If you want to try out the new free SSL certificates from LetsEncrypt on a web site hosted on the Bitnami LAMP Stack on Amazon EC2, here is how I did it.
First of all, I’m using a very simple Apache install on Bitnami, so the default Bitnami-supplied scripts that configure Apache, MySQL and PHP are all still in their default locations.
I decided to do a “webroot” installation of letsencrypt because I didn’t really understand the alternatives. It turned out that the webroot installation was the best choice for me.
With this option the script writes a temporary challenge file under /.well-known/acme-challenge/ inside your webroot, and the LetsEncrypt validation servers then fetch that file over plain HTTP from the host name you are asking for. That fetch succeeding is the proof that you control the host name, so the webroot you pass must be the directory Apache really serves for that name, and nothing in your Apache config may block requests for /.well-known/. Unlike the apache plugin, the webroot option never edits your Apache configuration, which is what makes it the safe choice on a stack that ships its own config files.
Multiple Host Names
You can put multiple host names in one certificate (they go in as Subject Alternative Names). I chose to create 2. Both work fine even without any Apache vhost configuration active: as long as the host name in the URL the browser asked for matches one of the names in the certificate, the address bar goes green.
The name of the certificate directory created by letsencrypt is based on the first hostname in the list on the command line, so with the command below everything lands under /etc/letsencrypt/live/ses.rosacea-support.org/ even though the certificate also covers sandbox.pascoe.biz.
Here you can see the certificate name for both of the domains I created.
Install Letsencrypt scripts
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly -w /home/bitnami/htdocs -d ses.rosacea-support.org -d sandbox.pascoe.biz
-w is where your webroot is located and each -d flag names a domain you want on the certificate; the first -d also decides the directory name under /etc/letsencrypt/live.
The cert files are written to /etc/letsencrypt/live/ses.rosacea-support.org/ (cert.pem, privkey.pem, chain.pem and fullchain.pem).
Update Apache to use the new certificates
sudo vim /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf
Comment out the default SSL certificate lines so that you are left with the following 3 lines.
SSLCertificateFile "/etc/letsencrypt/live/ses.rosacea-support.org/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ses.rosacea-support.org/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/ses.rosacea-support.org/fullchain.pem"
Strictly, chain.pem (the intermediate certificate on its own) is the file meant for SSLCertificateChainFile; fullchain.pem is cert.pem and chain.pem concatenated and is intended for SSLCertificateFile on Apache 2.4.8 or newer, where SSLCertificateChainFile is deprecated and the chain line can be dropped. The three lines above work, but chain.pem is the cleaner choice for the chain directive.
Restart the LAMP stack.
sudo /opt/bitnami/ctlscript.sh restart
Now you ought to be able to see a green https padlock!
LetsEncrypt certificates are only valid for 90 days, so the certificate has to be renewed before then. Keep hold of the command you used to generate the certificates, as for now you will have to come back roughly every 3 months to refresh them. Hence this blog post: I’m keeping my command here ready for a refresh!
I’m assuming that the old certs will be moved aside and the symbolic links in /etc/letsencrypt/live will be updated to point at the refreshed certs automatically. Will wait and see. I might also need to “git pull” updates to letsencrypt before I start in 3 months’ time.
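As an added example (not part of the original post, and not letsencrypt’s own tooling), here is a small POSIX shell script for the two things above that are easy to get wrong on the 3-monthly visit: that the lineage directory named after the first -d host really covers every host name you serve, and whether cert.pem is already inside the renewal window. It uses only openssl(1). The 30-day threshold and the make_test_lineage helper are this example’s own choices; the helper builds a throwaway self-signed lineage with the post’s two host names so the script can be tried offline, and is not how letsencrypt produces certificates.

```shell
#!/bin/sh
# Added example for this post, not part of letsencrypt/certbot: sanity-check a
# /etc/letsencrypt/live/<first -d host>/ lineage before deciding whether to renew.
# Needs only openssl(1). The 30-day threshold below is this example's choice.
set -eu

# Print the DNS names in the certificate's Subject Alternative Name extension, one per line.
cert_san_names() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Succeed if host $2 is one of the names in certificate $1 (exact match, no wildcards).
cert_covers_host() {
    cert_san_names "$1" | grep -qxF "$2"
}

# Succeed if certificate $1 expires within $2 days (or has already expired),
# i.e. it is time to run the certonly command again.
cert_needs_renewal() {
    if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# Check lineage dir $1 against threshold $2 days and the host names $3..:
# prints OK, RENEW or MISSING:<host> and returns 0, 1 or 2 accordingly.
check_lineage() {
    dir=$1; days=$2; shift 2
    cert="$dir/cert.pem"
    for host in "$@"; do
        if ! cert_covers_host "$cert" "$host"; then
            echo "MISSING:$host"     # re-run certonly with this host added to the -d list
            return 2
        fi
    done
    if cert_needs_renewal "$cert" "$days"; then
        echo "RENEW"
        return 1
    fi
    echo "OK"
    return 0
}

# Test helper (constructed data, not a real lineage): build a self-signed cert in $1
# valid for $2 days with SANs $3..; the first host also names the directory, as
# letsencrypt does. Uses a config file rather than -addext so older openssl works.
make_test_lineage() {
    dir=$1; days=$2; shift 2
    mkdir -p "$dir"
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $1
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
        -config "$dir/openssl.cnf" >/dev/null 2>&1
}

# Stand-alone use on the real server, e.g. from cron:
#   sh check-lineage.sh /etc/letsencrypt/live/ses.rosacea-support.org ses.rosacea-support.org sandbox.pascoe.biz
if [ "$#" -ge 2 ]; then
    dir=$1; shift
    check_lineage "$dir" 30 "$@"
fi
```

Once Apache has been restarted, it is worth checking what the server actually sends rather than trusting the padlock: `openssl s_client -connect ses.rosacea-support.org:443 -servername ses.rosacea-support.org </dev/null` prints the certificate chain the client received and a "Verify return code" line, which will show a missing intermediate long before a browser that already has it cached will.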
[update:] Here is a page on what commands I used to update my letsencrypt certificates – LETSENCRYPT SSL CERTIFICATE RENEWAL COMMAND
[update 2]: letsencrypt-auto has been renamed to certbot.