Thanks to the EFF, we now have a lovely suite of tools for getting globally recognized and trusted SSL certificates for HTTPS via Let's Encrypt and its management tool, certbot.

INSTALLATION

yum install python-certbot-apache certbot

INSTALLING NEW CERTIFICATE

certbot --apache -d DOMAIN.TLD -d DOMAIN2.TLD
certbot certonly --webroot -w /var/www/html -d DOMAIN1.TLD -d DOMAIN2.TLD

RENEWAL OF EXISTING CERTIFICATE

Run the renewal regularly; a certificate is only renewed if its expiry is within the next 30 days.

certbot renew
certbot renew --dry-run
certbot renew --quiet

AMAZON LIGHTSAIL / AWS ISSUES

Amazon has a few issues with certbot.  Here are the steps to get around them.

  • Install certificate
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --debug certonly -d www.fqdn.tld -d fqdn.tld
  • To renew:
./certbot-auto renew
  • Now install SSL support for Apache, if you have not already (2.4 in my example).
yum install mod24_ssl
  • Edit /etc/httpd/conf.d/ssl.conf to fix the following values
SSLCertificateFile /etc/letsencrypt/live/fqdn.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/fqdn.tld/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/fqdn.tld/chain.pem
  • Lastly restart Apache
sudo service httpd restart
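
The following is an added example, not part of the original page: a check to run before restarting Apache that the three ssl.conf directives above are set, point at readable files in the same /etc/letsencrypt/live/ directory, and that the private key is not readable by group or other. The function names check_ssl_conf and directive_path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check the ssl.conf edits above.
# Usage: sh check_ssl_conf.sh /etc/httpd/conf.d/ssl.conf   (run as root)

# Print the path given to directive $2 in file $1; commented-out lines are
# skipped because their first field is not the bare directive name.
directive_path() {
    awk -v d="$2" 'tolower($1) == tolower(d) { p = $2 }
                   END { gsub(/"/, "", p); print p }' "$1"
}

# Report problems on stdout; return 0 when the configuration looks sane.
check_ssl_conf() {
    conf=$1
    rc=0
    cert=$(directive_path "$conf" SSLCertificateFile)
    key=$(directive_path "$conf" SSLCertificateKeyFile)
    chain=$(directive_path "$conf" SSLCertificateChainFile)

    for pair in "SSLCertificateFile:$cert" "SSLCertificateKeyFile:$key" \
                "SSLCertificateChainFile:$chain"; do
        name=${pair%%:*}
        path=${pair#*:}
        if [ -z "$path" ]; then
            echo "MISSING $name is not set"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $name -> $path"; rc=1
        fi
    done

    # All three files must come from the same lineage directory
    # (live/fqdn.tld); a key from another lineage will not match the cert.
    if [ "$(dirname "$cert")" != "$(dirname "$key")" ] ||
       [ "$(dirname "$cert")" != "$(dirname "$chain")" ]; then
        echo "MISMATCH directives point at different directories"; rc=1
    fi

    # The private key must not be readable by group or other.
    if [ -f "$key" ]; then
        case $(ls -lL "$key" | cut -c5-10) in
            *r*) echo "PERMS $key is readable by group or other"; rc=1 ;;
        esac
    fi
    return $rc
}

if [ "$#" -gt 0 ]; then check_ssl_conf "$1"; fi
```

A non-zero exit status means at least one problem line was printed; fix those before restarting httpd.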