In this article I will show how to install a Let's Encrypt TLS/SSL certificate on an AWS EC2 Ubuntu instance. I assume you already have one or more domains or subdomains pointing at the instance, and that a web server (Apache or Nginx) is installed and already serving them over plain HTTP on port 80, since that is where the Let's Encrypt validation request will arrive. Follow the step-by-step approach below to install the certificate on an Ubuntu AWS EC2 instance.
STEP 1: Install Certbot tool and Dependencies
Log in to your AWS EC2 instance as the ubuntu user. I assume you already know how to connect to an EC2 instance through PuTTY; if not, refer to this link on how to log in to an EC2 instance.
The commands below run with sudo, so there is no need to switch to a root shell. Run them to add the certbot repository, refresh the package index and install the certbot tool and its dependencies. Note that the certbot/certbot PPA is no longer maintained; on recent Ubuntu releases install certbot from Ubuntu's own package or from the snap instead and skip the add-apt-repository step.
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
If you use the Apache web server, install certbot with its Apache plugin using the command below (on releases where the package is named python3-certbot-apache, install that instead):
$ sudo apt-get install python-certbot-apache
If you use the Nginx web server, install certbot with its Nginx plugin using the command below (on releases where the package is named python3-certbot-nginx, install that instead):
$ sudo apt-get install python-certbot-nginx
STEP 2: Generate Certificate for domain or domains
You can obtain a certificate for one domain or for several domains with a single command. Certbot requests one certificate that covers every name in the list, validating each name in turn. The first domain in the list becomes the certificate's common name and the name of its directory under /etc/letsencrypt/live; list subdomains and aliases after it. Use the command that matches your web server:
sudo certbot --apache -d webnlinux.com -d www.webnlinux.com
sudo certbot --nginx -d webnlinux.com -d www.webnlinux.com
The certificate, chain and private key are stored under /etc/letsencrypt/live/<domain>/ (fullchain.pem and privkey.pem). These are symlinks into /etc/letsencrypt/archive, so always reference the live path in your web server configuration, otherwise renewals will not be picked up. The private key is created readable by root only; keep it that way. Certbot also edits the virtual host for each domain under /etc/apache2/sites-available or /etc/nginx/sites-available, adding the SSL directives and, if you accept the redirect option when prompted, a redirect from HTTP to HTTPS.
STEP 3: Verifying Certbot Auto-Renewal
Let's Encrypt certificates are valid for only 90 days. The certbot package installs a systemd timer that runs the renewal check twice a day; on non-systemd distributions the same job runs from a cron script placed in /etc/cron.d. Each run renews only the certificates that expire within the next 30 days, so most runs do nothing.
To test the renewal process without touching your real certificates, do a dry run with certbot:
sudo certbot renew --dry-run
If you see no errors, you are done. During a real renewal Certbot renews the certificate and reloads Apache or Nginx so that the new certificate is served. Let's Encrypt has sent expiry warning emails to the account address in the past when a certificate was close to expiry without having been renewed, but do not depend on that as your only safeguard: repeat the dry run after OS or web server changes, and monitor the expiry date of the certificate your site actually serves.
In case validation fails with an error in the http-01 challenge, check your DNS records first: the A (IPv4) and AAAA (IPv6) records for every name in the certificate must point at this instance. A stale AAAA record pointing at another host is a common cause, because Let's Encrypt tries IPv6 first when an AAAA record exists. Also confirm that the instance answers on port 80 (and 443) over both IPv4 and IPv6: the EC2 security group must allow inbound traffic on those ports and the web server must be listening on them.
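As an added example, not part of the article and not a certbot tool, here is a hypothetical pre-flight script (call it le-preflight.sh) that checks the points above before you run certbot: every name you intend to put on the certificate must resolve to this instance, and each name must answer on port 80 over every address family it advertises. It assumes dig (from the dnsutils package) and curl are installed, and that https://checkip.amazonaws.com returns the instance's public IPv4 address, which is only true for an instance with a public address and outbound internet access.

```shell
#!/bin/sh
# le-preflight.sh - hypothetical pre-flight check for the Let's Encrypt
# http-01 challenge on an EC2 instance (added example, not certbot's code).
# Assumes: dig (dnsutils) and curl are installed, and checkip.amazonaws.com
# is reachable and returns this instance's public IPv4 address.
set -u

# same_set LIST_A LIST_B: succeed if the two newline-separated lists hold
# the same members, ignoring order, duplicates and empty lines.
same_set() {
    a=$(printf '%s\n' "$1" | sed '/^$/d' | sort -u)
    b=$(printf '%s\n' "$2" | sed '/^$/d' | sort -u)
    [ "$a" = "$b" ]
}

# addresses_only: filter `dig +short` output down to addresses. When a name
# is a CNAME, dig prints the target first; it ends with a dot, so drop it.
addresses_only() {
    grep -v '\.$' | sed '/^$/d'
}

# resolve DOMAIN TYPE: public A or AAAA answers for DOMAIN.
resolve() {
    dig +short "$2" "$1" | addresses_only
}

# challenge_reachable DOMAIN FAMILY: send the same kind of request the CA
# sends, forced to IPv4 (-4) or IPv6 (-6). Any HTTP status is fine (the
# real token path does not exist yet); only a failed connection is a problem.
challenge_reachable() {
    curl "-$2" -s -o /dev/null --connect-timeout 5 --max-time 10 \
        "http://$1/.well-known/acme-challenge/preflight"
}

# main BASE_DOMAIN [ALIAS...]: the same argument order as the certbot -d list.
main() {
    base=$1; shift
    my4=$(curl -4 -s --max-time 10 https://checkip.amazonaws.com || true)
    base4=$(resolve "$base" A)
    base6=$(resolve "$base" AAAA)
    rc=0

    if ! same_set "$base4" "$my4"; then
        echo "FAIL: A record(s) for $base [$base4] do not match this instance [$my4]"
        rc=1
    fi
    if [ -n "$base6" ]; then
        echo "NOTE: $base has AAAA record(s) [$base6]; Let's Encrypt tries IPv6 first"
    fi

    for d in "$base" "$@"; do
        # every name on the certificate must land on the same host as the base domain
        if ! same_set "$(resolve "$d" A)" "$base4"; then
            echo "FAIL: A records for $d differ from those of $base"
            rc=1
        fi
        for fam in 4 6; do
            if [ "$fam" = 6 ] && [ -z "$(resolve "$d" AAAA)" ]; then
                continue    # no AAAA record, so the CA will not try IPv6 here
            fi
            if challenge_reachable "$d" "$fam"; then
                echo "ok:   $d answers on port 80 over IPv$fam"
            else
                echo "FAIL: $d does not answer on port 80 over IPv$fam"
                rc=1
            fi
        done
    done
    return $rc
}

# Only run the checks when domains are given on the command line.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as sh le-preflight.sh webnlinux.com www.webnlinux.com (the domains from the article, listed in the same order as the -d options) before the certbot command in STEP 2, and again whenever certbot renew --dry-run starts failing. A FAIL for IPv6 while IPv4 passes is the stale AAAA record case described above; either fix the record or make the web server listen on the IPv6 address and open the security group for it.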