Last active January 17, 2022 03:36
HTTPS Setup/Renewal on AWS

Adding a subdomain to the server

  1. Create new entry in /conf.d
  • for SSL certified host
<VirtualHost *:443>
 ServerName (e.g.
 ..Rest of apache host settings..
  2. Configure domain host DNS resource records (on domain host webportal)
  • Name: (e.g.
  • Type: A
  • TTL: 1 min (could probably be 1 hour?)
  • Value: <ip_address_of_host>

Renewing HTTPS on AWS AMI

  • sudo certbot -i apache -a manual --preferred-challenges dns -d -d
    • Follow instructions to add DNS TXT Resource Record in Domain DNS Settings
    • Wait 5+ minutes before accepting/validating record updated

Saw this though:

Failed redirect for
Unable to set enhancement redirect for
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 2021-05-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"

Tools for Verifying:
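An added example for this verification step (my code, not from the gist): a Go check that reads the leaf certificate from a fullchain.pem, reports how many days remain before expiry against certbot's default 30-day renewal window, and confirms the leaf still covers the host. The host name and the self-signed sample certificate are constructed stand-ins for a real Let's Encrypt chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// CheckChain parses the first PEM block of a fullchain.pem (certbot writes the leaf first)
// and returns days left before NotAfter (negative once expired) and whether the leaf covers host.
func CheckChain(pemBytes []byte, host string, now time.Time) (daysLeft int, hostOK bool, err error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, false, errors.New("no CERTIFICATE block at start of chain")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, false, err
	}
	daysLeft = int(leaf.NotAfter.Sub(now).Hours() / 24)
	return daysLeft, leaf.VerifyHostname(host) == nil, nil
}

// NeedsRenewal applies certbot's default policy of renewing once fewer than 30 days remain.
func NeedsRenewal(daysLeft int) bool { return daysLeft < 30 }

// SelfSignedPEM is constructed sample input: a throwaway 90-day certificate for host
// that stands in for a real fullchain.pem, which CheckChain reads the same way.
func SelfSignedPEM(host string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen cannot fail with a working CSPRNG
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feed CheckChain the bytes of /etc/letsencrypt/live/<host>/fullchain.pem on the AMI to see what `certbot renew` would act on before the cron run does.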

Setting up HTTPS on AWS AMI


  • wget -O epel.rpm -nv
  • sudo yum install -y ./epel.rpm
  • sudo yum install python2-certbot-apache.noarch
  • sudo certbot -i apache -a manual --preferred-challenges dns -d -d
    • Add DNS TXT Resource Records to Google Domain Settings
    • Name: _acme-challenge, Value: <provided>

Renewing HTTPS Certs

----- OLD ------

Strange things while attempting to renew... 🤔

  • Attempted to run certbot-auto after ssh in
    • Performed update
    • Failed with Error: couldn't get currently installed version for /opt/
  • Removed installation directory in /opt/
  • Removed certbot-auto binary
  • Retrieved newer version with wget and set permissions chmod a+x certbot-auto
  • Attempted to run sudo certbot-auto
    • Failed with FATAL error about Amazon being Experimental
    • Reran with sudo certbot-auto --debug
      • Failed again with ImportError: No module named cryptography
      • installed missing modules with sudo /opt/ install cryptography interface zope.proxy zope.hookable

SUCCESS Updating certificates in /etc/letsencrypt/live/

Setting up HTTPS on AWS

----- OLD ------

  • SSH to Server
  • Download Certbot
    • wget
    • chmod a+x certbot-auto
  • Make sure Apache is configured correctly with domain in /etc/httpd/conf/http.conf
  • Run sudo ./certbot-auto --apache
    • Will have to answer some questions about which domains you want to secure

Should update /etc/httpd/conf/httpd-le-ssl.conf
Adds to <VirtualHost *:443>:

ServerName <host>
ServerAlias www.<host>

SSLCertificateFile /etc/letsencrypt/live/<host>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<host>/privkey.pem