Setting up Let's Encrypt on AMIMOTO AMI

On the latest version of our AMI, you can quickly install and set up Let's Encrypt.

 

Premises

  • You have registered the domain name you want to set up.
  • You have configured DNS records for the domain.
  • You can access your site with your browser, e.g. http://example.com
  • You have completed the WordPress installation.

 

Things to do

  1. Install the Let's Encrypt program on the server.
  2. Install an SSL certificate generated with Let's Encrypt for the domain.
  3. Configure the SSL certificate.
  4. Set up an automatic certificate renewal script (optional).

 

Let's install Let's Encrypt

Access the server through SSH; then install Let's Encrypt.

Command

Log in to your server:
$ ssh -i ssh-key.pem ec2-user@example.com
Become root user:
[ec2-user@ip-172-31-9-204 ~]$ sudo su -
[root@ip-172-31-9-204 ~]# 
Stop some services:
[root@ip-172-31-9-204 ~]# service monit stop; service nginx stop; service php-fpm stop; service mysql stop
Install the Let's Encrypt program:
[root@ip-172-31-9-204 ~]# chef-solo -o amimoto:letsencrypt -c /opt/local/solo.rb -j /opt/local/amimoto.json -l error
Restart stopped services:
[root@ip-172-31-9-204 ~]# service nginx start; service php-fpm start; service mysql start; service monit start

You have completed the Let's Encrypt program installation.
Next, install the SSL certificate for the domain.

 

Install the SSL certificate for the domain

This example installs an SSL certificate for example.com.

Command

Install the SSL certificate for the domain:
[root@ip-172-31-9-204 ~]# letsencrypt certonly -t -d example.com \
 -a webroot --webroot-path=/var/www/vhosts/example.com/ \
 --rsa-key-size 2048 \
 --server https://acme-v01.api.letsencrypt.org/directory
 

Note: replace example.com with your registered domain.

Email address for notifications from Let's Encrypt:
Enter email address (used for urgent notices and lost key recovery) (Enter 'c'
to cancel): info+letsencrypt@example.com
Agree to the Terms of Service:

Hit [A] key then [Enter]/[Return] key.

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
  

Congratulations! The Let's Encrypt certificate is installed on the server.

Your certificate and chain have been saved at

/etc/letsencrypt/live/example.com/fullchain.pem

 

 

Configuring the SSL certificate

You have finished installing Let's Encrypt and the SSL certificate. Now configure the server settings in the configuration file /etc/nginx/conf.d/example.com-ssl.conf.

First, copy the current configuration file example.com.conf to example.com-ssl.conf, then edit the copy.

Make the copy and configure it for example.com

Commands and Settings

[root@ip-172-31-9-204 ~]# cd /etc/nginx/conf.d
[root@ip-172-31-9-204 /etc/nginx/conf.d]# cp example.com.conf example.com-ssl.conf
[root@ip-172-31-9-204 /etc/nginx/conf.d]# vi example.com-ssl.conf
  

Hit the [i] key to start modifying the file.

server {
    listen      443 ssl http2;
    server_name example.com;
    root        /var/www/vhosts/example.com;
    index       index.html index.htm;
    charset     utf-8;

    ssl on;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    access_log  /var/log/nginx/example.com-ssl.access.log  main;
    error_log   /var/log/nginx/example.com-ssl.error.log;

[...skip the rest...]

When you have finished editing, hit the [Esc] key. Then save your changes by pressing [Shift]+[z] twice (ZZ).
Then restart nginx to apply the changes.

Command

[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit stop && service nginx restart
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit start

 

Additionally, if your WordPress site is active and you want to force HTTPS access, add the line return 301 https://example.com$request_uri; to the server block in /etc/nginx/conf.d/example.com.conf

Command

[root@ip-172-31-9-204 /etc/nginx/conf.d]# vi example.com.conf

Hit the [i] key to start modifying the file.

server {
	listen      80;
	server_name example.com;
	root        /var/www/vhosts/example.com;
	index       index.html index.htm;
	charset     utf-8;
	return 301 https://example.com$request_uri;

[...skip the rest...]

When you have finished editing, hit the [Esc] key. Then save your changes by pressing [Shift]+[z] twice (ZZ).
Then restart nginx to apply the changes.

[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit stop && service nginx restart
[root@ip-172-31-9-204 /etc/nginx/conf.d]# service monit start

That's all for installing and setting up Let's Encrypt and modifying the server configuration.

 

Setting up an automatic certificate renewal script (optional)

Let's Encrypt certificates expire after 90 days, so it's a good idea to set up a script that checks and renews them.

* Example: run letsencrypt renew every Monday at 1:00 AM

Command

[root@ip-172-31-9-204 /etc/nginx/conf.d]# crontab -e

Hit the [i] key to start modifying the file, then copy the following two lines and paste them there:

# Renewing Lets Encrypt certificate
0 1 * * 1 /opt/letsencrypt/bin/letsencrypt renew && /sbin/service nginx restart > /dev/null 2>&1

When you have finished editing, hit the [Esc] key. Then save your changes by pressing [Shift]+[z] twice (ZZ).
Then restart nginx to apply the changes.
That's all for the optional settings!
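A post-setup check script, added here as an example and not part of the AMIMOTO documentation, that verifies the three things configured on this page: the ssl_protocols line of the nginx SSL config (it flags TLSv1 and TLSv1.1, which the config above enables but which have since been deprecated by RFC 8996), the HTTP to HTTPS 301 redirect, and the days left before the certificate expires. It assumes the file paths used above and that curl, openssl and GNU date are available on the server.

```bash
#!/bin/sh
# check_le_setup.sh (added example, not from the AMIMOTO docs): sanity checks for
# the Let's Encrypt + nginx setup on this page. Assumes the /etc/letsencrypt/live/
# and /etc/nginx/conf.d/<domain>-ssl.conf paths used above, plus curl and openssl.

# Pass when every protocol in the ssl_protocols line read from stdin is TLSv1.2 or
# TLSv1.3; fail on TLSv1/TLSv1.1 (deprecated by RFC 8996) or when the line is absent.
check_ssl_protocols() {
  protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
  [ -n "$protos" ] || return 1
  for p in $protos; do
    case "$p" in
      TLSv1.2|TLSv1.3) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Pass when the HTTP response headers read from stdin are a 301 whose Location
# points at https://<domain>/, i.e. the redirect added to example.com.conf works.
check_redirect() {
  headers=$(cat)
  printf '%s\n' "$headers" | head -n 1 | grep -q ' 301 ' || return 1
  printf '%s\n' "$headers" | grep -qi "^Location: https://$1/"
}

# Print whole days until the certificate in $1 expires (needs openssl and GNU date).
# Certificates last 90 days; check this after the weekly cron job to confirm it renews.
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Run the three checks against the live server: ./check_le_setup.sh example.com
run_checks() {
  domain="$1"
  check_ssl_protocols < "/etc/nginx/conf.d/$domain-ssl.conf" \
    && echo "ssl_protocols: OK" || echo "ssl_protocols: TLS 1.0/1.1 still enabled"
  curl -sI "http://$domain/" | check_redirect "$domain" \
    && echo "redirect: OK" || echo "redirect: not a 301 to https://$domain/"
  echo "certificate days left: $(cert_days_left "/etc/letsencrypt/live/$domain/fullchain.pem")"
}

[ $# -eq 1 ] && run_checks "$1"
```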
