To Nha Notes | June 24, 2021, 9:20 a.m.
Prerequisites:
First, enable the EPEL repository on the Amazon EC2 instance (CentOS, RHEL, or Amazon Linux). On RHEL 7 this means installing the EPEL release package and then enabling the repository.
Amazon Linux 2:
sudo amazon-linux-extras install epel -y
Amazon Linux Amazon Machine Image (AMI):
The EPEL repository is already installed on the original version of Amazon Linux, but you must enable it. You can enable this repository either by using the yum-config-manager command or by editing the epel.repo file.
sudo yum-config-manager --enable epel
Other OSs:
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-enable-epel/
Install and configure Let's Encrypt:
Install Certbot:
$ sudo yum install certbot python2-certbot-nginx   # Nginx server
$ sudo yum install certbot python2-certbot-apache  # Apache server
Issue a certificate for the domain:
$ sudo certbot certonly \
--manual \
--manual-public-ip-logging-ok \
-d EXAMPLE.com \
-d '*.EXAMPLE.com' \
--cert-name EXAMPLE.com \
-m nospam@EXAMPLE.com \
--preferred-challenges dns-01 \
--agree-tos \
--debug
The script then asks you to serve the following static file from the web server that handles this domain:
Create a file containing just this data:
6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs.DvlS7uE_FtqZ_uuTi7f91HeKHJSfE3_oLCqFZVwSpDY
And make it available on your web server at this URL:
http://sample.com/.well-known/acme-challenge/6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs
(This must be set up in addition to the previous challenges; do not remove, replace, or undo the previous challenge tasks yet.)
To do that, add the following sample config to the port-80 server block in nginx.conf and restart nginx.
location /.well-known/acme-challenge/6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs {
    # default_type sets the Content-Type of the inline response; add_header would
    # append a second Content-Type header next to the one nginx already sends.
    default_type text/plain;
    return 200 "6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs.DvlS7uE_FtqZ_uuTi7f91HeKHJSfE3_oLCqFZVwSpDY";
}
Then press Enter to continue, and follow the remaining instructions.
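As an added example (not part of the original notes), the Python script below automates the step above: it parses the challenge prompt certbot prints, checks that the token in the URL matches the key authorization, renders the nginx location block, and compares a fetched response body with the expected value before you press Enter. The prompt text and values embedded as the sample are the ones quoted above, not a live challenge; default_type is used instead of add_header so nginx does not emit two Content-Type headers.

```python
import re

# Constructed sample: the http-01 prompt quoted in the notes above (not a live challenge).
SAMPLE_PROMPT = """Create a file containing just this data:

6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs.DvlS7uE_FtqZ_uuTi7f91HeKHJSfE3_oLCqFZVwSpDY

And make it available on your web server at this URL:

http://sample.com/.well-known/acme-challenge/6ki1X6dQD80oPyTXR2Te3nreRh2vNeRk6vSiHcA7KXs
"""

# Token and account-key thumbprint are base64url without padding.
B64URL = r"[A-Za-z0-9_-]+"
DATA_RE = re.compile(rf"containing just this data:\s*({B64URL}\.{B64URL})")
URL_RE = re.compile(rf"(https?://[^\s/]+)/\.well-known/acme-challenge/({B64URL})")

def parse_prompt(text):
    """Return (token, key_authorization, base_url) or raise if the prompt is inconsistent."""
    m_data, m_url = DATA_RE.search(text), URL_RE.search(text)
    if not (m_data and m_url):
        raise ValueError("not a certbot http-01 challenge prompt")
    keyauth = m_data.group(1)
    base_url, token = m_url.group(1), m_url.group(2)
    # Key authorization is "<token>.<account-key thumbprint>"; the path token must be
    # the same one, otherwise the CA fetches a file whose content can never validate.
    if keyauth.split(".", 1)[0] != token:
        raise ValueError("token in URL does not match key authorization")
    return token, keyauth, base_url

def nginx_location(token, keyauth):
    """Render the port-80 location block. default_type (not add_header) sets the
    Content-Type so nginx does not send two Content-Type headers."""
    return (
        f"location /.well-known/acme-challenge/{token} {{\n"
        "    default_type text/plain;\n"
        f'    return 200 "{keyauth}";\n'
        "}\n"
    )

def body_matches(served_body, keyauth):
    """Check a fetched response body against the expected key authorization before
    pressing Enter; trailing whitespace is tolerated, anything else is a mismatch."""
    return served_body.strip() == keyauth

if __name__ == "__main__":
    token, keyauth, _ = parse_prompt(SAMPLE_PROMPT)
    print(nginx_location(token, keyauth))
```

Feed the body returned by curl for the challenge URL to body_matches before continuing; an HTML error page or a redirect body will fail the check.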
Set web server config (nginx):
ssl_certificate /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;
Cron Settings (CentOS 7 / Amazon Linux 2):
$ sudo vi /etc/crontab
# Let's Encrypt Renewal - Nginx
39 11,23 * * * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "systemctl restart nginx"
# Let's Encrypt Renewal - Apache
39 11,23 * * * root /usr/bin/certbot renew --no-self-upgrade --renew-hook "service httpd restart"
To renew the Let's Encrypt certificate manually, run the following command:
certbot certonly --manual --preferred-challenges dns-01 --agree-tos -d <YOUR_DOMAIN>
Then deploy a DNS TXT record under the name _acme-challenge. with the following generated value:
rFI1Nwk3VzyNHGsFdGbiNGXXXXXXXXXXXXXXXXXXXX
Restart the web server.
From then on, we just run certbot renew && systemctl restart nginx.service to renew the certificate.
The notes below explain in more detail how to install and configure Let's Encrypt on CentOS 7 (Amazon Linux 2).
https://certbot.eff.org/instructions?ws=nginx&os=pip
https://qiita.com/katzueno/items/c2d910a2773c5aa74159
https://dev.to/katzueno/setting-up-let-s-encrypt-on-amazon-linux-2-57l7