Brian Veltman

Journey of a DevOps Engineer

Let’s Encrypt on AWS Lightsail the right way


Making use of free SSL certificates provided by Let’s Encrypt, the right way. So you may wonder: the right way? What’s wrong with the original instructions from AWS?
Well, they are outdated, and since Let’s Encrypt certificates expire every 90 days you would need to go through the AWS instructions at least once every 3 months. Yes, that is what AWS recommends at the end of the article! Trust me, you will quickly forget about this routine, and it’s 2021: we can automate pretty much anything. In fact, Let’s Encrypt recommends the latest certbot, which makes renewing certificates a breeze.

At the end of this post you’ll be able to set up new SSL certificates which automatically renew once every 2 months.

Without any further ado, let’s get encrypted!

Let’s Encrypt certificates are valid for 90 days. Certificates can be renewed 30 days before they expire. To renew the Let’s Encrypt certificates, run the original command used to obtain them. Repeat the steps in the Request a Let’s Encrypt SSL wildcard certificate section of this tutorial.

AWS Lightsail documentation

Install snap

Certbot recommends that most users install it using snap. If you don’t have snap installed on your system yet, please refer to https://snapcraft.io/docs/installing-snapd/ for instructions.
If you already have snap installed (as on Ubuntu), make sure all updates are installed:

$ sudo snap install core; sudo snap refresh core

Remove outdated certbot packages

To ensure certbot won’t conflict with its ego from the past, it’s important to remove any former installations of certbot or certbot-auto from your system.
Typically this can be done using one of the following commands.

# Ubuntu
$ sudo apt-get remove certbot

# Fedora
$ sudo dnf remove certbot

# CentOS / RHEL
$ sudo yum remove certbot

Installing certbot using snap

I’ll keep it simple and straightforward:

$ sudo snap install --classic certbot
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
$ sudo snap set certbot trust-plugin-with-root=ok

Optionally: Install certbot DNS plugin

Since we’re already on AWS, let’s leverage Route53 to automatically create the DNS records that prove ownership of our domain name.
Certbot does not come with a Route53 plugin pre-installed. To install the certbot Route53 plugin, execute:

$ sudo snap install certbot-dns-route53

Certbot supports quite a lot of plugins that automatically update your DNS for verification purposes. Refer to https://certbot.eff.org/docs/using.html#dns-plugins for an up-to-date overview of DNS plugins.

Optionally: Create AWS IAM policy and Route53 ARN

Think about it for a second. We’re going to set up a process that automatically renews your SSL certificates. Therefore certbot needs programmatic access to your DNS records. Since we’re using Route53 this can be done easily by creating IAM security credentials and an AWS config file at /home/johndoe/.aws/config. Note that keeping long-lived access keys in a plaintext file is neither a best practice nor secure; to keep these steps easy to follow, securely storing credentials is out of scope.

$ mkdir -p ~/.aws && touch ~/.aws/config

Once you have created the config file, open it up in your favorite editor and add the following lines:

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Make sure you replace the access key and secret with your own. If you want to know how to create these, please refer to https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/access-control-overview.html and https://certbot-dns-route53.readthedocs.io/en/stable/
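The heading above mentions an IAM policy but the post does not show one, so here is a least-privilege policy for the certbot-dns-route53 plugin (an added example, not from the original post). It grants only the actions the plugin's documentation lists, and the condition block limits record changes to TXT records for the ACME challenge name of example.com; YOURHOSTEDZONEID is a placeholder for your own hosted zone id. Attach it to the IAM user whose keys go into the config file above.

```json
{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53 least-privilege policy",
  "Statement": [
    {
      "Sid": "DiscoverZonesAndPollChanges",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:GetChange"
      ],
      "Resource": "*"
    },
    {
      "Sid": "WriteOnlyAcmeChallengeTxtRecords",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/YOURHOSTEDZONEID",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "_acme-challenge.example.com"
          ]
        }
      }
    }
  ]
}
```

With this policy a leaked key from the config file can only create or delete the challenge TXT record, not rewrite your A or MX records.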

Obtaining a valid SSL certificate

So now it’s time to request a valid SSL certificate. When you use the Route53 plugin this can be easily done with the following command:

$ certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d example.com

If all went well you should have a fullchain.pem and privkey.pem file on your system. These files are needed to configure Apache or any other web server you’re using.
Since certbot does not have access to your server root we need to symlink the certificates from /etc/letsencrypt to /opt/bitnami/apache2/conf (the -f flag replaces any existing file at these paths):

$ sudo ln -sf /etc/letsencrypt/live/example.com/privkey.pem /opt/bitnami/apache2/conf/server.key
$ sudo ln -sf /etc/letsencrypt/live/example.com/fullchain.pem /opt/bitnami/apache2/conf/server.crt

Restart apache afterwards:

$ sudo /opt/bitnami/ctlscript.sh restart apache

If you want to test a renewal, you can do so by running:

$ sudo certbot renew --dry-run

This will test the renewal process, including DNS verification.

Automate it all!

Perhaps the most important step of all. I’m using cronjobs to automate the renewal of certificates.
On Ubuntu you can easily create a cronjob using the crontab -e command. This will open up an editor where you can enter the following schedule.

# m h  dom mon dow   command
59 3 1 */2 * certbot renew && /opt/bitnami/ctlscript.sh restart apache

This will renew all certificates on the system at 3:59 AM on the first day of every second month. Or, roughly said, every 60 days at 3:59 AM.
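As an added example (not part of the original post), here is a small wrapper the cron job can call instead of the bare command above. It uses certbot's --deploy-hook so Apache is only restarted when a certificate was actually replaced, checks how many days the served certificate has left before and after the run, and exits non-zero (so cron mails you) if the certificate is still inside certbot's default 30-day renewal window afterwards. It assumes GNU date -d, openssl, and the Bitnami paths used in this post; the script name renew-certs.sh is hypothetical.

```shell
#!/bin/sh
# Renewal wrapper for the cron job above (added example, not from the original post).
# Assumes GNU `date -d`, openssl, and the Bitnami paths used in the post.
set -eu

CERT="${CERT:-/opt/bitnami/apache2/conf/server.crt}"
RENEW_BEFORE_DAYS=30   # certbot's own default renewal window

# days_left "notAfter=<date>" [now_epoch]
# Takes the line printed by `openssl x509 -noout -enddate` and prints the number
# of whole days remaining (negative once the certificate has expired).
days_left() {
    not_after="${1#notAfter=}"
    now="${2:-$(date +%s)}"
    exp=$(date -u -d "$not_after" +%s)
    echo $(( (exp - now) / 86400 ))
}

# renewal_due DAYS: succeeds when the certificate is inside the renewal window.
renewal_due() {
    [ "$1" -lt "$RENEW_BEFORE_DAYS" ]
}

cert_days_left() {
    days_left "$(openssl x509 -in "$CERT" -noout -enddate)"
}

main() {
    before=$(cert_days_left)
    echo "before renew: $before days left on $CERT"
    # `certbot renew` only replaces certificates that are inside the window, so it is
    # safe to run daily; --deploy-hook restarts Apache only when something was renewed.
    certbot renew --quiet --deploy-hook '/opt/bitnami/ctlscript.sh restart apache'
    after=$(cert_days_left)
    echo "after renew: $after days left on $CERT"
    # Fail loudly (cron mails a non-zero exit) if the served certificate is still due.
    if renewal_due "$after"; then
        echo "ERROR: $CERT still expires in $after days; check certbot logs" >&2
        exit 1
    fi
}

# Only run the full procedure when invoked as `renew-certs.sh --run`,
# so the helper functions can also be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because certbot renew is a no-op outside the window, the wrapper can be scheduled daily rather than bimonthly without ever issuing an unnecessary certificate.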

That’s all!