
Let’s Encrypt on AWS Lightsail the Right Way

Warning: This post is over 365 days old. The information may be out of date.

Make use of the free SSL certificates provided by Let’s Encrypt, the right way. So you may wonder: the right way? What’s wrong with the original instructions from AWS? Well, they are outdated, and since Let’s Encrypt certificates expire every 90 days you would have to go through the AWS instructions at least once every 3 months. Yes, that is what AWS recommends at the end of its article! Trust me, you will quickly forget about this routine, and it’s 2021: we can automate pretty much anything. In fact, Let’s Encrypt recommends the latest certbot, which makes renewing certificates a breeze.

By the end of this post you’ll have set up new SSL certificates that renew automatically, once every 2 months, without you touching the server.

Without any further ado, let’s get encrypted!

Let’s Encrypt certificates are valid for 90 days. Certificates can be renewed 30 days before they expire. To renew the Let’s Encrypt certificates, run the original command used to obtain them. Repeat the steps in the Request a Let’s Encrypt SSL wildcard certificate section of this tutorial. –AWS Lightsail documentation

Install snap

Certbot recommends that most users install certbot using snap. If you don’t have snap installed yet, refer to https://snapcraft.io/docs/installing-snapd/ for instructions. If snap is already installed (as it is on Ubuntu), make sure the core snap is up to date:

sudo snap install core; sudo snap refresh core

Remove outdated certbot packages

To make sure the new certbot won’t conflict with its ego from the past, remove any former installation of certbot or certbot-auto from your system. Typically this can be done with one of the following commands:

# Ubuntu
$ sudo apt-get remove certbot

# Fedora
$ sudo dnf remove certbot

# CentOS / RHEL
$ sudo yum remove certbot

Installing certbot using snap

I’ll keep it simple and straightforward:

sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot      # so a plain "certbot" works for you and for cron
sudo snap set certbot trust-plugin-with-root=ok    # required before any DNS plugin snap can be installed

Optionally: Install the certbot DNS plugin

Since we’re on AWS anyway, let’s use Route53 so certbot can create the DNS TXT records that prove we control the domain (the dns-01 challenge). Certbot does not ship with the Route53 plugin, so install it separately:

sudo snap install certbot-dns-route53

Certbot supports quite a lot of DNS plugins that automate the verification records for other providers. Refer to https://certbot.eff.org/docs/using.html#dns-plugins for an up-to-date overview.

Optionally: Create an AWS IAM policy and Route53 credentials

Think about it for a second. We’re going to set up a process that renews your SSL certificates automatically, so certbot needs programmatic access to your DNS records. With Route53 that means an IAM user with access keys, which the plugin reads from an AWS config file in the home directory of the user certbot runs as: /home/johndoe/.aws/config if you run it as johndoe, /root/.aws/config if you run it through sudo (as the commands further down do). Note that long-lived access keys on disk are neither best practice nor particularly secure; Lightsail instances don’t support IAM instance roles the way EC2 does, so at least restrict the key to the one hosted zone it needs (the IAM policy is documented at https://certbot-dns-route53.readthedocs.io/en/stable/) and make the file readable only by its owner. Storing the credentials more securely than that is out of scope for this post.

mkdir -p ~/.aws && touch ~/.aws/config && chmod 600 ~/.aws/config

Once you have created the config file, open it up in your favorite editor and add the following lines:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Make sure you replace the access key ID and secret access key with your own. If you want to know how to create these, refer to https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html and https://certbot-dns-route53.readthedocs.io/en/stable/
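The two things the paragraph above asks for, a key scoped to a single hosted zone and a credentials file nobody else can read, as a shell script. This is an added example, not code from the original post: the policy document mirrors the one the certbot-dns-route53 plugin documents (ListHostedZones and GetChange cannot be limited to a zone, ChangeResourceRecordSets can and is), while the hosted zone ID, the key values and the target directory are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Writes a least-privilege IAM
# policy for certbot-dns-route53 and creates the AWS config file with
# owner-only permissions. Zone ID, keys and paths are placeholders.
set -eu

# Emit the IAM policy document on stdout. ListHostedZones/GetChange are
# account-level actions; only ChangeResourceRecordSets is zone-scoped.
route53_policy() {
  local zone_id="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/${zone_id}"]
    }
  ]
}
EOF
}

# Create <dir>/config holding the access key. Refuses to overwrite an
# existing file and never leaves the secret group- or world-readable.
write_aws_config() {
  local dir="$1" key_id="$2" secret="$3"
  [ -e "$dir/config" ] && { echo "refusing to overwrite $dir/config" >&2; return 1; }
  mkdir -p "$dir"
  chmod 700 "$dir"
  ( umask 077; printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
      "$key_id" "$secret" > "$dir/config" )
  chmod 600 "$dir/config"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback) for checks.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage, assuming Z0123456789ABCDEF is the hosted zone of example.com and
# certbot runs as root, so the file belongs in /root/.aws:
#   route53_policy Z0123456789ABCDEF > certbot-route53-policy.json
#   aws iam create-policy --policy-name certbot-route53 \
#       --policy-document file://certbot-route53-policy.json
#   sudo -i   # then: write_aws_config /root/.aws AKIA... wJalr...
```

Attach the created policy to a dedicated IAM user whose only purpose is certbot; if the key ever leaks, the blast radius is one hosted zone’s records, not your account.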

Obtaining a valid SSL certificate

So now it’s time to request a valid SSL certificate. With the Route53 plugin this is a single command. Run it with sudo (certbot writes to /etc/letsencrypt), and add a second -d '*.example.com' if you want the wildcard certificate the AWS article talks about:

sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d example.com

If all went well, certbot reports where it stored the certificate: /etc/letsencrypt/live/example.com/ contains fullchain.pem (certificate plus intermediates) and privkey.pem. These are the files Apache, or whatever web server you use, needs. Bitnami’s Apache expects them at /opt/bitnami/apache2/conf/server.crt and server.key, and certbot knows nothing about that layout, so symlink the files from /etc/letsencrypt rather than copying them: a copy goes stale after the next renewal, while /etc/letsencrypt/live always points at the current certificate.

sudo ln -s /etc/letsencrypt/live/example.com/privkey.pem /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/letsencrypt/live/example.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt

Restart apache afterward:

sudo /opt/bitnami/ctlscript.sh restart apache

If you want to test a renewal, you can do so by running:

sudo certbot renew --dry-run

This runs the whole renewal against the Let’s Encrypt staging environment, including the Route53 DNS challenge, without touching your real certificate. If it fails here, it will fail at 3:59 AM in two months too, so fix it now.

Automate it all

Perhaps the most important step of all. I’m using a cronjob to renew the certificates. Certbot needs root to write to /etc/letsencrypt and to restart Apache, so the job belongs in root’s crontab: run sudo crontab -e, which opens an editor where you can enter the following schedule.

# m h  dom mon dow   command
59 3 1 */2 * certbot renew --deploy-hook "/opt/bitnami/ctlscript.sh restart apache"

This runs certbot renew at 3:59 AM on the first day of every second month, roughly every 60 days, which falls inside the 30-day renewal window, so the certificate is renewed on every run. Two caveats. First, certbot renew only replaces certificates that are within 30 days of expiry, so running it more often costs nothing; a schedule this sparse, on the other hand, leaves no retry if that one run fails (a Route53 hiccup, a revoked access key) before the certificate expires. Certbot itself recommends running renew twice a day, and the certbot snap already installs a systemd timer (snap.certbot.renew.timer, see systemctl list-timers) that does exactly that. Second, whichever scheduler you use, keep the deploy hook: a --deploy-hook passed to certonly is saved in the certificate’s renewal configuration, and an executable script dropped into /etc/letsencrypt/renewal-hooks/deploy/ runs after every successful renewal on the host.
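A deploy hook does more for you than the inline ctlscript call above: it can check that certbot actually produced the files before Apache is bounced, refresh the symlinks so the Bitnami layout stays correct, and stay quiet when some other certificate on the host was renewed. The script below is an added example, not code from the original post. Certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal and exports RENEWED_LINEAGE (the live directory of the renewed certificate) and RENEWED_DOMAINS (space-separated); the Bitnami paths and example.com match the post, and the file name bitnami-apache.sh is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): certbot deploy hook for the
# Bitnami Apache layout. Install as
# /etc/letsencrypt/renewal-hooks/deploy/bitnami-apache.sh, chmod 755.
# Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS when it runs this.
set -eu

APACHE_CONF="${APACHE_CONF:-/opt/bitnami/apache2/conf}"
CTLSCRIPT="${CTLSCRIPT:-/opt/bitnami/ctlscript.sh}"
WANTED_DOMAIN="${WANTED_DOMAIN:-example.com}"

# Return 0 when the renewed certificate covers the domain this host serves,
# so a renewal of some other certificate does not restart Apache.
renewal_matches() {
  local domains="$1" wanted="$2" d
  for d in $domains; do
    [ "$d" = "$wanted" ] && return 0
  done
  return 1
}

# Point server.key/server.crt at the lineage. ln -sfn replaces an existing
# link instead of creating a link inside it, so re-running is safe. Refuse
# to touch anything if certbot did not leave both files behind.
install_cert() {
  local lineage="$1" conf="$2"
  [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || {
    echo "missing privkey.pem or fullchain.pem in $lineage" >&2; return 1; }
  mkdir -p "$conf"
  ln -sfn "$lineage/privkey.pem" "$conf/server.key"
  ln -sfn "$lineage/fullchain.pem" "$conf/server.crt"
}

# Restart Apache through the Bitnami control script, failing loudly (and
# therefore visibly in certbot's log) if the script is not where expected.
restart_apache() {
  [ -x "$CTLSCRIPT" ] || { echo "$CTLSCRIPT not found, Apache not restarted" >&2; return 1; }
  "$CTLSCRIPT" restart apache
}

main() {
  renewal_matches "${RENEWED_DOMAINS:-}" "$WANTED_DOMAIN" || exit 0
  install_cert "$RENEWED_LINEAGE" "$APACHE_CONF"
  restart_apache
}

# Only act when invoked by certbot; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

With the hook in place the cron line (or the snap’s timer) only needs to run certbot renew; the restart and the symlink maintenance travel with the certificate rather than with whoever remembers to type them.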

That’s all!