Embedded SSL certificate in AWS with Let's Encrypt

general trend

1.Let's Encrypt installation

2.SSL server certificate acquisition

3. Configure SSL on the web server

4. The site I referred to

There are some commands that require root privileges in the middle of the process, but without granting root privileges.
sudo su -
It is recommended that you run all commands as root with


1. Install Let's Encrypt

First of all, download Let's Encrypt.
You can clone repositories anywhere you want.
If you don't have git installed, please install it.

sudo yum -y install git
git clone https://github.com/letsencrypt/letsencrypt

It is the installation of Let's Encrypt which I downloaded.
The required packages will also be installed with it.

cd letsencrypt
sudo . /letsencrypt-auto -debug -help

If the installation fails at this time due to pip-related issues, you may need to update your pip.
pip is a package management system written in Python.

sudo pip install -upgrade pip
sudo pip install -upgrade virtualenv
# If you are told that the command cannot be found at this time, please execute ↓↓↓↓.
#sudo /usr/local/bin/pip install -upgrade virtualenv

2.Obtaining a server certificate

When you have finished installing Let's Encrypt, you will need to obtain an SSL certificate for your website.
When you execute the following command, the web server will be accessed, so if you have a firewall restriction, please note that it may fail depending on the restriction.

. /letsencrypt-auto certonly -webroot -w /var/www/html -d www.example.com -m xxx@gmail.com -agree-tos

If the following is displayed, it is success.

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/blog.apar.jp/fullchain.pem. Your cert will
expire on 2016-05-18. To obtain a new version of the certificate in
In the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:

About Options

  • -webroot
  • They are going to use the currently running web server to get the certificate.
    If you don't have a running web server, you can specify "-standalone" instead of "-webroot".
  • -W
  • Specify the path of the document root
  • -d
  • Specify a domain name
  • -m
  • Specify your email address
  • -agree-tos
  • I agree to the Terms of Use

Also, if the port number of the running web server is not default, you can specify it ↓↓↓

-http-01-port 8080 #HTTP
-tls-sni-01-port 4443 #HTTPS

Where to save the certificate

You can't access it without root privileges, so you'll have to check with root.

  • credentials
  • /etc/letsencrypt/live/domain-name/cert.pem
  • Certificate + Intermediate CA Certificate
  • /etc/letsencrypt/live/domain-name/fullchain.pem
  • private key
  • /etc/letsencrypt/live/domainname/privkey.pem
  • intermediate CA certificate
  • /etc/letsencrypt/live/domainname/chain.pem

3. Configure SSL on the web server

For apache

Edit the /etc/httpd/conf.d/ssl.conf file
You can find it by searching for SSLCertificate.

SSLCertificateFile /etc/letsencrypt/live/domainname/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domainname/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domainname/chain.pem

service httpd reload

In the case of nginx

Edit the /etc/nginx/nginx.conf file.
You can find it by searching for ssl_certificate

ssl_certificate "/etc/letsencrypt/live/domain-name/cert.pem";
ssl_certificate_key "/etc/letsencrypt/live/domainname/privkey.pem";

service nginx reload

4. The site I referred to