Using Let’s Encrypt is so easy, there’s no excuse not to do it…the only drawback is that certificates expire after three months, but they’ll email to give you a heads-up when it gets close to time to switch ‘em up…and it really is simple (and free!) to get them issued.
Here’s a run-through of how to use Certbot to install a Let’s Encrypt SSL certificate on an Amazon Linux image:
- SSH into your web server.
- Download certbot:
  `wget https://dl.eff.org/certbot-auto`
- Make certbot-auto executable:
  `chmod 700 certbot-auto`
- Run certbot with the --apache flag (add --debug if you're using the Amazon AMI):
  `sudo ./certbot-auto --debug --apache`
- When prompted to install dependencies, type `y`.
- When prompted to provide an email address for renewal notices, enter your email address.
- Read the Terms of Service; if you agree, type A and press Enter.
- If you're willing to share your email address with EFF, type it in and press Enter.
- Certbot will search your configuration file for virtual hosts that contain ServerName directives. This may be broken for Apache 2.4 on CentOS, because it does not find the /etc/httpd/conf/httpd.conf file or the ServerName directives you've added there. This is probably just as well, since Certbot doesn't support multiple VirtualHosts and you don't want a script mucking about in your carefully-crafted httpd.conf anyway; you can move the info from ssl.conf into your httpd.conf later if you like.
- If Certbot doesn't find your config files and domain names successfully, you'll be prompted to type in your names. Type in your domain name (if multiple, separate with a space or comma) and press Enter.
  No names were found in your configuration files. Please enter in your domain name(s)(comma and/or space separated) (Enter 'c' to cancel): **yourdomain.com**
- Certbot will perform a challenge to ensure you are running it from the domain; this will fail if your web server isn't running and/or the web ports aren't open. You can either open them quickly enough for the challenge to succeed, or just cancel and rerun once you've opened them. (Let's Encrypt has since retired the tls-sni-01 challenge shown below; current Certbot releases use http-01 instead, which likewise needs the web port reachable from the internet.)
  Obtaining a new certificate
  Performing the following challenges:
  tls-sni-01 challenge for yourdomain.com
- In my case, Certbot wasn't able to find my virtual host entry (enhancement request for Certbot: let us enter our configuration directory! :), so it gave me the option to put the configuration in ssl.conf (/etc/httpd/conf.d/ssl.conf). Type 1 to assent and press Enter.
  We were unable to find a vhost with a ServerName or Address of yourdomain.com.
  Which virtual host would you like to choose?
  (note: conf files with multiple vhosts are not yet supported)
  ---------------------------------------------------------------------------
  1: ssl.conf | | HTTPS | Enabled
  ---------------------------------------------------------------------------
  Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
- Certbot then generates the server's private and public key pair, generates a certificate signing request, sends it over to Let's Encrypt, and returns the certificate.
  Waiting for verification...
  Cleaning up challenges
  Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
  Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
- If you're running the same version I am, you'll be asked again where to put your configuration info; type 1 to choose ssl.conf and press Enter.
  We were unable to find a vhost with a ServerName or Address of yourdomain.com.
  Which virtual host would you like to choose?
  (note: conf files with multiple vhosts are not yet supported)
  ---------------------------------------------------------------------------
  1: ssl.conf | | HTTPS | Enabled
  ---------------------------------------------------------------------------
  Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
- Certbot will copy the keys and update ssl.conf with a configured default VirtualHost container that specifies SSL options and certificate location.
  Deploying Certificate for 7minuteserver.com to VirtualHost /etc/httpd/conf.d/ssl.conf
- You'll be prompted to choose whether HTTPS access is optional (1) or required (2). Certbot will configure the VirtualHosts in ssl.conf according to what you choose here (in my case, I'm already redirecting port 80 traffic to 443, but chose 2 anyway; it didn't seem to break anything).
  Please choose whether HTTPS access is required or optional.
  -------------------------------------------------------------
  1: Easy - Allow both HTTP and HTTPS access to these sites
  2: Secure - Make all requests redirect to secure HTTPS access
  -------------------------------------------------------------
  Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
- You're all done! Open your site in a browser at `https://mydomain/` and check your certificate. Then you can check your configuration at https://www.ssllabs.com/ssltest/analyze.html. Make a few more tweaks and you may find your goofy blog gets a better grade than your bank… 0_o
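Since these certificates only last three months, "check your certificate" is worth automating. The following is an added example (not from the original post or from Certbot) that probes the live server the way Certbot's own renewal window does: it warns when fewer than 30 days remain and confirms the certificate actually covers the host name you serve. The `SAMPLE_CERT` dict is a constructed stand-in in the format `ssl.getpeercert()` returns; `yourdomain.com` is a placeholder.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WARN_DAYS = 30  # Certbot's default: it renews when < 30 days remain

def fetch_peer_cert(host, port=443):
    """Fetch the live cert as a getpeercert() dict, verifying the chain against the system CA store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, UTC) until the cert's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return int((expires - now) // 86400)

def _name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard such as *.yourdomain.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname

def covers_hostname(cert, hostname):
    """True if hostname matches a DNS subjectAltName (Let's Encrypt certs always carry SANs)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_name_matches(n, hostname) for n in names)

def check(cert, hostname, now=None):
    """Return (ok, problems) the way a monitoring probe would report it."""
    problems = []
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append(f"certificate expired {-days} days ago")
    elif days < RENEW_WARN_DAYS:
        problems.append(f"only {days} days left; renewal is overdue")
    if not covers_hostname(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    return (not problems, problems)

# Constructed sample in getpeercert() format; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "www.yourdomain.com")),
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}
```

Against a real server, run `check(fetch_peer_cert("yourdomain.com"), "yourdomain.com")` from cron and alert on a False result; a chain that doesn't validate raises `ssl.SSLCertVerificationError` from `fetch_peer_cert`, which is also worth alerting on.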