How To Install Free SSL/TLS Certificates using Let’s Encrypt on Amazon Linux/CentOS/RHEL
Install Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority brought to everyone by the Internet Security Research Group (ISRG).
Setup Let’s Encrypt
First, switch to the root user and go to your home directory:
# sudo su
Install Git if you don't have it:
# yum install git
Clone the repository from GitHub:
# git clone https://github.com/letsencrypt/letsencrypt
Run Let’s Encrypt
You have now retrieved all the latest scripts from the repository to your server. You can find them under “~/letsencrypt”.
# cd ~/letsencrypt
If you are using Amazon Linux, run:
# ./letsencrypt-auto --debug
Else if you are using CentOS/RHEL, use it:
You will probably get the notice “No installers are available on your OS yet; try running “letsencrypt-auto certonly” to get a cert you can install manually” if the installer could not configure everything automatically.
If the installer above worked, you don’t have to do the steps below manually.
# ./letsencrypt-auto certonly --webroot -w WEBROOT_PATH -d DOMAIN_NAME --renew-by-default --agree-tos
That’s it. You have retrieved the required SSL certificate and key for your domain. All we have to do is set it up in Apache.
Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/DOMAIN_NAME/fullchain.pem. Your cert will expire on 2016-03-10. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again.
Don’t forget to install the Apache SSL module. Install mod_ssl using the yum package manager. All the dependencies will be installed automatically.
# yum install mod24_ssl
Then edit the file /etc/httpd/conf.d/httpd.conf and add the following after <VirtualHost *:80>:
Allow from all
Require all granted
After updating the Apache configuration file, restart the Apache service to load the new settings.
# service httpd restart
Run Let’s Encrypt by crontab
Your SSL cert will expire within 3 months. Obviously you may run the above commands every 3 months; however, engineers are the laziest species on this planet. You may create a script and a cron job to run it.
# vim ~/sslgenerate.sh
Add the following to the file sslgenerate.sh:
#!/bin/sh
cd ~/letsencrypt || exit 1
./letsencrypt-auto certonly --webroot -w WEBROOT_PATH -d DOMAIN_NAME --renew-by-default --agree-tos
service httpd restart
Finally, add a cron job with the following content, all on one line:
# crontab -e
30 2 * * 1 sh ~/sslgenerate.sh
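A more defensive variant of the renewal script, added here as an example and not part of the original article or the Let’s Encrypt project: it renews only when the certificate is within 30 days of expiry and restarts Apache only if the configuration passes a syntax check. DOMAIN_NAME and WEBROOT_PATH are the article's placeholders; the variable names, the 30-day threshold, the function names and the --run switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: renew only when the certificate is close to expiry, and
# restart Apache only if its configuration still passes a syntax check.
# DOMAIN_NAME / WEBROOT_PATH are placeholders; the other names are assumed.
DOMAIN="${DOMAIN:-DOMAIN_NAME}"
WEBROOT="${WEBROOT:-WEBROOT_PATH}"
LE_AUTO="${LE_AUTO:-$HOME/letsencrypt/letsencrypt-auto}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Succeeds (0) when the certificate is missing, unreadable, or expires
# within $2 days. "openssl x509 -checkend N" exits non-zero when the
# certificate expires within the next N seconds.
cert_due() {
    [ -r "$1" ] || return 0
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null
}

# Returns 0 = nothing to do, or renewed and Apache restarted
#         1 = renewal failed (the old certificate stays in place)
#         2 = renewed, but Apache config is invalid, so no restart
renew_if_due() {
    cert_due "$CERT" "$RENEW_DAYS" || return 0
    "$LE_AUTO" certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
        --renew-by-default --agree-tos || return 1
    # A failed restart would take the site down; check the config first.
    apachectl configtest || return 2
    service httpd restart
}

# Act only when invoked as "sh ~/sslgenerate.sh --run", e.g. from cron.
if [ "${1:-}" = "--run" ]; then
    renew_if_due
    exit $?
fi
```

Cron mails any output to the job's owner, so a non-zero exit together with the client's error text is the signal to investigate before the existing certificate expires.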
For other servers, please take a look at https://letsencrypt.readthedocs.org/en/latest/using.html.