Recently I introduced Let’s Encrypt on my EC2 instance so this is the record for the future. I have nginx as web server but the setting procedures were quite straightforward and easy with Certbot. One thing unique on Amazon Linux is you have to add --debug option to run some of the commands.

System Information

$ cat /etc/os-release
NAME="Amazon Linux AMI"
VERSION="2016.09"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2016.09"
PRETTY_NAME="Amazon Linux AMI 2016.09"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2016.09:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
$ cat /proc/version
Linux version 4.4.41-36.55.amzn1.x86_64 (mockbuild@gobi-build-60008) 
(gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Wed Jan 18 01:03:26 UTC 2017

Installation

First you should check this page. I ended up choosing Nginx and CentOS6 for my case. The commands below are basically from that instruction.

$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
$ sudo /usr/local/bin/certbot-auto --nginx --debug
......
Total download size: 67 M
Is this ok [y/d/N]: y
Downloading packages:
......
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): YOUREMAIL@EXAMPLE.COM
......
Please read the Terms of Service at
......
(A)gree/(C)ancel: A
......
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: y-mzt.info
2: www.y-mzt.info
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
......
Deployed Certificate to VirtualHost /etc/nginx/conf.d/virtual.conf for set(['alias', 'www.y-mzt.info', 'y-mzt.info'])
......
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
......
Congratulations! You have successfully enabled https://y-mzt.info and
https://www.y-mzt.info
......

Setup Auto Renewal

Certificates from Let’s Encrypt expire in 90 days. You wouldn’t want to renewal your certificate 4 times a year. But fortunately we can automate it. Following this Certbot page (See “Automating renewal” section) , I setup my cron so that the cert automatically gets updated.

$ sudo crontab -l
# Renew Let's Encrypt twice per day as recommended here
# https://certbot.eff.org/all-instructions/ ("Automating renewal")
15 */12  * * * /usr/local/bin/certbot-auto renew --no-self-upgrade --debug