Setting up Let's Encrypt on AMIMOTO AMI

On the latest version of our AMI you can quickly install and set up Let's Encrypt.

 

Prerequisites

  • You have registered the domain name you want to use.
  • You have configured the DNS records for that domain.
  • You can access your site over plain HTTP, e.g. http://example.com (the HTTP-01 challenge below is fetched over port 80).
  • You have completed the WordPress installation.

 

Things to do

  1. Install Let's Encrypt.
  2. Obtain an SSL certificate for the domain.
  3. Configure the SSL certificate in Nginx.
  4. Set up an automatic certificate renewal job (optional).

 

Install Let's Encrypt

Access the server through SSH, then install Let's Encrypt.

Note: the following command generates high load on t2.micro or t2.small instances and server responses may time out. We recommend stopping monit, Nginx, PHP-FPM and MySQL before running it. Stop monit first so that it does not restart the other services behind your back, and start it last when bringing them back up.

# service monit stop; service nginx stop; service php-fpm stop; service mysql stop
Stops the programs.
# service nginx start; service php-fpm start; service mysql start; service monit start
Starts the stopped programs again.

Command

$ ssh -i ssh-key.pem ec2-user@example.com

Last login: Fri Nov 25 15:49:25 2016 from

[ec2-user@ip-172-31-9-204 ~]$
[ec2-user@ip-172-31-9-204 ~]$ sudo su -

Last login: Sun Jan 1 00:00:0 JST 2016 on pts/0

[root@ip-172-31-9-204 ~]# 
[root@ip-172-31-9-204 ~]# service monit stop; service nginx stop; service php-fpm stop; service mysql stop
[root@ip-172-31-9-204 ~]# chef-solo -o amimoto::letsencrypt -c /opt/local/solo.rb -j /opt/local/amimoto.json -l error
[root@ip-172-31-9-204 ~]# service nginx start; service php-fpm start; service mysql start; service monit start

You have completed the Let's Encrypt installation.
Next, obtain an SSL certificate for the domain.

 

Obtain an SSL certificate for the domain

Example for example.com

Note 1:
Enter email address (used for urgent notices and lost key recovery): you can enter any address (Gmail, Office 365 or any other), but make sure it is correct. It is what Let's Encrypt uses to recover your ACME account if you lose the credentials stored under /etc/letsencrypt.

Note 2:
At the (A)gree/(C)ancel prompt, press [A] and then [Enter]/[Return].

Note 3:
The --webroot-path must be the directory Nginx serves for http://example.com/, because the validation server fetches the HTTP-01 challenge file from /.well-known/acme-challenge/ under it. The --server URL in the command below is the ACME v1 endpoint, which Let's Encrypt has since retired; with a current Certbot release, omit the --server option so the client uses its default (ACME v2) directory.

Command

[root@ip-172-31-9-204 ~]# letsencrypt certonly -t -d example.com \
 -a webroot --webroot-path=/var/www/vhosts/example.com/ \
 --rsa-key-size 2048 \
 --server https://acme-v01.api.letsencrypt.org/directory
Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel): info+letsencrypt@example.com ※

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert
   will expire on 2016-11-02. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to info+letsencrypt@example.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
   

 

Configure the SSL certificate in Nginx

You have finished installing Let's Encrypt and obtaining the SSL certificate. Now configure the server in /etc/nginx/conf.d/domain-name-ssl.conf.

First, copy the current configuration file domain-name.conf to domain-name-ssl.conf, then edit the copy.

Example for example.com

Command

[root@ip-172-31-9-204 ~]# cd /etc/nginx/conf.d
[root@ip-172-31-9-204 /etc/nginx/conf.d]# cp example.com.conf example.com-ssl.conf
[root@ip-172-31-9-204 /etc/nginx/conf.d]# vi example.com-ssl.conf

server {
    listen      443 ssl http2;
    server_name example.com;
    root        /var/www/vhosts/example.com;
    index       index.html index.htm;
    charset     utf-8;

    # No "ssl on;" here: the ssl parameter on "listen" already enables TLS,
    # and nginx 1.25 and later reject the old directive outright.
    # fullchain.pem contains the leaf plus the Let's Encrypt intermediate;
    # serving cert.pem alone makes many clients fail chain building.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); serve TLS 1.2 only.
    # Add TLSv1.3 here once this nginx (1.13 or later) is built against OpenSSL 1.1.1 or later.
    ssl_protocols  TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    access_log  /var/log/nginx/example.com-ssl.access.log  main;
    error_log   /var/log/nginx/example.com-ssl.error.log;

    # ... the remaining location blocks copied from example.com.conf follow unchanged ...

Press [Shift]+[Z] twice ([Shift]+[Z][Z], i.e. ZZ) to save the changes and leave vi.
Then test the configuration and restart Nginx to apply the changes. monit is stopped first so that it does not interfere with the restart, and started again afterwards.

Command

[root@ip-172-31-9-204 /etc/nginx/conf.d]# nginx -t
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit stop && service nginx restart
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit start
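"nginx -t" only tells you the file parses; it says nothing about whether the TLS settings are sensible. The following added example (not part of the AMIMOTO page or of nginx) is a small pre-deploy lint you can run over the vhost file before restarting: it flags the settings a reviewer would reject in a block like the one above ("ssl on;", deprecated protocol versions, a missing ssl_protocols line, a listen 443 without ssl, a certificate path that is not fullchain.pem, a missing key). It is plain bash and grep and assumes the vhost is a single file such as /etc/nginx/conf.d/example.com-ssl.conf.

```bash
#!/bin/bash
# Added example, not the AMIMOTO page's or nginx's own code.
# Lints one nginx vhost file for weak or obsolete TLS settings.
# Prints one finding per line on stderr, the number of findings on stdout,
# and returns 1 when anything was found (0 when the file is clean).
audit_nginx_ssl_conf() {
    local conf="$1" body findings=0
    # Drop comments first so that commented-out lines cannot trigger findings.
    body=$(sed 's/#.*//' "$conf")

    finding() { echo "$conf: $1" >&2; findings=$((findings + 1)); }

    # "listen 443" without the ssl parameter serves plain HTTP on the TLS port.
    if grep -qE 'listen[^;]*[[:space:]]443([[:space:]]|;)' <<<"$body" \
        && ! grep -qE 'listen[^;]*[[:space:]]443[^;]*[[:space:]]ssl([[:space:]]|;)' <<<"$body"; then
        finding "listen 443 lacks the ssl parameter"
    fi

    # "ssl on;" is superseded by "listen ... ssl" and rejected by nginx 1.25+.
    grep -qE '(^|[[:space:]])ssl[[:space:]]+on[[:space:]]*;' <<<"$body" \
        && finding "'ssl on;' is obsolete and rejected by nginx >= 1.25"

    # Without ssl_protocols, nginx before 1.23.4 still offers TLS 1.0 and 1.1.
    grep -qE '(^|[[:space:]])ssl_protocols[[:space:]]' <<<"$body" \
        || finding "ssl_protocols not set (nginx before 1.23.4 then allows TLS 1.0/1.1)"

    # SSLv2/SSLv3 (RFC 6176, RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
    # The trailing space-or-semicolon keeps "TLSv1" from matching "TLSv1.2"/"TLSv1.3".
    grep -qE 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' <<<"$body" \
        && finding "ssl_protocols enables a deprecated protocol version"

    # The intermediate must be served: point ssl_certificate at fullchain.pem, not cert.pem.
    grep -qE 'ssl_certificate[[:space:]][^;]*fullchain\.pem' <<<"$body" \
        || finding "ssl_certificate should point at fullchain.pem (leaf + intermediate)"

    grep -qE '(^|[[:space:]])ssl_certificate_key[[:space:]]' <<<"$body" \
        || finding "ssl_certificate_key is missing"

    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Usage on the AMI (assumed path): audit_nginx_ssl_conf /etc/nginx/conf.d/example.com-ssl.conf && nginx -t
```

Run it before "nginx -t" in the restart step; a non-zero exit stops the chain so a weak configuration never reaches a running server. The checks are deliberately line-oriented and only cover directives that appear on this page.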

Additionally, if your WordPress site is live and you want to force HTTPS, make the following changes to the port 80 server block in /etc/nginx/conf.d/example.com.conf.

Command

server {
    listen      80;
    server_name example.com;
    root        /var/www/vhosts/example.com;
    index       index.html index.htm;
    charset     utf-8;
    # Redirect every plain-HTTP request to HTTPS. A "return" at server level runs
    # before location matching, so everything below it in this block is unreachable.
    # Let's Encrypt follows this 301 when validating the HTTP-01 challenge, so
    # webroot renewals keep working as long as the port 443 server block serves
    # the same root directory.
    return 301 https://example.com$request_uri;

Press [Shift]+[Z] twice ([Shift]+[Z][Z], i.e. ZZ) to save the changes and leave vi.
Then test the configuration and restart Nginx to apply the changes.

[root@ip-172-31-9-204 /etc/nginx/conf.d]# nginx -t
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit stop && service nginx restart
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit start

 

Set up an automatic certificate renewal job (optional)

Let's Encrypt certificates expire after 90 days, so it is a good idea to schedule a check-and-renew job. "letsencrypt renew" only renews certificates that are within 30 days of expiry and leaves the others alone, so a weekly run is enough; if the job fails, cron mails its output to root.

※ Example: run letsencrypt renew every Monday at 1:00 AM

Command

[root@ip-172-31-9-204 /etc/nginx/conf.d]# crontab -e

# Renew Let's Encrypt certificates. --post-hook runs only when a certificate was
# actually renewed, so Nginx is not restarted needlessly every Monday; "reload"
# keeps Nginx serving while it picks up the new certificate, so monit need not be
# stopped. --quiet suppresses normal output, so cron only mails you on errors.
0 1 * * 1 /opt/letsencrypt/bin/letsencrypt renew --quiet --post-hook "/sbin/service nginx reload"

Pushing Shift key and Z key twice to save changes ([Shift]+[Z][Z]).
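A cron job that fails quietly (the client was upgraded and the path changed, the webroot moved, port 80 was firewalled) is only noticed when the site starts throwing certificate errors. The following added example (not part of the AMIMOTO page or of Certbot) is a watchdog for a second, daily cron job: it walks the live/ directory and exits non-zero when any certificate has fewer than N days left, so cron mails you while there is still time to fix the renewal. Because "renew" kicks in at 30 days before expiry, alerting at 20 days means the weekly job has already missed at least one run. It assumes openssl; the live directory is a parameter and on the AMI would be /etc/letsencrypt/live.

```bash
#!/bin/bash
# Added example, not the AMIMOTO page's or Certbot's own code.
# Renewal watchdog: fail when any live certificate is close to expiry.
# Assumes: openssl. Certbot keeps each certificate at <live_dir>/<name>/cert.pem.

# Returns 0 when certificate $1 is still valid $2 days from now,
# 1 when it expires sooner (or has already expired).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Walks <live_dir>/*/cert.pem, prints one line per certificate, and returns
# 1 if any certificate expires within $2 days, 2 if no certificates were found.
check_live_certs() {
    local live_dir="$1" min_days="$2" rc=0 cert name
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || { echo "no certificates under $live_dir" >&2; return 2; }
        name=$(basename "$(dirname "$cert")")
        if cert_valid_for_days "$cert" "$min_days"; then
            echo "OK   $name"
        else
            echo "WARN $name expires within $min_days days"
            rc=1
        fi
    done
    return $rc
}

# Usage on the AMI (assumed path), e.g. from a daily cron entry; cron mails the
# output whenever the job exits non-zero:
# check_live_certs /etc/letsencrypt/live 20 || exit 1
```

Using openssl's -checkend avoids parsing notAfter by hand; the threshold is handed over in seconds, which is why the day count is multiplied by 86400.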
That's all!
