Apply an SSL certificate on an EC2 instance in 3 steps

How to run certbot and apply a free SSL certificate to your website hosted on an AWS EC2 instance (Amazon Linux 2)

If you have already set up your web server and only want to run certbot and install a free SSL certificate on your website hosted on an EC2 instance, here is the process in summary first.

An SSL certificate can be installed on a website running on an AWS EC2 instance in just a few steps. You must have set up a vhost file and your server must be listening on port 80, which certbot requires. You must also have added the ServerName and ServerAlias to the vhost file, since certbot only offers certificates for the sites listed there. All that remains is to install certbot on the instance and run it.

Prerequisites:

  • A Vhost file.
  • Server listening on port 80.
  • ServerName and ServerAlias in the vhost file include the domain and subdomain for which a certificate is needed.

If yours is a *WordPress or other site running on an AWS EC2 instance with CentOS 7 (Amazon Linux 2)*, first install the Amazon Extras repo for EPEL:

    $ sudo amazon-linux-extras install epel -y

and then install certbot and dependencies using:

    $ sudo yum install -y certbot python2-certbot-apache

Finally, you can run certbot and follow the instructions it provides:

    $ sudo certbot

Certbot will guide you through the rest of the process; there is not much to do except select the domain names and provide your email. The commands differ between Linux distributions, but the same process can be followed on other distributions.

Now you can read in detail about applying SSL to your website (WordPress or any other CMS) hosted on an AWS EC2 instance.

After installing a web server (Apache) and the necessary CMS, the next step to bring your site online on an EC2 instance is to get an SSL certificate for it. Getting an SSL certificate for a site hosted on an EC2 instance is easy and takes only a few steps. (Install Apache Server on EC2 Instance)

(Since certbot is mainly concerned with the server and the vhost file, it does not matter whether you use WordPress or another CMS. The following process applies to an Apache server with a vhost file running CentOS 7.)

Moreover, certbot automatically sets the necessary redirects in your vhost configuration file – HTTP to HTTPS and non-www to www or vice versa. Before installing the certificate, it asks which redirects you want; if you already have them in your configuration file, that is no problem. One important requirement for running certbot is a vhost file and an Apache web server listening on port 80. When you install and run certbot, it first looks for your vhost file and checks whether the server is listening on port 80. It also looks for the applicable domains and subdomains in the vhost files. So make sure you have created the vhost file for your website before running certbot and included the necessary domain and subdomains. If you have not created the vhost file, or have not included the ServerAlias in the configuration file, you will run into difficulties either way.

How to set a Vhost file for your website on Apache server

If you have not created a vhost file that includes the port number, ServerName (domain name) and ServerAlias (www version), certbot will not run. When you run certbot it first looks for port 80 in the vhost file, and it cannot apply SSL if the server is not listening on port 80. If you have included only one version of your website in the vhost file, you will be unable to get SSL for both versions (www and non-www). So, as a precaution, have the vhost file ready for the site you want SSL for.

Adding a vhost file for your website is easy. For example, if the website is named example.com, you can create a Vhost configuration file specifically for your domain at /etc/httpd/conf.d/example.com.conf

You can use vi or nano for editing the file. You will need to create the file and add the contents.

    sudo nano /etc/httpd/conf.d/example.com.conf

Add the following to the file, replacing example.com with your domain name.

    <VirtualHost *:80>
       ServerAdmin admin@webserver1.com
       ServerName example.com
       ServerAlias www.example.com
       DocumentRoot /var/www/html
       ErrorLog logs/error.log
       CustomLog logs/access.log combined
    </VirtualHost>

Once you have set up the vhost file as shown above, you are ready to install SSL on your site hosted on an EC2 instance. It can be done in just a few steps.

Installing SSL on AWS EC2 (Apache server with CentOS 7)

Step 1: Connect to your EC2 instance and run the following command to install Amazon Extras Repo for EPEL:

    sudo amazon-linux-extras install epel -y

Step 2: Install certbot on your Apache web server using the following command:

    sudo yum install -y certbot python2-certbot-apache

You will get a "Complete!" message at the end when the installation has finished.

Step 3: Run the certbot using the following command:

    sudo certbot

It will ask you which domain names you want SSL for. Only the names in your vhost file are offered, since certbot verifies that you are the owner of the domain. If you have example.com and www.example.com in your vhost file, it will present the options as follows:

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: example.com
    2: www.example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1 2

Enter 1 2 if you want both, the number of the single domain you want SSL for, or just press Enter if you want it for all the listed domains. Certbot runs some tests and, if it successfully connects on port 80, creates an SSL vhost file for your website in the /etc/httpd/conf.d directory and deploys the certificate there. Enter your email when asked. At the end, you will receive a congratulations message stating that your site is active on HTTPS.

This is how easily you can get an SSL certificate for your website hosted on an AWS EC2 instance. Certbot will also add the necessary redirects for you, asking you before it sets them.
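A pre-flight check for the vhost requirements and the certbot run described above, written as an added example and not code from the original post: it reads the vhost file the way the post says certbot needs it (a *:80 VirtualHost whose ServerName and ServerAlias cover every name you want on the certificate) and reports what is missing before you run sudo certbot. The sample vhost at the bottom is constructed for the demonstration and deliberately leaves out the www alias.

```shell
#!/bin/sh
# Pre-flight check before running certbot (added example, not from the original post).
# Verifies that the vhost file has a *:80 VirtualHost and that every hostname you want
# on the certificate is declared as ServerName or ServerAlias.

# vhost_names FILE -> prints one line per host declared by ServerName or ServerAlias
vhost_names() {
  awk 'tolower($1) == "servername"  { print $2 }
       tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# vhost_listens_on_80 FILE -> succeeds if FILE opens a <VirtualHost ...:80> block
vhost_listens_on_80() {
  grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:80[[:space:]]*>' "$1"
}

# missing_names FILE NAME... -> prints each NAME that FILE does not declare
missing_names() {
  file=$1; shift
  declared=$(vhost_names "$file")
  for name in "$@"; do
    printf '%s\n' "$declared" | grep -qx "$name" || printf '%s\n' "$name"
  done
}

# preflight FILE NAME... -> returns 0 when the vhost is usable for all NAMEs, 1 otherwise
preflight() {
  file=$1; shift
  ok=0
  [ -r "$file" ] || { echo "no vhost file: $file"; return 1; }
  vhost_listens_on_80 "$file" || { echo "no *:80 VirtualHost in $file"; ok=1; }
  for name in $(missing_names "$file" "$@"); do
    echo "$name is not a ServerName/ServerAlias in $file"; ok=1
  done
  return $ok
}

# Constructed sample vhost: the www alias is deliberately missing, so the check fails.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
   ServerName example.com
   DocumentRoot /var/www/html
</VirtualHost>
EOF
preflight "$sample" example.com www.example.com && echo "ready for certbot" \
  || echo "fix the vhost before running certbot"
rm -f "$sample"
```

Run it against your real file, e.g. preflight /etc/httpd/conf.d/example.com.conf example.com www.example.com, before Step 3.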

The output at each stage of installing an SSL certificate looks as follows.

    [ec2-user@ip-xx-xx-xx-xx ~]$ sudo amazon-linux-extras install epel -y
    Installing epel-release
    Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
    Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel amzn2extra-kernel-5.10 epel
    24 metadata files removed
    8 sqlite files removed
    0 metadata files removed
    Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
    amzn2-core                                            | 3.7 kB  00:00:00
    amzn2extra-docker                                     | 3.0 kB  00:00:00
    amzn2extra-epel                                       | 3.0 kB  00:00:00
    amzn2extra-kernel-5.10                                | 3.0 kB  00:00:00
    epel/x86_64/metalink                                  |  19 kB  00:00:00
    epel                                                  | 4.7 kB  00:00:00
    (1/12): amzn2-core/2/x86_64/group_gz                  | 2.5 kB  00:00:00
    (2/12): amzn2-core/2/x86_64/updateinfo                | 575 kB  00:00:00
    (3/12): amzn2extra-epel/2/x86_64/primary_db           | 1.8 kB  00:00:00
    (4/12): amzn2extra-kernel-5.10/2/x86_64/updateinfo    |  24 kB  00:00:00
    (5/12): amzn2extra-docker/2/x86_64/primary_db         | 101 kB  00:00:00
    (6/12): amzn2extra-docker/2/x86_64/updateinfo         | 8.0 kB  00:00:00
    (7/12): epel/x86_64/group_gz                          |  99 kB  00:00:00
    (8/12): epel/x86_64/updateinfo                        | 1.0 MB  00:00:00
    (9/12): amzn2extra-epel/2/x86_64/updateinfo           |   76 B  00:00:00
    (10/12): epel/x86_64/primary_db                       | 7.0 MB  00:00:00
    (11/12): amzn2extra-kernel-5.10/2/x86_64/primary_db   |  15 MB  00:00:00
    (12/12): amzn2-core/2/x86_64/primary_db               |  69 MB  00:00:01
    223 packages excluded due to repository priority protections
    Package matching epel-release-7-11.noarch already installed. Checking for update.
    Nothing to do


    [ec2-user@ip-xx-xx-xx-xx ~]$ sudo yum install -y certbot python2-certbot-apache
    Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
    223 packages excluded due to repository priority protections
    Package certbot-1.11.0-2.el7.noarch already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package python2-certbot-apache.noarch 0:1.11.0-1.el7 will be installed
    --> Processing Dependency: python-augeas for package: python2-certbot-apache-1.11.0-1.el7.noarch
    --> Running transaction check
    ---> Package python-augeas.noarch 0:0.5.0-2.amzn2 will be installed
    --> Processing Dependency: augeas-libs for package: python-augeas-0.5.0-2.amzn2.noarch
    --> Running transaction check
    ---> Package augeas-libs.x86_64 0:1.4.0-9.amzn2 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package                    Arch      Version            Repository      Size
    ================================================================================
    Installing:
     python2-certbot-apache     noarch    1.11.0-1.el7       epel           139 k
    Installing for dependencies:
     augeas-libs                x86_64    1.4.0-9.amzn2      amzn2-core     351 k
     python-augeas              noarch    0.5.0-2.amzn2      amzn2-core      25 k

    Transaction Summary
    ================================================================================
    Install  1 Package (+2 Dependent packages)

    Total download size: 515 k
    Installed size: 1.7 M
    Downloading packages:
    (1/3): python2-certbot-apache-1.11.0-1.el7.noarch.rpm    | 139 kB  00:00:00
    (2/3): augeas-libs-1.4.0-9.amzn2.x86_64.rpm              | 351 kB  00:00:00
    (3/3): python-augeas-0.5.0-2.amzn2.noarch.rpm            |  25 kB  00:00:00
    --------------------------------------------------------------------------------
    Total                                           1.5 MB/s | 515 kB  00:00:00
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : augeas-libs-1.4.0-9.amzn2.x86_64                           1/3
      Installing : python-augeas-0.5.0-2.amzn2.noarch                         2/3
      Installing : python2-certbot-apache-1.11.0-1.el7.noarch                 3/3
      Verifying  : augeas-libs-1.4.0-9.amzn2.x86_64                           1/3
      Verifying  : python-augeas-0.5.0-2.amzn2.noarch                         2/3
      Verifying  : python2-certbot-apache-1.11.0-1.el7.noarch                 3/3

    Installed:
      python2-certbot-apache.noarch 0:1.11.0-1.el7

    Dependency Installed:
      augeas-libs.x86_64 0:1.4.0-9.amzn2
      python-augeas.noarch 0:0.5.0-2.amzn2

    Complete!

    [ec2-user@ip-xx-xx-xx-xx ~]$ sudo certbot
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: example.com
    2: www.example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 1 2
    Requesting a certificate for example.com and www.example.com
    Performing the following challenges:
    http-01 challenge for example.com
    http-01 challenge for www.example.com
    Waiting for verification...
    Cleaning up challenges
    Created an SSL vhost at /etc/httpd/conf.d/example.com-le-ssl.conf
    Deploying Certificate to VirtualHost /etc/httpd/conf.d/example.com-le-ssl.conf
    Deploying Certificate to VirtualHost /etc/httpd/conf.d/example.com-le-ssl.conf
    Enhancement redirect was already set.   (the redirect to www was already set in the vhost file)
    Enhancement redirect was already set.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://example.com and
    https://www.example.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Subscribe to the EFF mailing list (email: ec2-user@gmail.com).

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/example.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/example.com/privkey.pem
       Your certificate will expire on 2023-xx-xx. To obtain a new or
       tweaked version of this certificate in the future, simply run
       certbot again with the "certonly" option. To non-interactively
       renew *all* of your certificates, run "certbot renew"
     - Some rewrite rules copied from
       /etc/httpd/conf.d/example.com.conf were disabled in the vhost
       for your HTTPS site located at
       /etc/httpd/conf.d/example.com-le-ssl.conf because they have the
       potential to create redirection loops.