Let’s encrypt SSL certificate setup on AWS

Amit Kumar Gupta
3 min read · Jul 31, 2019

Easy and short

You are probably aware that Let's Encrypt issues free SSL/TLS certificates, which is a huge benefit for small organizations. Rather than discussing its positive and negative aspects, let's go through how to set one up for your backend application or website.

I tried certbot previously, following the instructions on its official site, the AWS documentation, and other articles, but everything failed on AWS due to its dependencies. So this time I tried acme.sh, which hides all the complexities and makes the process very easy. So let's start:

Log in to your EC2 instance from the terminal and follow these steps.

Step 1: Install acme.sh

This is a one-time activity. The installer copies the script to ~/.acme.sh, adds an acme.sh alias to your shell profile, and sets up a daily cron job that renews certificates when they are due. Open a new shell (or source ~/.bashrc) so the alias is available for the next step. Piping an installer from the network straight into sh runs whatever the server returns; if that bothers you, download the script first, read it, then run it.

curl https://get.acme.sh | sh

Step 2: Issue the certificate

Manual mode

First it needs to verify that you own the domain. Manual DNS mode cannot renew on its own (you have to add a fresh TXT record every time), which is why acme.sh makes you acknowledge that with the --yes-I-know-dns-manual-mode-enough-go-ahead-please flag; without it the command refuses to run. Because the request covers both example.com and *.example.com, it prints two TXT values, both for the same name _acme-challenge.example.com; add both as separate TXT records.

$ acme.sh --issue --dns -d example.com -d '*.example.com' --yes-I-know-dns-manual-mode-enough-go-ahead-please
Add the following txt record:
Domain:_acme-challenge.example.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c

...
Please add those txt records to the domains. Waiting for the dns to take effect.

Log in to your DNS provider (GoDaddy, for example) and add the TXT record(s) with the values above. Propagation can take anywhere from seconds to several minutes depending on the provider and the record's TTL, so give it a minute and then verify with dig. Ask a public resolver rather than the instance's local cache, so that a negative answer cached before you added the record does not mislead you:

$ dig +short -t txt _acme-challenge.example.com @1.1.1.1

Once every expected value shows up, issue the certificate:

$ acme.sh --renew -d example.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
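The "check, then renew" step above, as an added example that is not part of the original post or of acme.sh: it polls public DNS until every TXT value acme.sh asked for is visible, then runs the manual-mode renew. Issuing for example.com and *.example.com produces two challenge values at the same name, and the renew fails if either is missing, so the check takes any number of expected values. The resolver address (1.1.1.1), the 30-second/20-try polling schedule and the sample dig output are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the acme.sh project.
# Confirms that every _acme-challenge TXT value is visible in public DNS
# before running the manual-mode renew, so the renew does not fail on a
# record that has not propagated yet.

# dig_txt NAME [RESOLVER]: print the TXT values of NAME, one per line, without
# the surrounding quotes. A public resolver is used by default (assumption) so
# that a stale negative answer cached on the instance cannot mislead us.
dig_txt() {
    dig +short -t txt "$1" "@${2:-1.1.1.1}" | tr -d '"'
}

# all_present OBSERVED EXPECTED...: OBSERVED is newline-separated TXT output
# (as produced by dig_txt). Succeeds only if every EXPECTED value appears as a
# complete line; -F and -x stop a prefix or a regex metacharacter from matching.
all_present() {
    observed=$1
    shift
    for want in "$@"; do
        printf '%s\n' "$observed" | grep -qxF -e "$want" || return 1
    done
    return 0
}

# wait_for_txt NAME TRIES EXPECTED...: poll until all values are visible or
# TRIES attempts (30 s apart, assumption) are exhausted.
wait_for_txt() {
    name=$1
    tries=$2
    shift 2
    n=0
    while [ "$n" -lt "$tries" ]; do
        if all_present "$(dig_txt "$name")" "$@"; then
            return 0
        fi
        n=$((n + 1))
        sleep 30
    done
    return 1
}

# Constructed sample of dig_txt output (not real DNS data): the two challenge
# values for the apex and wildcard names, plus a truncated line that must not
# count as a match.
SAMPLE_TXT_OUTPUT='9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
second-challenge-value-for-the-wildcard-name
9ihDbjYfTExAYeDs4DBUeuTo18'

# Only acts when invoked with --run, e.g.:
#   sh check_txt.sh --run _acme-challenge.example.com VALUE1 VALUE2
if [ "${1-}" = "--run" ]; then
    shift
    name=$1
    shift
    if wait_for_txt "$name" 20 "$@"; then
        "$HOME/.acme.sh/acme.sh" --renew -d example.com \
            --yes-I-know-dns-manual-mode-enough-go-ahead-please
    else
        echo "TXT records for $name not visible after 10 minutes; not renewing" >&2
        exit 1
    fi
fi
```

The script calls ~/.acme.sh/acme.sh by path because the alias the installer adds to your profile is not available to a non-interactive script.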

Automatic mode

If your DNS provider supports API keys, you can opt for automatic mode. acme.sh then also takes care of renewal: the cron job it installed renews the certificate every 60 days, well before the 90-day certificate lifetime runs out. Visit the acme.sh dnsapi wiki (https://github.com/acmesh-official/acme.sh/wiki/dnsapi) for the details relevant to your DNS provider. I'm taking GoDaddy as an example.

  1. Log in to your DNS provider and create production API keys.

Copy the key and secret to a safe place; once you close the window, you cannot view the secret again. Treat them like a password: they give full control over every DNS record in the account, which is enough to obtain certificates for any of your domains, so keep them out of source control and world-readable files.

2. Log in to the AWS EC2 instance from the terminal and export the API keys as environment variables. The variable names differ for each DNS provider. acme.sh saves them to ~/.acme.sh/account.conf after the first successful run and reuses them for renewals, so keep that file readable only by the user that runs acme.sh. Note that anything you type at the prompt, including these exports, ends up in your shell history.

export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export GD_Secret="asdfsdafdsfdsfdsfdsfdsafd"

3. Run the following command to issue the certificate

$ acme.sh --issue --dns dns_gd -d example.com -d '*.example.com'

It will verify the keys, add the TXT record(s) for your domain through the API, delete them once ownership is verified, and download the certificate from Let's Encrypt.

The command places the certificate and the private key under ~/.acme.sh/example.com/ (for ec2-user, /home/ec2-user/.acme.sh/example.com/):

/home/ec2-user/.acme.sh/example.com/example.com.key (private key)
/home/ec2-user/.acme.sh/example.com/example.com.cer (leaf certificate only)
/home/ec2-user/.acme.sh/example.com/fullchain.cer (leaf certificate plus intermediate chain)

Point your Apache/nginx configuration at the key and at fullchain.cer, not example.com.cer: nginx's ssl_certificate must include the intermediate chain, otherwise many clients reject the connection with an incomplete-chain error. The acme.sh README also asks you not to reference files inside ~/.acme.sh directly, because that folder's layout is internal and may change; the supported way is acme.sh --install-cert, which copies the key and full chain to paths you choose and records a reload command. If you do reference them directly, the nginx config looks like this:

#...
http {
    #...
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        root /usr/share/nginx/html;
        # full chain (leaf + intermediate), not the bare leaf certificate
        ssl_certificate     "/home/ec2-user/.acme.sh/example.com/fullchain.cer";
        ssl_certificate_key "/home/ec2-user/.acme.sh/example.com/example.com.key";
        #...
    }
}

Don't forget to test the configuration and reload the server so the changes take effect:

$ sudo nginx -t && sudo service nginx reload
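The automatic-mode steps above, put together into one script as an added example (this is not from the original post or the acme.sh project). It differs from the walkthrough in two ways a practitioner would want: the GoDaddy keys are read from a root-only file instead of being exported by hand, so they never land in shell history, and the certificate is handed to nginx with acme.sh --install-cert, which copies the key and full chain to /etc/nginx/ssl and records a reload command that acme.sh re-runs after every automatic renewal. The script assumes it runs as root (for example after sudo -i) with acme.sh installed as root, since writing under /etc/nginx and reloading nginx need root; the credentials file path, /etc/nginx/ssl and the reload command are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the acme.sh project.
# Automatic-mode issuance for example.com + *.example.com with the GoDaddy
# API keys loaded from a root-only file, then --install-cert so nginx serves
# a copy under /etc/nginx and is reloaded after each renewal.
# Assumptions: run as root, acme.sh installed as root, and CREDS_FILE holds
# exactly two lines:
#   GD_Key=...
#   GD_Secret=...
CREDS_FILE=/root/.godaddy-acme.env      # assumption: pick any root-only path
CERT_DIR=/etc/nginx/ssl                 # assumption: where nginx will read from
ACME="$HOME/.acme.sh/acme.sh"           # where get.acme.sh installs the script

# load_dns_creds FILE: refuse a group- or world-readable file, then export the
# variables the dns_gd hook reads (GD_Key, GD_Secret). Returns non-zero on any
# problem so the caller never proceeds with missing or exposed credentials.
load_dns_creds() {
    f=$1
    [ -f "$f" ] || { echo "credentials file $f not found" >&2; return 1; }
    # GNU stat first, BSD stat as fallback; either yields e.g. "600"
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f has mode ${mode:-?}; expected 600 or 400" >&2; return 1 ;;
    esac
    set -a          # export everything the file assigns
    . "$f"
    set +a
    if [ -z "${GD_Key-}" ] || [ -z "${GD_Secret-}" ]; then
        echo "GD_Key and GD_Secret must both be set in $f" >&2
        return 1
    fi
}

# issue_and_install DOMAIN: issue (or skip if not yet due) and install files.
issue_and_install() {
    domain=$1
    mkdir -p "$CERT_DIR" && chmod 700 "$CERT_DIR" || return 1
    "$ACME" --issue --dns dns_gd -d "$domain" -d "*.$domain"
    rc=$?
    # acme.sh exits 2 when the existing certificate is not yet due for renewal;
    # that is not an error for this script
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return "$rc"
    # Copy key + full chain out of ~/.acme.sh (internal layout, may change) and
    # record the reload command; acme.sh repeats both on every renewal.
    "$ACME" --install-cert -d "$domain" \
        --key-file       "$CERT_DIR/$domain.key" \
        --fullchain-file "$CERT_DIR/$domain.fullchain.cer" \
        --reloadcmd      "nginx -t && service nginx reload"
}

# Only acts when invoked with --run, e.g.:  sh issue_gd.sh --run example.com
if [ "${1-}" = "--run" ]; then
    load_dns_creds "$CREDS_FILE" && issue_and_install "$2"
fi
```

With this in place, ssl_certificate and ssl_certificate_key in the nginx config point at /etc/nginx/ssl/example.com.fullchain.cer and /etc/nginx/ssl/example.com.key rather than into ~/.acme.sh, and the reload command keeps a broken config from being loaded after a renewal because nginx -t fails first.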

All done.

Feedback

Feedback is important to help me understand how I can improve and bring more useful material. Please clap for this article or comment here.
