Lets Encrypt Logo

(Seriously free SSL certificates this time)

So I’ve written in the past about the push for HTTPS Everywhere and how Amazon was helping to tackle that goal (over here).  Last year, Amazon added their Certificate Manager.  It’s a really great tool and goes a long way towards reducing some of the pain points of SSL certificates, specifically management.  Never again will the IT team be scrambling to replace a customer facing SSL certificate that has expired.  Instead, Amazon takes care of it all, which is great.

Now, because Amazon is managing the certificate, they also have to manage the device it’s running on.  Traditionally, that meant placing the certificate on something like an Elastic Load Balancer.  While great, there are cases when you don’t want or need to worry about an additional tool in the chain.  For example, it seems pretty ridiculous to have a load balancer sitting in front of a single development EC2 instance.  However, that instance probably still needs an SSL certificate.

That’s where Let’s Encrypt comes in!  It is a totally free, totally automated, and open Certificate Authority run by the Internet Security Research Group.  The goal of the project is to continue the push for HTTPS Everywhere, and it does a great job.  Let’s see how to get it up on running on your Amazon Linux EC2 instance.

Step 0. This should be obvious, but make sure that you have SSL setup on your instance.  Amazon has a great doc located here, if need help setting up Apache.  You’ll also need a DNS record for the domain pointing at the public IP of this instance.

Step 1. We need to download the binary that we’ll be using to start, and then automate, the process.  I’ve rolled it altogether to save some steps:

curl -O https://dl.eff.org/certbot-auto && chmod +x certbot-auto && sudo mv certbot-auto /usr/local/bin/certbot-auto

Step 2. Now run the certbot to start the process of generating your SSL certificates.  The command is as follows (note that I’ve added both www and non-www.  You can add as many domains as you’d like, as long as you can prove ownership):

sudo /usr/local/bin/certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d stegsolutions.com -d www.stegsolutions.com

Step 3. This launches the certbot wizard.  If this is your first time running it, it will ask for your email address.  This will be used for notification purposes only.  The next question will ask how you want to verify that you actually control the domain names that you’re requesting certificates for.  For the sake of this post, we’re using Apache, so select the first option.  It will now do some wizardry and at the end, you’ll have a brand new, and free, SSL certificate located in the /etc/letsencrypt/live/ directory, like this:

  • /etc/letsencrypt/live/stegsolutions.com/cert.pem
  • /etc/letsencrypt/live/stegsolutions.com/privkey.pem
  • /etc/letsencrypt/live/stegsolutions.com/fullchain.pem

Step 4. All that’s left to do is add these to your SSL config using the following command:

sudo nano /etc/httpd/conf.d/ssl.conf
  • Set SSLCertificateFile to /etc/letsencrypt/live/stegsolutions.com/cert.pem
  • Set SSLCertificateKeyFile to /etc/letsencrypt/live/stegsolutions.com/privkey.pem
  • Set SSLCertificateChainFile to /etc/letsencrypt/live/stegsolutions.com/fullchain.pem

Step 5. Restart apache and test your new SSL certificate.

sudo service httpd restart

You should now be the proud owner of a brand new SSL certificate.  Run some tests to ensure everything is working correctly.  During your tests, you might notice that the certificate is only good for ninety days.  Luckily, certbot has the ability to automatically renew the certificate for you without any intervention using a simple cron job.  Once everything is working properly, fire up crontab.

sudo crontab -e

Then add a line to ask certbot to attempt to renew your certificates once a day.

30 2 * * * /usr/local/bin/certbot-auto renew --debug

Now your certificates will be automatically updated when needed, and you’ll hopefully never have to worry about them again.


Error note:  I recently ran into this error during a client install

/usr/local/bin/certbot-auto: line 664: virtualenv: command not found

The resolution for me was to symlink virtualenv with the following command:

sudo ln -s /usr/local/bin/virtualenv /usr/bin/virtualenv

This post originally appeared on stegsolutions.com. Need help with your virtualization project? Let us help. Contact zac@stegsolutions.com for more information.