If you haven't heard of Let's Encrypt, check it out here. In a nutshell, Let's Encrypt allows you to get a free SSL certificate for your personal site from a trusted CA, FOR FREE! <applause here>
The process to install a Let's Encrypt certificate, and keep it renewed couldn't be simpler. I've outlined here below.
- You are running at least Amazon Linux AMI 03.2017
- You are using Apache as your web server. You could use NGINX, but the file locations would be slightly different.
- Apache is currently using self signed certificates for SSL
Installing the SSL Certificates
Install Certbot and get the Certificates
- Log into your EC2 instance as ec2-user via SSH
- Download the certbot application, and make it executable
sudo chmod a+x certbot-auto
- Run the certbot application to get your certificates. This will execute a yum install for any necessary packages including PIP and Python
sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d Your_FQDN
- From here, Certbot will ask you several questions including where to validate with certbot (webroot, typically /var/www/html on Amazon Linux), and an administrative email. This will place the certificate, private key, and chainfile onto your system.
- Certificate File : /etc/letsencrypt/live/FQDN/cert.pem
- Private Key : /etc/letsencrypt/live/FQDN/privkey.pem
- Full Chain File : /etc/letsencrypt/live/FQDN/fullchain.pem
Configure Apache to use the new SSL Certificates
- Edit your SSL.conf file
sudo vi /etc/httpd/conf.d/ssl.conf
- Configure SSLCertificateFile to point to /etc/letsencrypt/live/FQDN/cert.pem
- Configure SSLCertificateKeyFile to point to /etc/letsencrypt/live/FQDN/privkey.pem
- Configure SSLCertificateChainFile to point to /etc/letsencrypt/live/FQDN/fullchain.pem
- Restart your HTTPD process
sudo service httpd restart
That's all there is to it. Now you have a fully trusted CA certificate protecting your websites SSL connections. No more untrusted certificate browser errors for your site. The next thing to do, would be to automate the certificate renewal process. You can do that by adding the following line to your root user's crontab
0 6 * * * /home/ec2-user/certbot-auto renew
This will have certbot renew your certificates everyday at 6am.