Getting a free SSL/TLS certificate for your site is now easier than ever with Let’s Encrypt. On AWS, certificates issued by AWS Certificate Manager are free for any load-balanced environment you create, but they can’t be exported to a plain EC2 instance. If you aren’t running a load-balanced site, just follow along in this article.
These steps apply to instances running Apache on Amazon Linux. We’re going to install an SSL/TLS certificate, set it to auto-renew, and then redirect all plain-HTTP traffic to HTTPS.
First, why are we doing this?
SSL (Secure Sockets Layer) is the old name for what is now TLS (Transport Layer Security); the SSL protocol versions themselves are obsolete and should be disabled on any server, but the name stuck, so “SSL certificate” really means a certificate used for TLS. TLS establishes an encrypted link between a web server and a browser: data passed between them stays confidential and cannot be tampered with undetected, and the certificate lets the browser verify that it is talking to the real server and not some imposter.
Not only that, but having that https URL will assist you in ranking higher in search results, which of course is also nice.
Why don’t all sites have an SSL certificate? It can be expensive to purchase and renew, but that doesn’t have to be the case anymore thanks to Let’s Encrypt.
Alright, let’s do this.
Preparation
Make sure ports 80 and 443 are open to your instance.
Log into the AWS console, go to Security Groups, and add inbound rules for HTTPS (TCP 443) and HTTP (TCP 80). Port 80 has to stay open: the Let’s Encrypt HTTP-01 challenge used below is validated over plain HTTP, and the redirect we set up at the end lives there too.
Set up Apache to use SSL/TLS (these steps follow the AWS tutorial on configuring SSL/TLS on Amazon Linux):
Check to see if Apache is started with: $ sudo service httpd status
If necessary, start Apache: $ sudo service httpd start
Ensure that all of your software packages are up to date: $ sudo yum update -y
Now that your instance is current, add SSL/TLS support by installing the Apache module mod_ssl: $ sudo yum install -y mod24_ssl
Then restart Apache: $ sudo service httpd restart
Install SSL Certificates
SSH into your server
Download certbot (the Let’s Encrypt client used to obtain and renew certificates). This article used the certbot-auto wrapper script:
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
Caveat: the EFF has since deprecated certbot-auto and no longer maintains that download; on a current Amazon Linux you would install the certbot package (or the snap/pip distribution documented at certbot.eff.org) and run the same subcommands shown below.
Run certbot: $ sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d www.yoursite.domain
The --server flag points at the ACME v1 endpoint, which Let’s Encrypt has since retired; drop the flag entirely and the client uses its default (ACME v2) directory. --debug is what certbot-auto needed in order to run on Amazon Linux, which it treated as an experimental platform.
You can validate multiple domains (or subdomains) by adding as many -d YOUR_SITE_HERE flags as you need.
This launches an interactive prompt: enter an admin email (used for account and expiry notices), agree to the terms, and when asked how to authenticate choose the webroot method and point it at your web root (the directory your index.html is located in). On AWS with Linux that is most likely /var/www/html,
unless you followed my previous article on deploying a complete web-app as the entire instance, in which case it is wherever that app’s ROOT directory is. Certbot answers the challenge by writing a token under .well-known/acme-challenge/ in that directory, which Let’s Encrypt then fetches over HTTP on port 80; if validation fails, check that the directory you gave is the one Apache actually serves for that hostname. The first -d name becomes the directory name under /etc/letsencrypt/live/. Once finished with the prompts, you’ll have valid certificates. Now we just need to add them to Apache.
certbot will place your certificates under /etc/letsencrypt/live/YOUR_WEBSITE_HERE/. These are symlinks to the current versions in /etc/letsencrypt/archive/, so always point Apache at the live/ paths and renewals are picked up without editing the config again:
Certificate (leaf only): /etc/letsencrypt/live/YOUR_WEBSITE_HERE/cert.pem
Private Key: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/privkey.pem
Intermediate chain: /etc/letsencrypt/live/YOUR_WEBSITE_HERE/chain.pem
Full Chain (cert.pem followed by chain.pem): /etc/letsencrypt/live/YOUR_WEBSITE_HERE/fullchain.pem
privkey.pem is the secret: it should stay owned by root and unreadable by other users (check with ls -lL), and it must never be copied into the web root.
Edit your SSL config: $ sudo nano /etc/httpd/conf.d/ssl.conf
– Set SSLCertificateFile to your Full Chain path (fullchain.pem).
– Set SSLCertificateKeyFile to your Private Key path (privkey.pem).
– Remove or comment out SSLCertificateChainFile. Apache 2.4.8 and later (which includes the httpd24 package used here) reads the intermediate from fullchain.pem and treats SSLCertificateChainFile as obsolete; only on an older Apache would you set SSLCertificateFile to cert.pem and SSLCertificateChainFile to chain.pem. Don’t point SSLCertificateChainFile at fullchain.pem: that sends the leaf certificate twice.
– Make sure the ServerName inside the <VirtualHost _default_:443> block matches the name on the certificate.
Save and Exit.
Check the config before restarting, so a typo doesn’t take the site down: $ sudo apachectl configtest
Restart Apache: $ sudo service httpd restart
At this point, test that your domain works over https in a browser. To see exactly what the server sends, including whether the intermediate certificate is there (a missing chain is the classic mistake, and a browser that has already cached the intermediate will hide it from you), run $ openssl s_client -connect www.yoursite.domain:443 -servername www.yoursite.domain </dev/null and read the Certificate chain section; the free SSL Labs server test reports the same thing with a grade.
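The checks above can be scripted. The following is an added example, not code from the original article or from certbot: given a certbot lineage directory, it verifies that privkey.pem belongs to cert.pem, that fullchain.pem starts with that leaf and carries an intermediate, that the certificate is not close to expiry, and that the key is not readable by other users, then prints the two Apache directives. The script name (le-preflight.sm) and the lineage path are assumptions; it needs only POSIX sh, GNU stat and the openssl CLI.

```shell
#!/bin/sh
# Added example (hypothetical script name le-preflight.sh), not from the original
# article. Pre-flight checks before pointing Apache at a certbot lineage directory.
set -eu

# Compare the certificate's SubjectPublicKeyInfo with the public half of the key.
# If they differ Apache refuses to start (or serves the wrong key).
key_matches_cert() {   # $1 = cert.pem, $2 = privkey.pem
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# fullchain.pem = cert.pem followed by chain.pem. 'openssl x509' reads only the
# first certificate in a file, so fingerprinting it yields the leaf. Fewer than
# two certificates means the intermediate is missing and browsers will complain.
fullchain_is_consistent() {   # $1 = lineage directory
  leaf_fp=$(openssl x509 -in "$1/cert.pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
  first_fp=$(openssl x509 -in "$1/fullchain.pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
  n=$(grep -c 'BEGIN CERTIFICATE' "$1/fullchain.pem" || true)
  [ "$leaf_fp" = "$first_fp" ] && [ "$n" -ge 2 ]
}

# True (exit 0) when the certificate expires within $2 days. Let's Encrypt
# certificates last 90 days and certbot renews at 30 days left, so anything
# under 30 means renewal is already late.
expires_within_days() {   # $1 = cert.pem, $2 = days
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# The "others" permission digit must be 0. -L follows certbot's live/ symlinks,
# otherwise stat reports the symlink's own mode.
key_is_private() {   # $1 = privkey.pem
  case "$(stat -L -c %a "$1")" in
    *0) return 0 ;;
    *)  return 1 ;;
  esac
}

# Apache 2.4.8+ directives for the lineage (no SSLCertificateChainFile needed).
apache_directives() {   # $1 = lineage directory
  printf 'SSLCertificateFile %s/fullchain.pem\nSSLCertificateKeyFile %s/privkey.pem\n' "$1" "$1"
}

preflight() {   # $1 = lineage directory, e.g. /etc/letsencrypt/live/www.yoursite.domain
  key_matches_cert "$1/cert.pem" "$1/privkey.pem" || { echo "FAIL: privkey.pem does not match cert.pem" >&2; return 1; }
  fullchain_is_consistent "$1" || { echo "FAIL: fullchain.pem is missing the leaf or the intermediate" >&2; return 1; }
  key_is_private "$1/privkey.pem" || { echo "FAIL: privkey.pem is readable by other users" >&2; return 1; }
  if expires_within_days "$1/cert.pem" 30; then
    echo "WARN: certificate expires within 30 days; renewal is overdue" >&2
  fi
  apache_directives "$1"
}

# Usage: sudo sh le-preflight.sh /etc/letsencrypt/live/www.yoursite.domain
# With no argument the file only defines the functions, so it can be sourced.
[ $# -eq 0 ] || preflight "$1"
```

Run it as root (the key is not readable otherwise) right after certbot finishes and again after any manual change to ssl.conf; paste its output into ssl.conf if the two directives differ from what is there.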
Setup SSL Auto-renew
Let’s Encrypt certificates are valid for 90 days. certbot’s renew subcommand only replaces certificates that are within 30 days of expiry and exits quietly otherwise, so it is safe, and intended, to run it often from a simple cron job.
Switch to root (renewal needs to read the private key and reload Apache): $ sudo -i
Edit root’s crontab, the list of that account’s cron jobs: $ crontab -e
(crontab opens vim by default, not nano.)
Press the i key to enter insert mode, which lets you type into the file.
Add the following line to attempt renewal twice per day (at 1am and 1pm, respectively). -q keeps cron quiet unless something fails, and the deploy hook reloads Apache only when a certificate was actually replaced; a bare renew writes the new files but Apache keeps serving the old certificate until it is reloaded:
0 1,13 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook "service httpd reload"
Two cautions. Cron runs this as root, so don’t leave certbot-auto in /home/ec2-user where the unprivileged login user can edit what root executes; move it somewhere root-owned (the line above assumes /usr/local/bin). And Let’s Encrypt’s integration guidance asks that scheduled renewals run at a random minute rather than exactly on the hour, so pick your own minute instead of 0.
Press the Esc key to leave insert mode.
Type :wq
to write the file and then quit vim.
Now your certificates will renew automatically. Verify the job once before trusting it, using the staging environment so you don’t burn rate limits: $ /usr/local/bin/certbot-auto renew --dry-run
Let’s Encrypt used to email the address you gave during setup a few weeks before expiry if a certificate had not been renewed, which caught silently broken cron jobs; that notification service was discontinued in 2025, so monitor the expiry date yourself (the openssl -checkend test shown earlier is enough).
Exit the root shell: $ exit
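The deploy hook in the cron line is where a renewal can go wrong silently, so it is worth more than a bare reload. The script below is an added example, not part of the original article or of certbot: a --deploy-hook script that certbot runs only after a certificate was actually renewed, with RENEWED_LINEAGE (the live/ directory) and RENEWED_DOMAINS exported by certbot. It checks that the renewed files are readable, runs apachectl configtest, and only then reloads, so a broken config leaves the old, still-valid certificate serving instead of taking the site down. The path /usr/local/bin/le-deploy-hook.sh and the CONFIGTEST_CMD / RELOAD_CMD overrides (there so the hook can be exercised without Apache) are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical path /usr/local/bin/le-deploy-hook.sh), not from the
# original article. certbot invokes it with RENEWED_LINEAGE and RENEWED_DOMAINS set.
# Matching crontab line (assumed):
#   0 1,13 * * * /usr/local/bin/certbot-auto renew -q --deploy-hook /usr/local/bin/le-deploy-hook.sh
set -eu

log() { echo "le-deploy-hook: $*" >&2; }

deploy_hook() {
  lineage="${RENEWED_LINEAGE:-}"
  [ -n "$lineage" ] || { log "RENEWED_LINEAGE not set; run via certbot --deploy-hook"; return 1; }
  # The files Apache is configured to read must exist and be readable by root.
  for f in fullchain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { log "missing or unreadable $lineage/$f"; return 1; }
  done
  log "renewed ${RENEWED_DOMAINS:-?} in $lineage"
  # Never reload into a broken config: with the old certificate still valid for up
  # to 30 days, refusing to reload is the safer failure.
  if ! sh -c "${CONFIGTEST_CMD:-apachectl configtest}" >/dev/null 2>&1; then
    log "apachectl configtest failed; not reloading"
    return 1
  fi
  # A graceful reload re-reads the live/ symlinks and starts serving the new certificate.
  sh -c "${RELOAD_CMD:-service httpd reload}" || { log "reload failed"; return 1; }
  log "reloaded"
}

# When run by certbot RENEWED_LINEAGE is set; when sourced for testing it is not.
[ -z "${RENEWED_LINEAGE:-}" ] || deploy_hook
```

Because the hook exits non-zero on any problem, certbot reports the failure in its own output and log (/var/log/letsencrypt/letsencrypt.log), which is what cron mails to root if you have mail set up.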
Setup auto redirect to HTTPS
Now that HTTPS works, make it the default: anyone who types the plain http:// URL or follows an old link should be sent to https://.
Edit the VirtualHost for port 80 in the Apache configuration and add the following settings.
First locate the main config file (on Amazon Linux it is /etc/httpd/conf/httpd.conf): $ sudo find / -name httpd.conf
Open it: $ sudo nano /etc/httpd/conf/httpd.conf
Add the following at the bottom of the file (or, better, inside the port-80 VirtualHost if you have one):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
The [R=301,L] flags make the redirect permanent and stop further rule processing; without them mod_rewrite still redirects, because the target is a full URL, but with a temporary 302. %{HTTP_HOST} echoes whatever Host header the client sent, so if this server answers for anything other than your own hostnames, write your canonical name in its place rather than redirecting to an attacker-chosen host. Renewals keep working through the redirect, since Let’s Encrypt follows redirects to https when validating.
Check and restart Apache once more: $ sudo apachectl configtest && sudo service httpd restart
Once everything is served over HTTPS, consider adding Header always set Strict-Transport-Security "max-age=31536000" to the 443 VirtualHost (mod_headers) so browsers stop trying http at all.
All done!
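For a site with its own VirtualHost pair, the cleaner version of the redirect scopes it to port 80 and redirects to a fixed name. The following is an added example, not configuration from the original article or from AWS: a port-80 vhost that redirects to the canonical hostname, and the port-443 vhost with the certbot paths from above, shown beside the weaker defaults it replaces. The hostname www.yoursite.domain, the document root /var/www/html and Apache 2.4.8 or later are assumptions.

```apache
# Added example, not from the original article. Assumes www.yoursite.domain,
# certbot's live/ paths and Apache 2.4.8+ (fullchain.pem in SSLCertificateFile).

<VirtualHost *:80>
    ServerName www.yoursite.domain
    DocumentRoot /var/www/html
    RewriteEngine On
    # Keep the ACME challenge path on plain HTTP. Let's Encrypt follows redirects,
    # so this is optional, but it keeps renewals independent of the TLS config.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Weak: RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    # echoes the client's Host header, and only a temporary 302 without flags.
    # Corrected: redirect permanently to the canonical name.
    RewriteRule ^(.*)$ https://www.yoursite.domain$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.yoursite.domain
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/www.yoursite.domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.yoursite.domain/privkey.pem
    # No SSLCertificateChainFile: the intermediate is already in fullchain.pem.

    # Weak (the stock ssl.conf line): SSLProtocol all -SSLv2 -SSLv3
    # still allows TLS 1.0 and 1.1. Corrected: require TLS 1.2 or newer.
    SSLProtocol          all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder  on
    SSLCipherSuite       HIGH:!aNULL:!MD5:!3DES:!RC4

    # HSTS: add only once every path is served over HTTPS; browsers will refuse
    # plain http for this host for max-age seconds afterwards.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Run apachectl configtest after pasting this in; a ServerName that does not match the certificate, or a missing mod_headers, shows up there rather than after the restart.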
How satisfying is it to get an auto-renewing SSL for free?
Questions, comments and feedback always welcomed, especially if you have any update methods and advice!
Top comments (4)
If only GitHub Pages supported SSL on custom domains. That's the only thing holding me back from SSL on my personal site.
You can!
blog.cloudflare.com/secure-and-fas...
jonathan-petitcolas.com/2017/01/13...
I've got a custom domain (personal site) backed by GH pages, and it's got SSL.
Enjoy!
Ah yes I had thought about that in the past, but it always seemed like a bit of a hack to me. But seeing that post from CloudFlare itself makes it seem a bit more legit! I think I'll go for it, thanks!
Hi Evan, you could try GitLab Pages
Otherwise, AWS EC2 on a t2.micro is free for a period and then pretty minimal after that.