Using LetsEncrypt on Amazon Linux
For a number of years now I’ve been using LetsEncrypt to provide free SSL certificates for the APEX applications I provide. These certificates last for 90 days and are renewed automatically by a simple script on my server.
Each LetsEncrypt certificate can cover multiple subdomains. They don’t currently support wildcard domains (e.g.
*.example.com) but they are planning to add this next year (2018).
To install LetsEncrypt I ran the following on my Amazon Linux instance (note – this is my web server, not my database server):
cd /opt git clone http://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto -v --debug
(when prompted at the last step I typed “c” to cancel the subsequent steps)
It wasn’t easy at first because I got a number of errors which I’d google (or search the community forum) and eventually find reasonable answers. I’ve had to reinstall a number of times, as the OS is patched regularly and certbot is updated from time to time.
I use Apache to provide about a dozen virtual hosts and therefore the automated installation option didn’t work for me. Instead, I’ve got lines like these in each VirtualHost:
<VirtualHost *:443> ServerName subdomain.mydomain.com ServerAlias subdomain.mydomain.com SSLEngine on SSLCertificateFile "/etc/letsencrypt/live/mydomain.com/cert.pem" SSLCertificateKeyFile "/etc/letsencrypt/live/mydomain.com/privkey.pem" SSLCertificateChainFile "/etc/letsencrypt/live/mydomain.com/chain.pem" ... </VirtualHost>
To register a certificate I used the following command as root (all one line):
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/html -d mydomain.com,www.mydomain.com,sub1.mydomain.com,sub2.mydomain.com
This generates all the keys and certificates and stores them locally. No private keys ever leave the server. This command is using SAN to combine multiple subdomains in one certificate. I run this command again separately for each domain.
To renew all my certificates I run the following command as root:
/opt/letsencrypt/letsencrypt-auto renew -n --no-self-upgrade service httpd restart
This will automatically skip any certificates that are not yet due to expire. I’ve put the above script in a file which is run by cron on a monthly basis.
0 20 1 * * /path-to-script/renewall.sh
To get usage info on the options:
Since it’s free, one cannot expect support from LetsEncrypt directly if there are issues; however, there is an active LetsEncrypt support community which can be helpful at times.
But it’s certainly made a big difference to my bottom line, and provided a bit of peace-of-mind to my users.