Let’s Encrypt SSL on Linux 2023 – Amazon AWS

Configure Let’s Encrypt SSL on Linux 2023 – Amazon AWS

One will likely experiment with installation of Let’s Encrypt certificates. It is tricky and frustrating, so I won’t give a reliable configuration.
Points to consider:
If files with a -001 suffix appear under /etc/letsencrypt/…, they are left over from repeated install attempts and can be deleted safely.
Start your website in http:// mode only, with an ssl.conf file that does not reference any certificates. The ssl.conf file should still have all the other entries it requires.
Once certbot has installed the certificates, add lines like the ones shown below to the bottom of the ssl.conf file, just before the end of the VirtualHost block. Then restart httpd (systemctl restart httpd). You may need to do some problem solving. The ssl.conf file should not have any certificate lines uncommented while certbot is installing.

You then run the installation command in --dry-run mode and, when it is good to go, run it for real. Then edit /etc/httpd/conf.d/ssl.conf to include the following lines for a primary domain:

ServerAlias mydomain.com
ServerAlias www.mydomain.com

# Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem



If you installed a multidomain instance, you would go to the VirtualHost section for that subdomain (see my article on subdomains and multidomains in Amazon Apache and Route 53) and likewise add something like this:

ServerAlias app.mydomain.com
ServerAlias www.app.mydomain.com

# Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/app.mydomain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/app.mydomain.com/privkey.pem

If you have subdomains, you cannot use the webroot installation method. Rather, use the DNS method for the primary domain:

(Remember to use --dry-run before the actual install command shown here.)

certbot certonly --manual --preferred-challenges dns -d mydomain.com -d www.mydomain.com

A single domain name can use this:

/usr/bin/certbot -v certonly -d mydomain.com -d www.mydomain.com --webroot -w /var/www/html

You can play around with how to expand a certificate to include www. if you missed it, but I use .htaccess to redirect http:// to https:// anyway.

To renew the certificate, I run a crontab script every night, as the httpd service needs to restart after a new certificate is installed. (Another reason, plus the above complications, why a paid certificate is easier.)

A single domain can use this script:

[use your own domain name]

cd /home/ec2-user

vi certbot.sh

#!/bin/bash
# Runs once a day from cron: increments a day counter kept in certbot.dat and
# renews the certificate when the counter reaches 65, then resets it to 0.
# The sudo calls need a NOPASSWD rule for ec2-user to work unattended from cron.
d=$(date)
c1=$(head -1 /home/ec2-user/certbot.dat)
c1=$((c1 + 1))
if [ "$c1" = "65" ]; then
    echo "0" > /home/ec2-user/certbot.dat
    echo "Certbot Renewal $d" >> /home/ec2-user/info.log
    # renew the named certificate using the webroot challenge
    sudo /usr/bin/certbot -v renew --cert-name mydomain.com --webroot -w /var/www/html
    # httpd must be restarted to pick up the new certificate files
    sudo /usr/bin/systemctl restart httpd >/dev/null 2>&1
    # record the validity dates of the certificate now on disk
    sudo /usr/bin/openssl x509 -noout -dates -in /etc/letsencrypt/live/mydomain.com/cert.pem >> /home/ec2-user/info.log
else
    echo "Certbot day $c1 of 65" >> /home/ec2-user/info.log
    echo "$c1" > /home/ec2-user/certbot.dat
fi
exit

[save and exit]

chown root certbot.sh
chgrp ec2-user certbot.sh
chmod 775 certbot.sh

vi certbot.dat

0

[save and exit - one line only with day "0" in the line as shown above]

[Add this line using crontab -e once you know the above lines each run manually without problems. I use day 65, as day 60 is on the minimal edge for renewal and sometimes does not work.]

crontab -e

15 1 * * * /home/ec2-user/certbot.sh

[save and exit]
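The following is an added example, not the script from the original post. Instead of the day counter above, it reads the expiry date from cert.pem itself, renews when fewer than 30 days remain (the same threshold certbot records as renew_before_expiry), and restarts httpd only if the certificate file actually changed, so a failed renewal does not bounce the web server. It assumes certbot and openssl are installed; CERT_PATH and LOG are placeholders matching the post's layout.

```shell
#!/bin/bash
# Added example (not the post's script): expiry-driven renewal with a
# restart only when the certificate on disk changed. Assumes certbot and
# openssl on PATH; CERT_PATH and LOG are placeholder paths.
set -u
CERT_PATH=${CERT_PATH:-/etc/letsencrypt/live/mydomain.com/cert.pem}
LOG=${LOG:-/home/ec2-user/info.log}
RENEW_BEFORE_DAYS=30

# Whole days from epoch $2 (now) to epoch $1 (expiry); negative once expired.
days_between() {
  printf '%d\n' "$(( ($1 - $2) / 86400 ))"
}
# True (0) when fewer than $3 days remain between now ($2) and expiry ($1).
needs_renewal() {
  [ "$(days_between "$1" "$2")" -lt "$3" ]
}
# notAfter of a PEM certificate as epoch seconds (uses GNU date).
cert_expiry_epoch() {
  date -d "$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)" +%s
}
# SHA-256 fingerprint, used to tell whether renewal replaced the file.
cert_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

main() {
  local now expiry before after
  now=$(date +%s)
  expiry=$(cert_expiry_epoch "$CERT_PATH")
  if ! needs_renewal "$expiry" "$now" "$RENEW_BEFORE_DAYS"; then
    echo "$(date) certificate ok, $(days_between "$expiry" "$now") days left" >> "$LOG"
    return 0
  fi
  before=$(cert_fingerprint "$CERT_PATH")
  sudo /usr/bin/certbot -q renew --webroot -w /var/www/html >> "$LOG" 2>&1
  after=$(cert_fingerprint "$CERT_PATH")
  if [ "$before" != "$after" ]; then
    echo "$(date) renewed, new fingerprint $after" >> "$LOG"
    sudo /usr/bin/systemctl restart httpd >> "$LOG" 2>&1
  else
    echo "$(date) renewal ran but the certificate is unchanged" >> "$LOG"
  fi
}

# Run with: bash certbot.sh run   (the functions can also be sourced)
if [ "${1:-}" = "run" ]; then main; fi
```

Because the decision comes from the certificate itself, the script can run every night from the same crontab line without keeping a counter file in sync.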


If using subdomains, you need a different script:

cd /home/ec2-user
vi certbot.sh

#!/bin/bash
# Two independent day counters: certbot.dat for the primary domain and
# certbot_app.dat for the app subdomain. Each block renews on day 65.

# Primary domain (note: certbot renew without --cert-name processes every
# certificate under /etc/letsencrypt/renewal that is due).
d=$(date)
c1=$(head -1 /home/ec2-user/certbot.dat)
c1=$((c1 + 1))
if [ "$c1" = "65" ]; then
    echo "0" > /home/ec2-user/certbot.dat
    echo "Certbot Renewal $d" >> /home/ec2-user/info.log
    sudo /usr/bin/certbot -v renew --webroot -w /var/www/html >/dev/null 2>&1
    sudo /usr/bin/systemctl restart httpd >/dev/null 2>&1
    sudo /usr/bin/openssl x509 -noout -dates -in /etc/letsencrypt/live/mydomain.com/cert.pem >> /home/ec2-user/info.log
else
    echo "Certbot day $c1 of 65" >> /home/ec2-user/info.log
    echo "$c1" > /home/ec2-user/certbot.dat
fi

# Subdomain: uses certonly against its own webroot /var/www/app.
d=$(date)
c1=$(head -1 /home/ec2-user/certbot_app.dat)
c1=$((c1 + 1))
if [ "$c1" = "65" ]; then
    # reset the subdomain's own counter file (not certbot.dat)
    echo "0" > /home/ec2-user/certbot_app.dat
    echo "Certbot Renewal $d" >> /home/ec2-user/info.log
    sudo /usr/bin/certbot -v certonly -d app.mydomain.com --webroot -w /var/www/app >/dev/null 2>&1
    sudo /usr/bin/systemctl restart httpd >/dev/null 2>&1
    sudo /usr/bin/openssl x509 -noout -dates -in /etc/letsencrypt/live/app.mydomain.com/cert.pem >> /home/ec2-user/info.log
else
    echo "Certbot day $c1 of 65" >> /home/ec2-user/info.log
    echo "$c1" > /home/ec2-user/certbot_app.dat
fi

exit

[save and exit]

Notice in this shell script the use of the /var/www/app directory for the subdomain app.mydomain.com, and that the subdomain uses “certonly” while the primary domain uses “renew”.

Review Let’s Encrypt’s website and the certbot documentation to become more familiar with it. I don’t use the --apache method.

If you are having severe problems, check that the config files under /etc/letsencrypt have not become mixed up, as they would then need editing.

Some examples of what the files should look like:

[check your own file names]
[For a multidomain, subdomain system:]

cd /etc/letsencrypt/renewal
ls
cat mydomain.conf
# renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0000000000000000 [--> YOUR OWN ACCOUNT from Let's Encrypt]
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
mydomain.com = /var/www/html
www.mydomain.com = /var/www/html

[Check the subdomain file. Note how this file became conflicted because the apache option had been used at some point, so those lines were commented out manually.]

cat app.mydomain.conf
# renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/app.mydomain.com
cert = /etc/letsencrypt/live/app.mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/app.mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/app.mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/app.mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 000000000000000000     [--> use your own account number]
authenticator = webroot
webroot_path = /var/www/app,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
app.mydomain.com = /var/www/app
www.app.mydomain.com = /var/www/app

# authenticator = apache
# server = https://acme-v02.api.letsencrypt.org/directory
# key_type = ecdsa
# installer = apache


Now let’s look at a single domain:

cd /etc/letsencrypt/renewal
cat mydomain.com.conf
# renew_before_expiry = 30 days
version = 2.4.0
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 000000000000000000000000 [--> whatever your own account number is]
authenticator = webroot
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
[[webroot_map]]
mydomain.com = /var/www/html
www.mydomain.com = /var/www/html
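As an added example (not from the original post), the function below checks a renewal conf of the shape shown above for the mix-ups described: an active authenticator or installer that is not webroot (the leftover apache lines), a key set twice outside comments, and [[webroot_map]] entries whose directory does not exist. The sample conf it writes is constructed, with placeholder paths and account id.

```shell
#!/bin/bash
# Added example, not from the original post: sanity-check one certbot renewal
# conf (the format shown above). Reports an active authenticator/installer
# other than webroot, a key set twice outside comments, and [[webroot_map]]
# paths that are not directories. One line per problem; the return value is
# the problem count (0 means clean).
check_renewal_conf() {
  local f=$1 n=0 in_map=0 seen='' line key val
  while IFS= read -r line; do
    case $line in
      ''|'#'*)            continue ;;            # blank line or comment
      '[[webroot_map]]')  in_map=1; continue ;;  # domain = docroot rows follow
      '['*)               in_map=0; continue ;;  # any other section header
    esac
    key=${line%%=*}; key=${key%"${key##*[![:space:]]}"}   # trim trailing blanks
    val=${line#*=};  val=${val#"${val%%[![:space:]]*}"}   # trim leading blanks
    if [ "$in_map" -eq 1 ]; then
      [ -d "$val" ] || { echo "$f: $key -> missing directory $val"; n=$((n + 1)); }
      continue
    fi
    case " $seen " in *" $key "*) echo "$f: key $key set more than once"; n=$((n + 1)) ;; esac
    seen="$seen $key"
    case $key in
      authenticator|installer)
        [ "$val" = webroot ] || { echo "$f: $key = $val, expected webroot"; n=$((n + 1)); } ;;
    esac
  done < "$f"
  return "$n"
}

# Constructed sample (placeholders throughout): the subdomain conf from the post
# with the stray apache installer line left active and one docroot missing.
write_sample_conf() {
  cat > "$1" <<'EOF'
# renew_before_expiry = 30 days
version = 2.7.4
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = webroot
webroot_path = /var/www/app,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
installer = apache
[[webroot_map]]
app.mydomain.com = /tmp
www.app.mydomain.com = /nonexistent/app
EOF
}
```

Run it as `for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done` to scan every certificate on the host; a non-zero return means the file needs the manual editing described above.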