Using free LetsEncrypt https SSL on Bitnami LAMP on EC2

[Screenshot, 2016-01-13]

If you want to try out the new free SSL certificate using LetsEncrypt for a web site hosted on Bitnami LAMP Stack on Amazon EC2, here is how I did it.

First of all, I’m using a very simple Apache install on Bitnami, so the default Bitnami-supplied scripts that configure apache2, mysql and php are all still in their default locations.

Webroot installation

I decided to try to do a “webroot” installation of letsencrypt because I didn’t really understand the alternatives. Turns out that the webroot installation was the best choice for me.

This install option places a temporary file under the webroot so that it can then be fetched externally via a web request, proving that the host name you are asking for really does point at this server.

Multiple Host Names

You can create multiple secure names in one certificate file. I chose to create 2. Both work fine even without any apache vhost configuration active – just the incoming URL from the browser matching the hostname in the certificate is enough to go green in the address bar.

The name of the certificate directory created by letsencrypt is based on the first hostname in the list on the command line.

Here you can see the certificate name for both of the domains I created.

[Screenshot, 2016-01-13: the certificate name shown for both domains]

Installation

Install Letsencrypt scripts

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly -w /home/bitnami/htdocs -d ses.rosacea-support.org -d sandbox.pascoe.biz

-w is where your webroot is located and the multiple -d flags are for the domains that you want to secure.

The cert files are written to /etc/letsencrypt/live.

Update Apache to use the new certificates

sudo vim /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf

Comment out the default SSL Certificate lines so that you are left with the following 3 lines.

SSLCertificateFile "/etc/letsencrypt/live/ses.rosacea-support.org/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/ses.rosacea-support.org/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/ses.rosacea-support.org/fullchain.pem"

Restart the LAMP stack.

sudo /opt/bitnami/ctlscript.sh restart

Voila!

Now you ought to be able to see a green https padlock!

Keep Updating

The certificate needs to be renewed every 90 days to remain valid. So keep hold of the command you used to generate the certificates, as you will currently have to return every 3 months to refresh the certs. Hence this blog post – I’m keeping my command here ready for a refresh!

I’m assuming that the old certs will be moved aside and the symbolic links in /etc/letsencrypt/live will be updated to automatically use the new refreshed certs. Will wait and see. Might also need to “git pull” updates to letsencrypt before I start in 3 months time too.
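A pre-renewal check for the three files the post points Apache at, added here as an example that is not part of the original post: it reports whether cert.pem is inside a 30-day renewal window, whether privkey.pem really belongs to cert.pem, whether every hostname you passed with -d is a DNS name in the certificate (a hostname missing here is one cause of the Apache "server certificate does NOT include an ID which matches the server name" error quoted in the comments), and whether fullchain.pem begins with the leaf certificate. It assumes the openssl command-line tool is installed; the hostnames and the 30-day threshold are placeholders taken from the post.

```shell
#!/bin/sh
# Added example (not from the post): pre-renewal health check for a
# Let's Encrypt "live" directory. Requires the openssl CLI on PATH.
#
# usage: check_cert_dir LIVE_DIR HOSTNAME...   (returns 0 only if every check passes)
check_cert_dir() {
    dir="$1"; shift
    cert="$dir/cert.pem"; key="$dir/privkey.pem"; chain="$dir/fullchain.pem"
    status=0
    for f in "$cert" "$key" "$chain"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done

    # 1. Expiry: certs last 90 days; flag anything that lapses within 30 days.
    if ! openssl x509 -noout -checkend $((30 * 86400)) -in "$cert" >/dev/null; then
        echo "renew now: $(openssl x509 -noout -enddate -in "$cert")"
        status=1
    fi

    # 2. privkey.pem must be the key for cert.pem: compare the public key
    #    embedded in the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match cert.pem"
        status=1
    fi

    # 3. Every hostname given with -d must appear as a DNS Subject Alternative
    #    Name; a name that is not listed will not validate in the browser.
    sans=$(openssl x509 -noout -text -in "$cert" \
           | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }')
    for host in "$@"; do
        case ",$sans," in
            *",DNS:$host,"*) ;;
            *) echo "not covered by certificate: $host"; status=1 ;;
        esac
    done

    # 4. fullchain.pem is the leaf followed by the intermediates, so its first
    #    certificate must have the same fingerprint as cert.pem.
    leaf_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    chain_fp=$(openssl x509 -noout -fingerprint -sha256 -in "$chain")
    if [ "$leaf_fp" != "$chain_fp" ]; then
        echo "fullchain.pem does not begin with cert.pem"
        status=1
    fi
    return $status
}

# e.g. sh check_certs.sh /etc/letsencrypt/live/ses.rosacea-support.org ses.rosacea-support.org sandbox.pascoe.biz
if [ "$#" -ge 2 ]; then check_cert_dir "$@"; fi
```

A non-zero exit is the cue to run the certonly command above again; running it from cron with the hostnames you issued for turns the every-3-months reminder into an automatic check.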

[update:] Here is a page on what commands I used to update my letsencrypt certificates – LETSENCRYPT SSL CERTIFICATE RENEWAL COMMAND

More info on LetsEncrypt – https://letsencrypt.org/

7 thoughts on “Using free LetsEncrypt https SSL on Bitnami LAMP on EC2”

  1. Hi Davo
    I have followed your instructions but for some reason I don’t have the green padlock showing.
    What’s the best way to troubleshoot and find the issue?
    Thanks

    1. Not sure I can give a quick answer that is helpful. Check the apache error log, try introducing a spelling error in the config file and make sure you are getting an error in the error log to prove you are editing the correct configuration file.

  2. Using your suggestion I have found that the error_log file was returning the following:
    server certificate does NOT include an ID which matches the server name
    I then thought a bit harder and realised that https won’t show up by itself, as I am not forcing it yet.
    So when I put https:// in front of my domain name everything worked as expected.
    Thanks for your help

  3. THANK YOU!! I can’t believe it was so simple. I’ve been pulling my hair out for days trying 3 different sets of instructions – all much more convoluted than yours. Yours worked flawlessly! Thank you SO much!