I have a site that needs to be set up on AWS EC2 with SSL for my daughter.
We already have some test sites running on that instance, so we set up a VirtualHost for it.
Once it was working on AWS EC2, I added Certbot.
Certbot is available as a package on Amazon Linux, and this site is a subdomain of gxlcs.com, temp.gxlcs.com.
Only a few steps are needed.
1. sudo yum install certbot
2. sudo systemctl start certbot-renew.timer
3. sudo certbot certonly
4. Answer the interactive prompts (my session is shown below):
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): webmaster@gxlcs.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): temp.gxlcs.com
Requesting a certificate for temp.gxlcs.com
Input the webroot for temp.gxlcs.com: (Enter 'c' to cancel):
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
does not exist or is not a directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Input the webroot for temp.gxlcs.com: (Enter 'c' to cancel): /var/www/html/temp
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/temp.gxlcs.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/temp.gxlcs.com/privkey.pem
This certificate expires on 2024-07-11.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5. sudo systemctl is-enabled httpd
If the response is "disabled", run step 6.
6. sudo systemctl start httpd && sudo systemctl enable httpd
7. sudo yum update -y
8. sudo yum install -y mod_ssl
9. Step 8 creates a config file named ssl.conf in /etc/httpd/conf.d/.
10. sudo nano /etc/httpd/conf.d/ssl.conf
11. Set SSLCertificateFile and SSLCertificateKeyFile to the paths where the certificate and key are kept (the fullchain.pem and privkey.pem paths certbot printed in step 4).
12. sudo systemctl restart httpd.service
13. Because we use VirtualHosts, you may also need to update the VirtualHost setup with the DocumentRoot and ServerName for this site.
14. We had already allowed inbound traffic on port 443 in the AWS Console (an inbound rule in the instance's security group), so traffic is not a problem.
15. I use Cloudflare (free plan) to provide security for the site, so we also need to add a CNAME DNS record for it. Open the EC2 instance in the AWS Console and note its public DNS name; that is the value to use in the CONTENT field of the Cloudflare CNAME record.
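The following script is an added example and is not code from the original post or from Certbot. It wraps the checks I would run around steps 3 to 13: it validates the webroot before certbot asks for it (the session above shows what happens when that prompt is answered with an empty path), writes a probe file under .well-known/acme-challenge/ so the HTTP-01 path can be fetched before a certificate is requested, confirms that the fullchain.pem and privkey.pem certbot wrote belong together, and renders the VirtualHost pair with SSLCertificateFile and SSLCertificateKeyFile pointing at /etc/letsencrypt/live/temp.gxlcs.com/. Two things it assumes that the page does not state: mod_rewrite is loaded (it is by default with Amazon Linux httpd), and the config is written as a per-site file in /etc/httpd/conf.d/ instead of being edited into ssl.conf. The file name le-apache.sh is made up for the usage line.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper checks for the
# certbot-webroot + Apache procedure described above.
# Assumptions (not stated on the page): mod_rewrite is loaded and the vhost
# config goes into a per-site file under /etc/httpd/conf.d/.

# Return 0 if WEBROOT can be used for certbot's webroot authenticator.
# An empty or missing path is what produced "does not exist or is not a
# directory" in the session above.
check_webroot() {
    webroot="$1"
    if [ -z "$webroot" ]; then
        echo "webroot is empty" >&2
        return 1
    fi
    if [ ! -d "$webroot" ]; then
        echo "$webroot does not exist or is not a directory" >&2
        return 1
    fi
    return 0
}

# Create the challenge directory and write a probe file into it; prints the
# probe's path. Fetch it over plain HTTP the way the ACME server will, e.g.:
#   curl -fsS "http://$DOMAIN/.well-known/acme-challenge/$(basename "$probe")"
prepare_challenge_dir() {
    check_webroot "$1" || return 1
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    probe="$dir/probe-$$"
    echo "ok" > "$probe" || return 1
    echo "$probe"
}

# Return 0 when fullchain.pem and privkey.pem carry the same public key.
# httpd refuses to start on a mismatch, so run this before step 12's restart.
cert_matches_key() {
    live="/etc/letsencrypt/live/$1"
    c=$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$live/privkey.pem" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Print the VirtualHost pair for DOMAIN served from WEBROOT. Port 80 keeps the
# ACME challenge path reachable (webroot renewal needs it) and redirects
# everything else to HTTPS; port 443 carries the Let's Encrypt files.
render_vhost() {
    domain="$1"; webroot="$2"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $webroot
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $webroot
    SSLEngine on
    SSLCertificateFile $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
</VirtualHost>
EOF
}

# Usage (as root, after certbot has issued the certificate):
#   sh le-apache.sh temp.gxlcs.com /var/www/html/temp > /etc/httpd/conf.d/temp.gxlcs.com.conf
if [ "$#" -eq 2 ]; then
    check_webroot "$2" || exit 1
    cert_matches_key "$1" || { echo "certificate/key mismatch for $1" >&2; exit 1; }
    render_vhost "$1" "$2"
fi
```

Keeping /.well-known/acme-challenge/ on port 80 matters because the certbot-renew.timer from step 2 will reuse the webroot method; a blanket redirect to HTTPS on port 80 makes renewals fail silently until the certificate expires. If the CNAME from step 15 is proxied through Cloudflare, set the zone's SSL/TLS mode to "Full (strict)" so Cloudflare validates the Let's Encrypt certificate on the origin rather than connecting to it over plain HTTP.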
Now your site is live on the internet with SSL.
I will add screenshots when I have time; sorry for any inconvenience.
Additionally, I also ran a security test on the site.
You can refer to the URL below:
Qualys