How To Install Free SSL/TLS Certificates using Let’s Encrypt on Amazon Linux/CentOS/RHEL

Don’t pay for SSL certs anymore. Just use Let’s Encrypt!!!

Install Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority brought to everyone by the Internet Security Research Group (ISRG).

Setup Let’s Encrypt

First of all, become root and go to your home directory with these commands:

# sudo su
# cd

If git is not installed on your Linux server yet, install it with yum, then clone the repository from GitHub:

Install Git if you don't have it:
# yum install git
Clone the repository from GitHub:
# git clone https://github.com/letsencrypt/letsencrypt

Run Let’s Encrypt

You have now retrieved the latest scripts from the repository to your server. You can find them under “~/letsencrypt”.

# cd ~/letsencrypt
If you are using Amazon Linux, run:
# ./letsencrypt-auto --debug
If you are using CentOS/RHEL, run:
# ./letsencrypt-auto

If the installer cannot configure everything automatically, you will probably get the notice “No installers are available on your OS yet; try running “letsencrypt-auto certonly” to get a cert you can install manually”.

If the installer above worked for you, you don’t have to do the steps below manually. Otherwise, request the certificate yourself:

# ./letsencrypt-auto certonly --webroot -w WEBROOT_PATH -d DOMAIN_NAME --renew-by-default --agree-tos

That’s it. You have retrieved the required SSL certificate and key for your domain. All we have to do is set it up in Apache.

Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem. Your cert will expire on 2016–03–10. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again.

Setup Apache

Don’t forget to install the Apache SSL module. Install mod_ssl using the yum package manager. All the dependencies will be installed automatically.

# yum install mod24_ssl

Then edit the file /etc/httpd/conf.d/httpd.conf. Add the following after the existing <VirtualHost *:80> block:

<VirtualHost *:443>
  ServerName DOMAIN_NAME
  DocumentRoot WEBROOT_PATH
  SSLEngine on
  # Server certificate, its private key, and the intermediate chain
  SSLCertificateFile /etc/letsencrypt/live/DOMAIN_NAME/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/DOMAIN_NAME/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/DOMAIN_NAME/chain.pem
  # SSLCACertificateFile is not needed here: it lists CAs for verifying client certificates
  <Directory WEBROOT_PATH>
    AllowOverride All
    # Apache 2.4 access control; the 2.2-style Order/Allow directives are not needed
    Require all granted
  </Directory>
</VirtualHost>

After updating the Apache configuration file, restart the Apache service to load the new settings.

# service httpd restart

Run Let’s Encrypt by crontab

Your SSL cert will expire within 3 months. Obviously you could run the above commands every 3 months; however, engineers are the laziest species on this planet. You can create a script and a cron job to run it instead.

# vim sslgenerate.sh

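Add the following lines to the file sslgenerate.sh:

#!/bin/sh
# cron's default PATH does not include /sbin, where the service command lives
PATH="$PATH:/sbin:/usr/sbin"
cd ~/letsencrypt
./letsencrypt-auto certonly --webroot -w WEBROOT_PATH -d DOMAIN_NAME --renew-by-default --agree-tos
service httpd restart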

Finally, add a cron job with the following content, all on one line:

# crontab -e
30 2 * * 1 sh ~/sslgenerate.sh
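
An alternative body for sslgenerate.sh, added here as an example and not part of the original post: it asks for a new certificate only when the installed one has fewer than 30 days left (checked with openssl x509 -checkend), and restarts Apache only if the configuration passes a syntax check. The function names and the 30-day threshold are assumptions; the letsencrypt-auto options are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the 30-day
# threshold are assumptions; DOMAIN_NAME and WEBROOT_PATH are passed as arguments.
PATH="$PATH:/sbin:/usr/sbin"   # cron's default PATH omits the sbin directories

# cert_expires_within CERT_FILE DAYS
# Exit status 0 if CERT_FILE is missing/unreadable or expires within DAYS days,
# 1 if it is still valid beyond that window.
cert_expires_within() {
    cert_file=$1
    seconds=$(($2 * 86400))
    [ -r "$cert_file" ] || return 0    # no certificate yet: request one
    # "openssl x509 -checkend N" exits 0 when the cert is still valid in N seconds
    if openssl x509 -checkend "$seconds" -noout -in "$cert_file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed DOMAIN WEBROOT [DAYS]
renew_if_needed() {
    domain=$1
    webroot=$2
    threshold=${3:-30}
    if ! cert_expires_within "/etc/letsencrypt/live/$domain/cert.pem" "$threshold"; then
        echo "$domain: more than $threshold days left, nothing to do"
        return 0
    fi
    cd "$HOME/letsencrypt" || return 1
    ./letsencrypt-auto certonly --webroot -w "$webroot" -d "$domain" \
        --renew-by-default --agree-tos || return 1
    # Check the configuration first so a broken edit does not take the site down
    apachectl configtest && service httpd restart
}

# Entry point for cron, e.g.: 30 2 * * 1 sh ~/sslgenerate.sh DOMAIN_NAME WEBROOT_PATH
if [ "$#" -ge 2 ]; then
    renew_if_needed "$@"
fi
```

Because the script exits early while the certificate is still fresh, the cron job can run daily instead of weekly without requesting a new certificate each time.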

For other servers, please take a look at https://letsencrypt.readthedocs.org/en/latest/using.html.
