What is Let’s Encrypt?

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.

Getting Started

Before following this tutorial, be sure to configure your EC2 instance with an Elastic IP and attach a standard domain name to it. When you visit the domain name you should see your EC2 site, but the URL will still begin with HTTP.


Installation

Install the Let’s Encrypt scripts. Replace something.com with your domain name.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly -w /home/bitnami/htdocs -d something.com

-w is where your webroot is located, and each -d flag names a domain that you want to secure. You can secure multiple domains, such as this.something.com, by repeating the -d flag.

The certificate files are written to /etc/letsencrypt/live.

Now update Apache to use the new certificates.

sudo vim /home/bitnami/stack/apache2/conf/bitnami/bitnami.conf

Comment out the default SSL Certificate lines so that you are left with the following 3 lines.

SSLCertificateFile "/etc/letsencrypt/live/something.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/something.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/something.com/fullchain.pem"

Restart the LAMP stack.

sudo /opt/bitnami/ctlscript.sh restart

Now when you visit your site you will see the green padlock and SSL working.

Renewal Command

To renew your Let’s Encrypt certificate, change to the directory where you installed the Let’s Encrypt client and run:

./letsencrypt-auto renew

Then restart your web server and you should see the renewed certificate being served to your site visitors.
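
The renew-then-restart steps above can be combined so that the stack is restarted only when the certificate on disk actually changed. The script below is an added example, not part of the original tutorial or of the Let’s Encrypt client. It assumes the client was cloned into $HOME/letsencrypt and that it runs as a user able to read /etc/letsencrypt/live; the variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example: renew, then restart the Bitnami stack only if the
# certificate on disk changed. Paths follow this tutorial and can be
# overridden through the environment.
DOMAIN="${DOMAIN:-something.com}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"
CLIENT_DIR="${CLIENT_DIR:-$HOME/letsencrypt}"   # assumed clone location
RENEW_CMD="${RENEW_CMD:-./letsencrypt-auto renew}"
RESTART_CMD="${RESTART_CMD:-sudo /opt/bitnami/ctlscript.sh restart}"

# Print a checksum of the certificate currently on disk (the live/
# symlink is followed); fail if the file cannot be read.
cert_sum() {
    [ -r "$LIVE_DIR/cert.pem" ] || return 1
    cksum < "$LIVE_DIR/cert.pem"
}

# Returns 0 if the certificate was renewed and the server restarted,
# 1 if nothing changed, 2 on any failure.
renew_and_restart() {
    before=$(cert_sum) || { echo "cannot read $LIVE_DIR/cert.pem" >&2; return 2; }
    ( cd "$CLIENT_DIR" && $RENEW_CMD ) || { echo "renew failed" >&2; return 2; }
    after=$(cert_sum) || return 2
    if [ "$before" = "$after" ]; then
        echo "certificate unchanged; not restarting"
        return 1
    fi
    $RESTART_CMD || { echo "restart failed" >&2; return 2; }
    echo "certificate renewed; web server restarted"
    return 0
}

# Does nothing unless invoked with the argument "run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    renew_and_restart
    exit $?
fi
```

A failed renewal returns 2 and leaves the running server untouched, so a scheduled job can alert on that exit code before the current certificate expires.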