
How to set up free SSL certificates with Let’s Encrypt and Apache

The folks at Let’s Encrypt decided to create a certificate authority that issues completely free SSL certificates. Let’s Encrypt provides free, automatically-renewing SSL certificates that allow you to enable HTTPS connections to your website or web application. Sound too good to be true? It’s (almost) not! The only downside to using Let’s Encrypt is that the certificates expire every 90 days; however, it is incredibly easy to set your server to auto-renew the certificate before it expires.

In this tutorial, we’ll show you how to install and configure Let’s Encrypt certificates on your Amazon Linux server. Scroll down for step-by-step instructions.

For Amazon Linux running Apache

1. Install Certbot

First things first, let’s make sure you’ve got Apache’s SSL support module installed:

sudo yum install -y mod24_ssl

Now, we want to install Certbot, which is an open-source app that is supported by Let’s Encrypt. Certbot makes generating and installing the cert a breeze. To download the certbot-auto script:

wget https://dl.eff.org/certbot-auto

Let’s make certbot-auto executable:

chmod a+x certbot-auto

2. Use Certbot to request the SSL certificate

Now that Certbot is installed, let’s use it to request our SSL certificate:

sudo ./certbot-auto --debug

You’ll be asked to confirm the download, so type Y and then press enter.

Make sure you accept the terms by typing A and pressing enter.

Next, you’ll be prompted to enter your email address, which is used for alerts and renewal reminders. Type your email address and then press enter.

Then, you’ll be asked to choose which domain names to use for your SSL certificate. You’ll see something like this:

-----------------------------------------------------------
1. yourdomain.com
2. www.yourdomain.com
-----------------------------------------------------------

You want to include both, so respond to the prompt by just pressing enter, which selects all domains. If there are many domains available, choose the ones you want by typing 1, 2, for example, and then press enter.

Your SSL certificate will be generated and installed, and your Apache server will be automatically configured.

3. Enable HTTP redirection

After the cert is installed, Certbot will ask you if you want to force HTTP to redirect to HTTPS. In most cases, you’ll want to do this, so type 2 and press enter. If you don’t want to force the redirect, you would choose option 1.

That’s it…your SSL cert is enabled, and you should be able to access your site over HTTPS!

4. Configure your server to automatically renew the certificate

If you run the command below, you’ll see all of your certs and their expiration dates:

sudo ./certbot-auto certificates

Of course, you don’t want to manually update the certificate before it expires, so we can use the crontab to have Certbot renew the certificate automatically. Here’s how: use the following command to open the crontab for editing:

crontab -e

Now, add the following row to the table:

0 12 * * 6 sudo /home/ec2-user/certbot-auto renew

To save the crontab, type :wq and then press enter.

Success! You’re all set!

For Amazon Linux 2 running Apache

1. Configure the Server

First, we need to install mod_ssl to enable SSL support:

sudo yum install -y mod_ssl

Now, we need to reboot the server, so run the reboot command. Your SSH connection will be interrupted, so once the server has rebooted, you’ll need to SSH back in.

Once you’re back in, restart the webserver:

sudo systemctl restart httpd

We also need to install the EPEL 7 repository, which will give us access to Certbot:

sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/

Now install the package:

sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm

And enable EPEL:

sudo yum-config-manager --enable epel*

Also, make sure you’ve defined your domain/server name in either /etc/httpd/conf/httpd.conf or a virtual host configuration. It would look something like this:

<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "example.com"
ServerAlias "www.example.com"
</VirtualHost>

If you need to add the ServerName and ServerAlias, then be sure to restart Apache with:

sudo systemctl restart httpd
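
A quick way to see which names each virtual host declares before moving on to Certbot. This is an added example, not part of the original post; `list_vhost_names` and `write_sample_conf` are hypothetical helper names, and the second virtual host in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list the host names each
# <VirtualHost> block declares, and flag blocks that declare none.

# list_vhost_names FILE
# Prints "<address> <name>" for every ServerName / ServerAlias value, and
# "<address> MISSING-ServerName" for a block without a ServerName.
list_vhost_names() {
    awk '
        $1 ~ /^#/ { next }                        # skip comment lines
        tolower($1) == "<virtualhost" {           # e.g. <VirtualHost *:80>
            addr = $2; sub(/>$/, "", addr); named = 0; next
        }
        tolower($1) == "</virtualhost>" {
            if (!named) print addr, "MISSING-ServerName"
            addr = ""; next
        }
        addr == "" { next }                       # ignore server-level lines
        tolower($1) == "servername" {
            named = 1; gsub(/"/, "", $2); print addr, $2
        }
        tolower($1) == "serveralias" {            # may carry several names
            for (i = 2; i <= NF; i++) { gsub(/"/, "", $i); print addr, $i }
        }
    ' "$1"
}

# Constructed sample: the vhost from this post plus one with no ServerName.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "example.com"
ServerAlias "www.example.com"
</VirtualHost>
<VirtualHost *:8080>
    DocumentRoot "/var/www/staging"
</VirtualHost>
EOF
}

# Usage on a server: pass the Apache configuration file to inspect.
if [ $# -gt 0 ]; then
    list_vhost_names "$1"
fi
```

On the server, run it against /etc/httpd/conf/httpd.conf or the file that holds your virtual hosts.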

2. Install Certbot

To install Certbot:

sudo yum install -y certbot python2-certbot-apache

Once it is installed, run Certbot to request your SSL certificate. When prompted, accept the terms by typing A and pressing enter.

Next, you’ll be prompted to enter your email address, which is used for alerts and renewal reminders. Type your email address and then press enter.

Then, you’ll be asked to choose which domain names to use for your SSL certificate. You’ll see something like this:

-----------------------------------------------------------
1. yourdomain.com
2. www.yourdomain.com
-----------------------------------------------------------

You want to include both, so respond to the prompt by just pressing enter, which selects all domains. If there are many domains available, choose the ones you want by typing 1, 2, for example, and then press enter.

Your SSL certificate will be generated and installed, and your Apache server will be automatically configured.

3. Enable HTTP redirection

After the cert is installed, Certbot will ask you if you want to force HTTP to redirect to HTTPS. In most cases, you’ll want to do this, so type 2 and press enter. If you don’t want to force the redirect, you would choose option 1.

That’s it…your SSL cert is enabled, and you should be able to access your site over HTTPS!

4. Configure your server to automatically renew the certificate

To set your server to automatically renew the certificate before it expires, first open your crontab:

sudo nano /etc/crontab

Paste the following line in the crontab:

39      1,13    *       *       *       root    certbot renew --no-self-upgrade

Then, restart the cron daemon:

sudo systemctl restart crond

That’s it…you’re good to go!
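
To confirm that the cron job in either section is actually renewing, you can check how long the installed certificate has left. This is an added example, not code from the original post; the `cert_status` and `make_sample_cert` names and the 20-day threshold are assumptions, as is the reliance on `certbot renew` acting once fewer than 30 days remain (its default).

```shell
#!/bin/sh
# Added example (not from the original post): detect a renewal job that has
# silently stopped working by checking how long a certificate has left.

# cert_status FILE [MIN_DAYS]
# Prints one of: ok, renewal-overdue, expired, unreadable.
# MIN_DAYS defaults to 20. certbot renew replaces certificates with fewer than
# 30 days left, so even the weekly schedule should never let one drop below
# about 23 days; under 20 means scheduled runs have been failing.
cert_status() {
    cert=$1
    min_days=${2:-20}
    # Reject missing files and files that are not PEM certificates.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo renewal-overdue; return 1
    fi
    echo ok
}

# make_sample_cert FILE DAYS
# Constructed test input: a throwaway self-signed certificate valid for DAYS.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=example.com" >/dev/null 2>&1 &&
        rm -f "$1.key"
}

# Usage on a server: pass the certificate path, e.g. cert.pem under
# /etc/letsencrypt/live/<your-domain>/ (Certbot's default layout, assumed here).
if [ $# -gt 0 ]; then
    cert_status "$@"
fi
```

A non-zero exit status makes the function easy to call from a monitoring job that alerts on failure.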
