Let’s Encrypt for EC2 Apache Server

HTTPS – it has been around for a while now and yet very few websites use it. To make web more secure, in a cost-effective manner for domain owners, Let’s Encrypt was established. It is a free, automated, and open certificate authority (CA) by a non-profit group. You can learn a lot more about them on their website; however, it is kind of hard to use their services if you are using a non-supported OS (in my case AMI Linux provided by AWS).

But with a little bit of trial and error, reading on the net, and time investment – I got it to work. Just putting the steps up here so that anyone can follow it quickly and easily.


Prerequisite


Getting the Cert

1. SSH to your instance and run the following commands:

sudo yum update -y
sudo yum install -y mod24_ssl
sudo service httpd restart
sudo yum install git

2. With that done, clone the latest letsencrypt repository:

git clone https://github.com/letsencrypt/letsencrypt.git

This should create a folder ~/letsencrypt for you.

3. Run the following command, replacing these parameters:

  • YOUR_DOMAIN – your domain name (for example, example.com)
  • /VAR/WWW/HTML – the Apache webroot path
  • YOUR_EMAIL – renewal reminders are sent to this address, so make sure it is a valid one

~/letsencrypt/letsencrypt-auto certonly --renew-by-default -d YOUR_DOMAIN --authenticator webroot --webroot-path /VAR/WWW/HTML --email YOUR_EMAIL --agree-tos --debug

4. When you get the success message, read the first bullet point under IMPORTANT NOTES and note the location of the certificate files (it looks something like /etc/letsencrypt/live/YOUR_DOMAIN).

5. Edit the Apache SSL config file (/etc/httpd/conf.d/ssl.conf) and update the following entries:

  • SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
  • SSLProxyProtocol all -SSLv3
  • SSLHonorCipherOrder on
  • SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
  • SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
  • SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem

6. Change the Apache config to redirect every HTTP (port 80) request to HTTPS. Add the following to httpd.conf:

<VirtualHost *:443>
    ServerAdmin YOUR_EMAIL
    ServerName YOUR_DOMAIN
    DocumentRoot "/VAR/WWW/HTML"
    ErrorLog "logs/YOUR_DOMAIN-error_log"
    CustomLog "logs/YOUR_DOMAIN-access_log" common
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem
</VirtualHost>

Then change the port 80 block to the following (note that the RewriteCond pattern must be a single token, "!=on"; with a space between "!=" and "on", Apache treats "on" as a malformed flag and refuses to start):

<VirtualHost *:80>
    ServerAdmin YOUR_EMAIL
    ServerName YOUR_DOMAIN
    DocumentRoot /VAR/WWW/HTML
    ErrorLog "logs/YOUR_DOMAIN-error_log"
    CustomLog "logs/YOUR_DOMAIN-access_log" common
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>

7. Restart Apache one more time:

sudo service httpd restart
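Before trusting the redirect and the cipher settings, it is worth checking that ssl.conf and httpd.conf really carry what steps 5 and 6 describe. The following is an added Python check, not part of the original post: it reads the directives, evaluates SSLProtocol the way mod_ssl applies "+" and "-" tokens, verifies the certificate paths sit under /etc/letsencrypt/live/, and flags a RewriteCond whose condition is split into two tokens. The embedded config is a constructed sample (example.com is a placeholder) with two deliberate defects so the audit has something to report.

```python
PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
LIVE_DIR = "/etc/letsencrypt/live/"
CERT_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")

# Constructed sample, not a real server's config: SSLv3 is still enabled and the RewriteCond is split.
SAMPLE_CONF = """\
SSLProtocol all -SSLv2
SSLHonorCipherOrder on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} != on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
"""

def directives(text):
    """Yield (name, argument string) per directive line; comments and <tags> are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0], parts[1] if len(parts) > 1 else ""

def enabled_protocols(spec):
    """Apply SSLProtocol tokens in order as mod_ssl does: '+' adds, '-' removes, a bare name replaces."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        names = set(PROTOCOLS) if name.lower() == "all" else {name}
        enabled = (enabled | names) if sign == "+" else (enabled - names) if sign == "-" else names
    return enabled

def audit(text):
    """Return a list of findings; an empty list means the config matches the guide's settings."""
    seen, findings = {}, []
    for name, args in directives(text):
        seen[name] = args  # last occurrence wins, which is enough for this single-site check
        toks = args.split()  # RewriteCond takes TestString CondPattern [flags]: 2 tokens, or 3 with [flags]
        if name == "RewriteCond" and "%{HTTPS}" in args and not (
                len(toks) == 2 or (len(toks) == 3 and toks[2].startswith("["))):
            findings.append(f"RewriteCond '{args}': pattern must be one token, e.g. '%{{HTTPS}} !=on'")
    if weak := enabled_protocols(seen.get("SSLProtocol", "all")) & {"SSLv2", "SSLv3"}:
        findings.append(f"SSLProtocol leaves {sorted(weak)} enabled")
    if seen.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on'")
    for d in CERT_DIRECTIVES:
        if not seen.get(d, "").startswith(LIVE_DIR):
            findings.append(f"{d} does not point under {LIVE_DIR}")
    return findings
```

To check a live box, read /etc/httpd/conf.d/ssl.conf and httpd.conf into one string and pass it to audit().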

And you are done! If you followed all seven steps to the letter, you should have a working SSL certificate from Let’s Encrypt for free. Of course, it costs a ton of money to issue and maintain these certificates – so please donate to them if possible.

Pro tip: Let’s Encrypt certificates expire in 90 days, and for good reason. But renewing the cert by hand gets cumbersome, so add the following entry to your crontab to automate renewal:

1 21 * * 6 /home/ec2-user/letsencrypt/letsencrypt-auto renew