Setting up a Free SSL/TLS Certificate on AWS EC2 and other Servers
A few months ago, I set up an AWS Free Tier account and started exploring AWS services. After gaining some familiarity with EC2, RDS and S3, I decided to host my Laravel project on EC2. So, I registered a domain with GoDaddy and hosted it on the EC2 instance of my AWS account. So far so good.
Next, it was time to demo the alpha version of the website to an outsider. Though the application was still in alpha, it would look unprofessional if the browser address bar displayed “Your connection to this site is not secure.”
SSL Certificate Price
As my domain registrar is GoDaddy, I thought it would be easy to buy the SSL certificate from GoDaddy and that its installation on my website would be seamless. I was a little surprised at the cost of the SSL certificates shown on the GoDaddy website. (The cheapest I could find was CAD 56/year with a 2-year term.) Later, I learnt that a certificate can be bought from any certificate authority, and a web search gave me a price range from $10 to $699/year!
Next, when I searched for instructions to install an SSL certificate on my website, it scared me: every tutorial and YouTube video had a different set of instructions. What if, after paying for the SSL certificate and installing it on my website, it did not work, or, in the worst case, my website went down?
Certbot — The Free and Easy Route
I emailed my problem to my old colleague Andrew St Denis, who is an IT expert, and he told me about Certbot, which provides an easy way to install an SSL certificate free, forever!
Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.
Certbot is made by the Electronic Frontier Foundation (EFF), a 501(c)3 nonprofit based in San Francisco, CA, that defends digital privacy, free speech, and innovation.
Using Certbot to install a Let’s Encrypt Certificate
In case you are not familiar with Let’s Encrypt, it is a nonprofit Certificate Authority providing TLS certificates to 300 million websites. (TLS is the successor to SSL; the name “SSL certificate” has stuck, but the certificates issued today are used for TLS.) Certbot can install a Let’s Encrypt certificate on your website running on AWS EC2 or other servers with software such as Apache, Nginx and Plesk, on systems such as FreeBSD, Ubuntu, CentOS, Bitnami, Windows and Debian. You just select your software and system on the instructions page and get clear, easy-to-follow instructions for installing the Let’s Encrypt certificate on your server.
My Experience with Certbot on AWS EC2 Ubuntu Nginx
My website is hosted on AWS EC2 with Nginx on Ubuntu. When I plugged my software and system details into the instructions page, I received the following instructions:
1. SSH into the server.
2. Install snapd: The instructions link to the snapd installation page. When I checked the link, it said that snapd is already installed on the Ubuntu version my server runs, so I did not have to run this step.
3. Ensure that your version of snapd is up to date: Execute the following on the command line on the machine to ensure that you have the latest version of snapd.
sudo snap install core; sudo snap refresh core
4. Remove certbot-auto and any Certbot OS packages: You need this step only if you have previously installed Certbot some other way (for example the Ubuntu apt package), because two copies of Certbot would fight over the same renewal. Since no Certbot packages were previously installed on my server, I skipped this step.
5. Install Certbot: Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
It displayed the message: certbot 1.31.0 from Certbot Project (certbot-eff✓) installed
6. Prepare the Certbot command: Execute the following on the command line on the machine to ensure that the certbot command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
7. Choose how you’d like to run Certbot: You can either get and install the certificate, or just get the certificate. Since I wanted Certbot to install the certificate for my website, I entered the following command to get a certificate and have Certbot edit my Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
Then I followed the prompts. It asked me to enter my email address, accept the terms of service and choose the domain(s) for the certificate. It then requested the certificate from Let’s Encrypt, received it and deployed it. For this step to succeed, the domain must already resolve to the EC2 instance and port 80 must be open in the instance’s security group, because Let’s Encrypt proves that you control the domain by fetching a challenge file from your server over plain HTTP.
8. Test automatic renewal: Let’s Encrypt certificates are valid for 90 days, and Certbot automatically renews them before they expire through a cron job or systemd timer (the snap package installs the systemd timer snap.certbot.renew.timer, which you can see with systemctl list-timers). To test the automatic renewal process without actually renewing anything, use the following command:
sudo certbot renew --dry-run
9. Confirm that Certbot worked: To confirm that your site is set up properly, visit https://yourwebsite.com/
in your browser and look for the lock icon in the URL bar. When I tested my website, I did see the lock icon in the address bar.
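The lock icon tells you the browser accepted the certificate today; it does not tell you who issued it, which names it covers, or how close it is to the 90-day expiry. The script below is an added example (not part of the original post or of Certbot) that checks those things. Run with a hostname it connects to port 443 using Python’s default TLS context, which validates the chain against the system trust store; run with no arguments it works offline on a constructed certificate dictionary, in the shape ssl’s getpeercert() returns, with illustrative values for app.example.com and a made-up issuer name “R3”.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the values are illustrative and do not come from a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Apr  1 00:00:00 2023 GMT",  # a 90-day lifetime, like Let's Encrypt
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.example.net")),
}

RENEW_THRESHOLD_DAYS = 30  # Certbot's renew considers a cert due below this


def utc(year, month, day):
    """Aware UTC datetime for a calendar date (used for offline checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def issuer_org(cert):
    """organizationName of the issuer, e.g. "Let's Encrypt", or None."""
    for rdn in cert["issuer"]:
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def dns_names(cert):
    """All DNS entries of subjectAltName (the names the cert is valid for)."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def cert_covers(cert, hostname):
    """True if a SAN matches hostname; a wildcard covers exactly one label."""
    hostname = hostname.lower()
    for name in dns_names(cert):
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.count(".") == name.count("."):
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def days_until_expiry(cert, now):
    """Whole days between the aware datetime `now` and the cert's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def needs_renewal(cert, now, threshold=RENEW_THRESHOLD_DAYS):
    """Mirror Certbot's default rule: renew when under `threshold` days remain."""
    return days_until_expiry(cert, now) < threshold


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with the default context (chain validation + hostname check)
    and return the server's leaf certificate as a getpeercert() dictionary."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def report(cert, hostname, now):
    """Summary lines, returned rather than printed so callers can log them."""
    return [
        f"issuer: {issuer_org(cert)}",
        f"covers {hostname}: {cert_covers(cert, hostname)}",
        f"days until expiry: {days_until_expiry(cert, now)}",
        f"renewal due: {needs_renewal(cert, now)}",
    ]


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # live check: python3 check_cert.py app.example.com
        host = sys.argv[1]
        cert = fetch_peer_cert(host)
    else:  # offline demo on the constructed sample
        host, cert = "app.example.com", SAMPLE_CERT
    for line in report(cert, host, datetime.now(timezone.utc)):
        print(line)
```

A live run that raises ssl.SSLCertVerificationError means the browser lock icon was probably showing a cached or intermediate-less chain somewhere else; the default context refuses exactly what a strict client would refuse. Running it from a cron job with a “renewal due” alert is a cheap safety net in case the systemd timer ever stops firing.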
Caution: If your site serves images from AWS S3 through a bucket policy that restricts access by aws:Referer, the images may stop loading after you install the Let’s Encrypt certificate, because the browser now sends an https:// referrer that no longer matches an http:// pattern. If that happens, edit the S3 bucket policy and change the aws:Referer value in the condition from http:// to https://.
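The caution above, as an added example that is not from the original post: a constructed bucket policy (bucket name my-site-images and host app.example.com are assumptions) with the http:// pattern, a function that simulates S3’s StringLike match of the Referer header to show why the https:// page no longer gets its images, and a function that rewrites the pattern the way the caution describes.

```python
import copy
import fnmatch

# Constructed example bucket policy (not from the original post): objects
# are readable only when the browser's Referer matches the site URL pattern.
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSiteImages",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-site-images/*",
            "Condition": {"StringLike": {"aws:Referer": "http://app.example.com/*"}},
        }
    ],
}


def referer_patterns(policy):
    """Every aws:Referer pattern in the policy, in statement order.
    The value may be a single string or a list; both forms are flattened."""
    found = []
    for stmt in policy.get("Statement", []):
        for op_block in stmt.get("Condition", {}).values():
            value = op_block.get("aws:Referer")
            if value is None:
                continue
            found.extend([value] if isinstance(value, str) else value)
    return found


def referer_allowed(policy, referer):
    """Simulate S3's StringLike test of the request's Referer header.
    S3 string conditions use * and ? wildcards, which fnmatch also understands."""
    return any(fnmatch.fnmatchcase(referer, p) for p in referer_patterns(policy))


def upgrade_referer_condition(policy):
    """Return (copy of policy with http:// patterns rewritten to https://,
    number of patterns changed). The input is not modified, the string/list
    shape of each value is preserved, and other conditions are untouched."""
    updated = copy.deepcopy(policy)
    changed = 0
    for stmt in updated.get("Statement", []):
        for op_block in stmt.get("Condition", {}).values():
            value = op_block.get("aws:Referer")
            if value is None:
                continue
            patterns = [value] if isinstance(value, str) else list(value)
            rewritten = []
            for p in patterns:
                if p.startswith("http://"):
                    p = "https://" + p[len("http://"):]
                    changed += 1
                if p not in rewritten:  # don't duplicate an https:// entry already present
                    rewritten.append(p)
            op_block["aws:Referer"] = rewritten[0] if isinstance(value, str) else rewritten
    return updated, changed


if __name__ == "__main__":
    page = "https://app.example.com/gallery"
    after, n = upgrade_referer_condition(POLICY_BEFORE)
    print("before:", referer_patterns(POLICY_BEFORE), "allows", page, "->", referer_allowed(POLICY_BEFORE, page))
    print("after: ", referer_patterns(after), "allows", page, "->", referer_allowed(after, page), f"({n} pattern changed)")
```

Two caveats a practitioner should keep in mind. First, Referer is a header the client chooses to send, so a Referer-conditioned bucket policy is a hotlink deterrent, not access control; anyone can fetch the objects with a forged header. Second, once the site is on HTTPS the browser’s default referrer policy trims cross-origin referrers to the origin (https://app.example.com/), which the https://app.example.com/* pattern still matches, but a stricter Referrer-Policy such as no-referrer would break the images again regardless of the bucket policy.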
10. List installed certificates: If you want to list installed certificates on your server, use the following command:
sudo certbot certificates
11. Manually renew a certificate: To renew a specific installed certificate manually, use sudo certbot renew --cert-name your_domain, e.g. the following command renews the certificate for app.silkweb.ca:
sudo certbot renew --cert-name app.silkweb.ca
Note that renew only renews a certificate that is due (fewer than 30 days to expiry) and otherwise reports that it is not yet due. Adding --force-renewal renews it regardless, but do not make a habit of that: Let’s Encrypt rate-limits how many certificates it issues for the same names.
Conclusion
Enabling HTTPS on my website through Certbot was such a wonderful experience — thanks to Certbot and Let’s Encrypt, who have provided the technology and tools free of charge to average users like me.