSL certificates are usually issued for only 90 days, at which point they must be renewed or they’ll become invalid and your site will break. We’ll set up a cron job to automatically run certbot-auto’s certificate renewal program once per week. You can read more about the certbot-auto “renew” command in the Certbot Instructions.

crontab -e

Then add this row to your cron table:

0 12 * * 6 sudo /home/ec2-user/certbot-auto renew


And now you’re set! Your site is running over HTTPS and certbot-auto will automatically renew your SSL certificate for you on an as-needed basis.
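A weekly cron job can fail silently (for example if sudo prompts for a password, or certbot-auto breaks as in the comments below), and the first sign is usually an expired certificate. The following added check, not part of the original article, parses the output of the `certbot-auto certificates` command shown above and reports any certificate with 30 days or less of validity left, which is exactly the window in which `renew` should already have acted. The `certbot-auto certificates` output embedded here is constructed sample data; the hostnames other than the article's ssl.lawrencemcdaniel.com are made up.

```shell
#!/bin/sh
# Added example: parse the output of `certbot-auto certificates` and list
# certificates with THRESHOLD days or fewer of validity left. Run it from
# cron a day after the "renew" job; any output (and a non-zero exit) means
# the weekly renewal is not doing its job.
# Usage: ./check_expiry.sh [threshold_days]   (default 30)

# Constructed sample in the format certbot prints. In production replace
# this with:  SAMPLE_OUTPUT=$(sudo /home/ec2-user/certbot-auto certificates)
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: ssl.lawrencemcdaniel.com
    Domains: ssl.lawrencemcdaniel.com
    Expiry Date: 2019-07-09 12:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ssl.lawrencemcdaniel.com/fullchain.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com www.shop.example.com
    Expiry Date: 2019-05-03 08:15:00+00:00 (VALID: 22 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2019-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem'

# Print "<name> <days-left>" for each certificate at or below the threshold.
# An already-expired certificate is reported as -1 days.
certs_needing_attention() {
    limit="$1"
    printf '%s\n' "$2" | awk -v limit="$limit" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) { print name, "-1"; next }
            # the field after "(VALID:" is the remaining day count
            for (i = 1; i <= NF; i++) if ($i == "(VALID:") days = $(i + 1)
            if (days + 0 <= limit + 0) print name, days
        }'
}

# Non-zero exit when anything is due, so cron mails the report to the admin.
main() {
    limit="${1:-30}"
    due=$(certs_needing_attention "$limit" "$SAMPLE_OUTPUT")
    if [ -n "$due" ]; then
        printf 'Certificates with %s days or less left (renewal may be failing):\n%s\n' "$limit" "$due"
        return 1
    fi
    echo "All certificates have more than $limit days of validity left."
}

main "$@"
```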

Posted January 10th, 2018 (last updated 2019-04-16T17:42:11-06:00). Categories: AWS, Dev Ops, Wordpress.

About the Author:

Lawrence is a full stack developer specializing in the Open edX platform, Django, Angular, Ionic, Wordpress and Amazon Web Services. He lives in Puerto Escondido, Oaxaca, Mexico.

10 Comments

  1. Adam Kendall April 10, 2019 at 5:19 pm - Reply

    Hi there!

    Thanks for putting this tutorial together.

    I ran into an issue when executing the certbot-auto script. It crashes when creating the virtual environment, saying something about some python files not found.

    Searching around google, I found a post on the certbot github below mentioning that python 2.6 support for Centos 6 will be removed in the “next” release (this was posted March 2018):
    https://github.com/certbot/certbot/issues/5642

    But I’m seeing warnings everywhere saying upgrading Centos 6 python to 2.7 can break yum.

    Just curious, has anyone confirmed that this tutorial still works for Amazon Linux 1 as of April 2019?

    • Adam Kendall April 10, 2019 at 5:26 pm - Reply

      Here’s the output from certbot-auto:

      Creating virtual environment...
      Traceback (most recent call last):
      File "", line 27, in
      File "", line 19, in create_venv
      File "/usr/lib64/python2.7/subprocess.py", line 185, in check_call
      retcode = call(*popenargs, **kwargs)
      File "/usr/lib64/python2.7/subprocess.py", line 172, in call
      return Popen(*popenargs, **kwargs).wait()
      File "/usr/lib64/python2.7/subprocess.py", line 394, in __init__
      errread, errwrite)
      File "/usr/lib64/python2.7/subprocess.py", line 1047, in _execute_child
      raise child_exception
      OSError: [Errno 2] No such file or directory

  2. Robert Givens March 19, 2019 at 12:43 pm - Reply

    Thanks! This worked perfectly, except that I got stuck editing the crontab in vi. I’m more familiar with nano. Here’s how to open the cron tab with nano: export VISUAL=nano; crontab -e

  3. aniq August 30, 2018 at 10:22 am - Reply

    Is there a way to remove the certbot-auto in my root? I’m using AWS EC2 and there are too many certbot-auto files.

    • admin August 30, 2018 at 10:35 am - Reply

      hi Aniq, i’m surprised that you see more than one file of the form “certbot-auto” in your home folder. i would expect you to only see the one executable file. you can move the files to a subdirectory located anywhere on the server you like. you’ll only need to update the path information in the cron job.

  4. Oli June 13, 2018 at 6:04 pm - Reply

    Thanks for this! I read various tutorials and this one was the most correct and worked perfectly for me. Only addition I’d make would be to explain to people how to save on vi at the end (or use Nano).
