{"id":785,"date":"2016-02-10T21:25:01","date_gmt":"2016-02-11T05:25:01","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=785"},"modified":"2018-09-04T09:18:47","modified_gmt":"2018-09-04T17:18:47","slug":"how-to-set-up-letsencrypt-the-ssl-certificate-engine-for-the-cloud-era-of-hyperscale-on-aws-ec2","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-letsencrypt-the-ssl-certificate-engine-for-the-cloud-era-of-hyperscale-on-aws-ec2\/","title":{"rendered":"How to set up Letsencrypt certificates on AWS EC2"},"content":{"rendered":"

[updated 2018-06-12] As browser makers continue their push for HTTPS and mobile applications are becoming the target of MITM (man-in-the-middle) attacks, cloud\u00a0developers and administrators are scrambling to find affordable SSL certificates that can live up to the demands of the cloud era. Enter Let\u2019s Encrypt, a new Certificate Authority that is open, fully automated, and free to use, with an almost unprecedented, generous allotment of 100 host names per certificate. Let\u2019s Encrypt delivers on the promise of a worry-free, fully encrypted web 3.0<\/span>.<\/span>\u00a0Cloud Insidr\u00a0lifts the veil off of Let\u2019s Encrypt’s setup, configuration, its few surprises and hidden gems.<\/p>\n

<\/p>\n

The breakneck pace\u00a0of growth of cloud services\u00a0calls for a new approach to security certificates. One such initiative is Let’s Encrypt (letsencrypt<\/a>).<\/p>\n

Let\u2019s Encrypt is a new Certificate Authority brought to you by the Internet Security Research Group: it is\u00a0free<\/strong>, automated<\/strong>, open<\/strong>, and backed by some of the most respected names in\u00a0the IT industry.<\/p>\n

So what’s in it for you? If you don’t mind the 90 day renewal period (with an infinite number of extensions),\u00a0you can avail yourself of SSL certificates that support up to 100 domains each. What’s not to like about it? It’s automated, open, and free.<\/p>\n

You can test-drive the letsencrypt school of thought on\u00a0your web and\/or mail servers.\u00a0Here is how to get started.<\/p>\n

\"Letsencrypt<\/a>
This is how the end result will look like in a web browser: certificate information for a Letsencrypt certificate<\/figcaption><\/figure>\n

Step 1. Check the compatibility of your software stack<\/h2>\n

To check the compatibility of your software stack, navigate to:<\/p>\n

https:\/\/certbot.eff.org\/<\/pre>\n
and enter the details of your software stack to receive installation instructions.<\/p>\n
\"the<\/a>
The Certbot wizard<\/figcaption><\/figure>\n
Depending on your system, you will either be using the certbot<\/strong> utility (on newer OSes) or letsencrypt<\/strong> (on older systems). If you use an alternative installation method, the script on your system may be named\u00a0certbot-auto<\/strong>. In the following steps, these three names are interchangeable<\/strong>.<\/p>\n
If you are able to\u00a0install letsencrypt on the machine that will be both issuing and using the certificate(s), follow the steps below; otherwise, refer to\u00a0this post<\/a>\u00a0for the manual method.<\/p>\n
For example on Fedora, you can set up letsencrypt’s certbot tools for NGINX using the command:<\/p>\n
dnf install certbot-nginx<\/pre>\n
Step 2. Complete your DNS configuration<\/h2>\n
Make sure that the DNS configuration of your server is correctly referencing\u00a0the IPv4 and IPv6 address of the host which\u00a0is going to\u00a0be furnished with\u00a0the certificate(s).<\/p>\n
Step 3. Set the defaults for letsencrypt<\/h2>\n
To set global defaults\u00a0for letsencrypt, create the\u00a0cli.ini<\/strong> configuration file.<\/p>\n
nano\u00a0\/etc\/letsencrypt\/cli.ini<\/strong><\/pre>\n
For example, to\u00a0use a 4096 bit RSA key instead of 2048, save this information in the\u00a0cli.ini<\/strong> file, preferably in its default location at \/etc\/letsencrypt\/:<\/p>\n
# Use a 4096 bit RSA key instead of 2048\r\nrsa-key-size = 4096<\/pre>\n
Configuration files responsible for setting up certificate-specific defaults for letsencrypt are located in the following directory:<\/p>\n
\/etc\/letsencrypt\/renewal<\/pre>\n
Make a backup of these files.<\/p>\n
Step 4. Generate a new or extend an existing certificate<\/h2>\n
The certbot\/letsencrypt utility uses plugins which can provide the following functionality:<\/p>\n