LetsEncrypt on Amazon Linux
August 29th, 2016
Setting up Let's Encrypt certificates when you don't want to pay extra for an ALB
This one's pretty simple.
I started with Ivo Petkov's excellent notes and O-mkar's question and self-answer to get LetsEncrypt up on my EC2 instance, then added a cron job.
TL;DR:
sudo bash
yum install python27-devel git
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
unset PYTHON_INSTALL_LAYOUT
/opt/letsencrypt/letsencrypt-auto --debug
echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
echo "email = [email protected]" >> /etc/letsencrypt/config.ini
unset PYTHON_INSTALL_LAYOUT
/opt/letsencrypt/letsencrypt-auto certonly --webroot -w /var/www/yourdomainroot -d yourdomain.com -d www.yourdomain.com --config /etc/letsencrypt/config.ini --agree-tos
yum install mod24_ssl
Add the following to /etc/httpd/conf.d/vhost.conf:
<VirtualHost *:443>
ServerName yourdomain.com
DocumentRoot "/var/www/yourdomainroot"
<Directory "/var/www/yourdomainroot">
AllowOverride All
</Directory>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>
And finally, a renewal cron job:
cat > /opt/letsencrypt/autorenew <<'EOF'
#!/bin/bash
unset PYTHON_INSTALL_LAYOUT
# Renew any certificate that is close to expiry, then reload Apache so it picks up the new files
/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos && apachectl graceful
EOF
chmod a+x /opt/letsencrypt/autorenew
Then run crontab -e
and add the following entry:
0 0 * * * /opt/letsencrypt/autorenew
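A check script to go with the install above and the cron job, as an added example that is not from the original post or from the Let's Encrypt project. It verifies the three things that silently go wrong with this setup: the certificate creeping towards expiry because the cron renewal is failing, privkey.pem no longer matching cert.pem after a half-finished renewal (mod_ssl rejects the config when they mismatch), and cert.pem not chaining through chain.pem to a trusted root. It assumes the /etc/letsencrypt/live/yourdomain.com/ layout used in the post and the Amazon Linux root bundle at /etc/pki/tls/certs/ca-bundle.crt; with no arguments it runs against a constructed root/intermediate/leaf hierarchy it builds itself, so it needs only openssl.

```bash
#!/bin/bash
# Added example (not part of the original post): health checks for the files
# letsencrypt-auto writes under /etc/letsencrypt/live/<domain>/. Every check
# takes explicit paths so it works on the real install and on the throwaway
# test CA that make_fixtures builds below. Assumed paths are labelled.

# Print the certificate's notAfter date (for logs / eyeballing).
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate expires within $2 days. Let's Encrypt certs live
# 90 days and the client renews under 30, so if this is still true the day
# after the cron job ran, renewal is failing and nobody has noticed yet.
expires_within_days() {
    [ -r "$1" ] || { echo "missing $1" >&2; return 2; }
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if privkey.pem is the key for cert.pem (compares the public key
# extracted from each file).
cert_matches_key() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if cert.pem chains through chain.pem (the intermediate) to a root in
# $3. The default is the Amazon Linux system bundle (assumed path).
chain_verifies() {
    cafile="${3:-/etc/pki/tls/certs/ca-bundle.crt}"
    openssl verify -CAfile "$cafile" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Build a constructed root -> intermediate -> leaf hierarchy in a temp dir,
# laid out like a live/ directory (cert.pem, chain.pem, privkey.pem), plus
# root.pem as the trust anchor. Prints the directory.
make_fixtures() {
    d=$(mktemp -d)
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/chain.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=yourdomain.com' \
        -keyout "$d/privkey.pem" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 90 -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/cert.pem" >/dev/null 2>&1
    echo "$d"
}

# Run every check against a live/ directory. Exit 1 on a hard failure.
check_live_dir() {
    live="${1:-/etc/letsencrypt/live/yourdomain.com}"   # assumed layout from the post
    root="${2:-/etc/pki/tls/certs/ca-bundle.crt}"       # assumed Amazon Linux bundle
    echo "cert expires: $(cert_not_after "$live/cert.pem")"
    expires_within_days "$live/cert.pem" 30 && echo "WARNING: under 30 days left, renewal is due"
    cert_matches_key "$live/cert.pem" "$live/privkey.pem" \
        || { echo "ERROR: privkey.pem does not match cert.pem"; return 1; }
    chain_verifies "$live/cert.pem" "$live/chain.pem" "$root" \
        || { echo "ERROR: cert.pem does not chain to a trusted root"; return 1; }
    echo "OK"
}

# Usage: certcheck [/etc/letsencrypt/live/yourdomain.com [root-bundle.pem]]
# With no arguments, self-test against the constructed fixtures.
if [ $# -gt 0 ]; then
    check_live_dir "$@"
else
    fixtures=$(make_fixtures)
    check_live_dir "$fixtures" "$fixtures/root.pem"
    rm -rf "$fixtures"
fi
```

Drop it next to the autorenew script and run it from the same crontab an hour after the renewal; a non-zero exit or a WARNING line is the signal that the renewal needs attention before the 90 days run out. The expiry test uses openssl's -checkend rather than parsing dates, so it behaves the same on every openssl version Amazon Linux ships.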
For bonus marks: since you've probably got an HTTP vhost for port 80 that looks something like this:
<VirtualHost *:80>
DocumentRoot "/var/www/yourdomainroot"
ServerName yourdomain.com
ServerAlias yourdomain.com
<Directory "/var/www/yourdomainroot">
AllowOverride All
</Directory>
# Other directives here
</VirtualHost>
simply add the following to your .htaccess to redirect everybody hitting your formerly insecure site to https:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]