I decided to give Let's Encrypt a try, but I wanted to manually handle the editing of the Apache SSL/TLS configuration (I don't trust a script to properly do this without making a mess of things). Surprisingly, as of the time of this post, Let's Encrypt does not provide configuration information for Amazon Linux. Using the information here, I was able to cobble together a short list of steps to get everything up and running:
1. Download the newest version of the Certbot Auto script:
cd /home/ec2-user
wget https://dl.eff.org/certbot-auto
2. Change permissions to make the script executable:
chmod 755 certbot-auto
The script checks for the presence of /etc/issue, and looks for the string "Amazon Linux" therein. On my instance, this file was not present. If the script doesn't find the file, you will receive the following error:
Sorry, I don't know how to bootstrap Certbot on your operating system!
You will need to bootstrap, configure virtualenv, and run pip install manually. Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites for more info.
3. If "/etc/issue" is not present on your instance, create the file, adding the string "Amazon Linux" therein. Note that sudo echo "Amazon Linux" > /etc/issue does not work, because the redirection is performed by your unprivileged shell rather than by sudo; pipe the string through sudo tee instead:
echo "Amazon Linux" | sudo tee /etc/issue
4. Run the script with the following parameters, replacing "13cubed.com" and "www.13cubed.com" with your domain. Note the "certonly" parameter, which instructs the script to NOT modify any configuration files. You can add as many "-d" flags as necessary, but wildcards are not supported:
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d www.13cubed.com -d 13cubed.com
You will likely be prompted to install several packages. In my example, I installed the following:
mpfr-3.1.1-4.14.amzn1.x86_64
libmpc-1.0.1-3.3.amzn1.x86_64
cpp48-4.8.3-9.111.amzn1.x86_64
libsepol-devel-2.1.7-3.12.amzn1.x86_64
libselinux-devel-2.1.10-3.22.amzn1.x86_64
libverto-devel-0.2.5-4.9.amzn1.x86_64
kernel-headers-4.4.41-36.55.amzn1.x86_64
glibc-headers-2.17-106.168.amzn1.x86_64
glibc-devel-2.17-106.168.amzn1.x86_64
libcom_err-devel-1.42.12-4.40.amzn1.x86_64
zlib-devel-1.2.8-7.18.amzn1.x86_64
keyutils-libs-devel-1.5.8-3.12.amzn1.x86_64
krb5-devel-1.13.2-12.40.amzn1.x86_64
libgomp-4.8.3-9.111.amzn1.x86_64
gcc48-4.8.3-9.111.amzn1.x86_64
gcc-4.8.3-3.20.amzn1.noarch
1:openssl-devel-1.0.1k-15.96.amzn1.x86_64
libffi-devel-3.0.13-16.5.amzn1.x86_64
system-rpm-config-9.0.3-42.28.amzn1.noarch
python27-tools-2.7.12-2.120.amzn1.x86_64
augeas-libs-1.0.0-5.7.amzn1.x86_64
The script will then ask how the CA should verify ownership of the domain for which you wish to obtain the certificate. I chose the second option, which involved placing a temporary file within the web root (normally /var/www/html on a default installation).
Once the script has finished, it will have generated the following symlinks within /etc/letsencrypt/live/[DOMAIN NAME]/:
Example:
cert.pem -> ../../archive/www.13cubed.com/cert1.pem
chain.pem -> ../../archive/www.13cubed.com/chain1.pem
fullchain.pem -> ../../archive/www.13cubed.com/fullchain1.pem
privkey.pem -> ../../archive/www.13cubed.com/privkey1.pem
5. Assuming you are using Apache, edit /etc/httpd/conf.d/ssl.conf as follows, changing "www.13cubed.com" to the name of the domain for which you obtained the certificate:
vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/letsencrypt/live/www.13cubed.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.13cubed.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.13cubed.com/chain.pem
6. Restart Apache and verify the certificate installation was successful:
service httpd restart
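A typo in one of the three paths in ssl.conf will leave httpd unable to start, so it is worth checking the directives before the restart. The following POSIX shell script is an added example, not part of the original post or of certbot: it reads the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile directives from a config file, confirms each points at a readable file (following the live/ symlinks that certbot creates), and confirms the private key is not world-readable. The demo_setup function builds a constructed, empty stand-in for the /etc/letsencrypt layout in a temporary directory; on a real host you would run check_ssl_conf /etc/httpd/conf.d/ssl.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post or from certbot): pre-flight check
# of the SSL directives in an Apache ssl.conf before restarting httpd.

# Print the value of directive $2 from config file $1.
# If the directive appears more than once, the last occurrence wins.
ssl_directive() {
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# check_ssl_conf CONF
# Prints "ok" and returns 0 when every directive is present, points at a
# readable file, and the private key is not world-readable; otherwise prints
# the first problem found and returns 1.
check_ssl_conf() {
    conf=$1
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        f=$(ssl_directive "$conf" "$d")
        if [ -z "$f" ]; then
            echo "missing directive: $d"
            return 1
        fi
        # -r follows symlinks, so the live/ -> archive/ links are resolved.
        if [ ! -r "$f" ]; then
            echo "$d: $f is not readable"
            return 1
        fi
    done
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    # find -L follows the symlink; -perm -004 matches if "other" has read.
    if [ -n "$(find -L "$key" -perm -004)" ]; then
        echo "SSLCertificateKeyFile: $key is world-readable"
        return 1
    fi
    echo "ok"
}

# demo_setup: build a constructed stand-in for /etc/letsencrypt (empty PEM
# files and the same live/ -> archive/ symlink layout) plus a matching
# ssl.conf in a temporary directory, and print that directory's path.
demo_setup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/example" "$tmp/live/example"
    for n in cert chain privkey; do
        : > "$tmp/archive/example/${n}1.pem"
        ln -s "../../archive/example/${n}1.pem" "$tmp/live/example/$n.pem"
    done
    chmod 600 "$tmp/archive/example/privkey1.pem"
    cat > "$tmp/ssl.conf" <<EOF
SSLCertificateFile $tmp/live/example/cert.pem
SSLCertificateKeyFile $tmp/live/example/privkey.pem
SSLCertificateChainFile $tmp/live/example/chain.pem
EOF
    echo "$tmp"
}

# Stand-alone run: build the demo layout and check it.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_setup)
    check_ssl_conf "$d/ssl.conf"
fi
```

Running the script with --demo prints ok; pointing check_ssl_conf at a config whose key path is wrong, or whose key file has been left mode 644, prints the offending directive instead, which is the condition you want to catch before service httpd restart rather than after.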
7. Let's Encrypt certificates expire every 90 days, so you'll need to create a cron job under "root" to periodically check the status. As suggested in the article I referenced above, I would recommend twice per day. The following cron job checks at 1AM and 1PM:
sudo crontab -e
# MIN HOUR DAYOFMONTH MONTH DAYOFWEEK COMMAND
0 1,13 * * * /home/ec2-user/certbot-auto renew
Fin!