LE on AWS EC2 AMI for Beginners

Go ahead. Chuckle. Actually not THAT beginner, but stuck.

I’m in the midst of a moderate learning curve, transitioning from shared hosting to AWS. Right now dealing with one very small Joomla site that seems to be working fine after having been transferred over to AWS. It seemed like a good place to take a stab at adding a LE certificate.

I mean, how hard can it be?

As far as LE, I started with the https://letsencrypt.org/getting-started/ page, and ran into a brick wall! (see here for more discussion on that)

After the requisite round of Googling, and after much trial and error, mixing bits and pieces of suggested CLI stuff from various allegedly complete “how-to” pages, I have four .pem files in place under /etc/letsencrypt/live/{mydomain}/

cert.pem chain.pem fullchain.pem privkey.pem

It’s my understanding that there now needs to be another step to make this whole thing work (with apache?), and then one more to set up autorenewal. (cron?) And that is where I’m stalled.

Everything that I’ve tried, and honestly I’ve lost track of much of it, has failed to move things ahead.

Assuming I’m using CLI, exactly what command should I do next, and where in the whole directory structure should I be when I do it? (Yes, I still sometimes get a bit lost when wandering around looking for stuff.)

I feel like I’m about half way there, and would be delighted to figure out the last couple of steps.

Followup: Returned to one of the pages I found yesterday. Just tried:

/opt/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos && apachectl graceful

and got:

letsencrypt: error: File not found: /etc/letsencrypt/config.ini

Followup #2: Tried

echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini

And it has created the config.ini file. The renew command now works.

I swear I ran that yesterday and it did nothing.

Followup #3: Based on this Amazon tutorial I did these:

sudo yum install -y mod24_ssl
sudo service httpd restart

Which seem to have done what they say. Still haven’t found the missing link.

I’m not certain what your exact question is. If you’re looking for the steps needed to make your existing apache configuration use SSL, I’d recommend using Mozilla’s SSL Configuration generator.

Hello pfg. If there are “steps” on that page I can’t see them. I can see that it creates a chunk of code that (I assume) goes into some apache config file somewhere, but that’s where I’m bogged.

(A variation on that is also here)

The obstacle is pretty simple: all of this assumes that the End User (me) knows where the apache config files are located (on an EC2 AMI instance), what they’re called, what needs to be edited within them, and the best route to doing that.

Those are some pretty significant assumptions.

The exact question was: I have four .pem files on my server. What do I need to do to make them functional?

Let’s Encrypt does provide automatic configuration of apache on certain distributions. I haven’t personally tried this on AMI, so you’d have to do some testing there first. If you’re not familiar with apache’s configuration syntax, I’d recommend investigating that option (i.e., consider switching to a distribution that fully supports auto-configuration if that’s not the case on AMI).

These things are slightly different on every distribution (there’s no “apache configuration standard”), which is why it’s hard to provide specific instructions for every OS out there. If we take a look at the documentation AWS provides (the one you linked), it looks like AMI has a centralized ssl.conf file at /etc/httpd/conf.d/ssl.conf, so you’d add (or edit) the SSL directives in there. On other distributions, you usually have dedicated files for every <VirtualHost> your web server has, and in that case you’d add the SSL directives there.

There are no actual "steps" on that page, unfortunately; it assumes you just needed the configuration snippets to add to an already functioning Apache config.

Keep in mind that there are no special considerations or special settings that Apache needs to use Let's Encrypt. They're just certificates like any other. When I originally set up my websites (mail with roundcube, ownCloud for cloud services) I used self signed certificates. When I started using Let's Encrypt, I used the client to simply generate certificates (using "certonly") and then I manually adjusted my Apache config to point to my new certs instead of my old. No further changes were required.

There are plenty of guides online about configuring Apache. Sorry to be vague, but this forum is about Let's Encrypt issues and guides, not generic Apache setups.

That said, I hope I can point you in the right direction!

I'm running FreeBSD, so Apache's config files are arranged a bit differently than they are on many Linux systems, so don't take what I'm saying too literally (as I said, I'm hoping to point you in the right direction rather than give you a step-by-step guide).

Did you create your certificates with "certonly" or did you use the "--apache" plugin? That makes a big difference on how to proceed. (I used certonly since I don't like my configurations being messed with!) I'm going to assume you used "certonly" since the client would have otherwise configured Apache for you.

You need to edit three main Apache files (or two if you only have one site). First is httpd.conf. That needs to be configured to suit your system (server hostname, server admin, etc). There are plenty of guides online to help with that.

Next will be named something like ssl.conf and (for me) it's under the "extras" subdirectory. This is where the default setup for SSL is placed. It will also point to your default SSL website (that is, what people see if they enter an IP as opposed to your domain name). This is where you tell Apache your certificate locations, stapling settings, cipher suites, etc. Again, lots of guides online.

Lastly you need to set up your vhosts file(s). Not sure where to look on your system, but on mine it's under the "extras" subdirectory and is called something like http-vhosts.conf. It's basically similar to the defined website part of ssl.conf, except you can have multiple websites defined. The "servername" decides what site gets served and what certificates it uses for each site.

The other consideration is keeping your certificates renewed. You don't need to specify "config.ini" when renewing - when creating the certificates, the Let's Encrypt client saves your settings and uses them again to renew. You should only need to specify "letsencrypt renew" and the client will check your certs, and renew them if they have less than 30 days to expire. Apart from the "live" directory under letsencrypt, there's also a "renew" directory. This is where the settings used to create certificates are saved. Once created, you don't need to specify the ini or agree to the TOS, since you've already done that!

I hope that helps clarify what you need to focus on. If you're still having issues, you might want to try getting Apache working without SSL. Once you've demonstrated your Apache config is working and serving pages, then you can focus on configuring SSL. When you do everything at once, you never know what the problem is!
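To make the answer above concrete, here is an added helper script (not code from the thread or from the Let's Encrypt client) that checks the four .pem files, prints the Apache directives that point at them, verifies the key matches the certificate, and only reloads httpd after a config test. LIVE_DIR and the domain are placeholders; the ssl.conf path is the Amazon Linux one mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check a Let's Encrypt "live" dir,
# print the Apache directives that point at it, reload httpd only if the
# config parses. LIVE_DIR is a placeholder; set it to your own domain's dir.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
# Succeed only if the four files the thread lists are present and readable.
check_live_dir() {
  dir="$1"
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; return 1; }
  done
}
# Directives for the <VirtualHost *:443> block (/etc/httpd/conf.d/ssl.conf on
# Amazon Linux, a per-site vhost file elsewhere). Apache 2.4.8+ also accepts
# fullchain.pem alone in SSLCertificateFile; this form works on older mod_ssl.
ssl_directives() {
  dir="$1"
  printf 'SSLEngine on\n'
  printf 'SSLCertificateFile %s/cert.pem\n' "$dir"
  printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$dir"
  printf 'SSLCertificateChainFile %s/chain.pem\n' "$dir"
}
# privkey.pem must be the key for cert.pem; a mismatch stops httpd starting
# and looks like a config typo. Compares public keys, so RSA or EC both work.
key_matches_cert() {
  dir="$1"
  c=$(openssl x509 -noout -pubkey -in "$dir/cert.pem" 2>/dev/null)
  k=$(openssl pkey -pubout -in "$dir/privkey.pem" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# Test the config before the graceful restart (the step the vim mishap skipped).
# The same guard belongs in the renewal cron line, e.g.:
#   0 3 * * * /opt/letsencrypt/letsencrypt-auto renew \
#       && apachectl configtest && apachectl graceful
safe_reload() {
  apachectl configtest && apachectl graceful
}
main() {
  check_live_dir "$LIVE_DIR" || exit 1
  ssl_directives "$LIVE_DIR"
  if command -v openssl >/dev/null 2>&1; then
    key_matches_cert "$LIVE_DIR" || { echo "key/cert mismatch" >&2; exit 1; }
  fi
  safe_reload
}
[ "${1:-}" = run ] && main
```

Run it as `sh check-le.sh run` on the server; paste the printed directives into the 443 VirtualHost and re-run to confirm the reload succeeds.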

Apache was already serving up pages just fine before I started this adventure.

By way of more follow-up, after looking at https://mozilla.github.io/server-side-tls/ssl-config-generator/ and https://ivopetkov.com/b/let-s-encrypt-on-ec2/, I opted to try the second, simpler-looking one, and edited my ssl.conf to match (with my own specifics, of course), then restarted apache.

Figured out that Filezilla didn’t upload the new ssl.conf. Edited it instead in vim (yikes!) and promptly had a server that wouldn’t start.

Let’s hear it for saving previous versions.

I’ve got another project lined up, and may try a new from scratch LE installation and see if I can scope out what went awry.