Generate Certificate with Certbot

How to request a certificate with certbot and how to add or update it via Certificate Manager


Last updated 2 years ago

Request a Certificate with certbot

This example shows how to request a certificate for happenn.com and www.happenn.com.

SSH to the server and check whether the 'certbot' command is available. If not, install it.

Use a pem/ppk key as credentials. You will get it from the Server Admin. If you have a problem using the key file, you need to set its permissions; follow this guide: https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open

DOMAIN="happenn.com"
sudo certbot -d "$DOMAIN" -d "www.$DOMAIN" --manual certonly

First, we assign the domain we want a certificate for to the variable "DOMAIN". We use a variable instead of a literal string because the domain is used several times; this saves retyping it and makes copy and paste easier. On the second line, the certbot command requests a certificate for "happenn.com" and "www.happenn.com". If the domain you are requesting is already a sub-domain, the second -d option (the one for www.$DOMAIN) can be removed.

Certbot will ask us to create a file at a specific path with specific text in it. This can be done via FTP or SSH. The file name and the file data always contain the same text.

In this example, the file name is "XKNxgoKHYVF4EA6s4eaDvHBxBp2auHhH1-NTzQggWls", which also appears inside the file data, before the period.

To create the file quickly, you can open another SSH session and use the "cat" command to create a new file with the data (press Ctrl+D on a new line to finish):

$ cat > XKNxgoKHYVF4EA6s4eaDvHBxBp2auHhH1-NTzQggWls
XKNxgoKHYVF4EA6s4eaDvHBxBp2auHhH1-NTzQggWls.XK2OCfKZ4m4Z0TspeuXcLFsGF3mRG90Tl5qXpHqi2II

After the file has been created, press Enter to continue. You need to create one file for each domain name you request the certificate for. In this case, we want "happenn.com" and "www.happenn.com", so we need to create 2 files.
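A small helper for the step above, as an added example that is not part of the original page: it derives the file name from the string certbot prints, rejects malformed input, and writes the file with no trailing newline. The function names and the CHALLENGE_DIR variable are assumptions.

```sh
# Added example (not from the original page). CHALLENGE_DIR is an assumed
# variable: set it to the directory certbot tells you to create the file in.

# challenge_name DATA
#   DATA is the full string certbot prints: "<file name>.<second part>".
#   Prints the file name, or fails if DATA is not in that form.
challenge_name() {
    cn_name=${1%%.*}    # text before the first period = file name
    cn_rest=${1#*.}     # text after the first period
    # Both parts are base64url text (A-Z a-z 0-9 _ -). Rejecting anything
    # else catches copy/paste damage and keeps "/" and ".." out of the name.
    case $1 in *.*) ;; *) return 1 ;; esac
    case $cn_name in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case $cn_rest in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    printf '%s\n' "$cn_name"
}

# write_challenge DIR DATA
#   Creates DIR/<file name> containing DATA and prints the path.
write_challenge() {
    wc_name=$(challenge_name "$2") || {
        echo "not a challenge string: $2" >&2; return 1; }
    [ -d "$1" ] || { echo "no such directory: $1" >&2; return 1; }
    # printf writes exactly the data: no trailing newline or stray spaces.
    printf '%s' "$2" > "$1/$wc_name" || return 1
    chmod 644 "$1/$wc_name"    # the web server must be able to read it
    printf '%s\n' "$1/$wc_name"
}

# remove_challenge DIR DATA
#   Deletes the file again once certbot has reported success.
remove_challenge() {
    rc_name=$(challenge_name "$2") || return 1
    rm -f -- "$1/$rc_name"
}

# Usage, one call per domain name requested:
#   write_challenge "$CHALLENGE_DIR" "<string printed for happenn.com>"
#   write_challenge "$CHALLENGE_DIR" "<string printed for www.happenn.com>"
```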

After getting a success message, run:

$ sudo mkdir -p -m755 "/home/ubuntu/.acme/$DOMAIN/"
$ sudo cp "/etc/letsencrypt/live/$DOMAIN"/{cert,chain,privkey,fullchain}.pem "/home/ubuntu/.acme/$DOMAIN/"
$ sudo chmod -R 755 "/home/ubuntu/.acme/$DOMAIN/"

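This creates a folder and copies the certificate files into it so that they can be downloaded to your computer. The copy includes privkey.pem, and mode 755 lets every user on the server read it, so delete the folder as soon as the files have been downloaded.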

Add Certificate to Certificate Manager

After you finish requesting the certificate, you will have 4 files:

  • cert.pem

  • chain.pem

  • fullchain.pem

  • privkey.pem

  1. Go to AWS console and select service Certificate Manager

  2. Click on Import a certificate

  3. Paste the content of each file into the matching box

    1. Certificate body: cert.pem

    2. Certificate private key: privkey.pem

    3. Certificate chain: chain.pem or fullchain.pem

  4. Click Next

  5. Click Review and import

  6. Click Import

Add Certificate to Load Balancer

  1. Go to AWS console and select service EC2

  2. Select Load Balancing > Load Balancers

  3. Select the load balancer that you want to assign the certificate to.

  4. Select Listeners tab

  5. Select View/edit certificates on HTTPS : 443 row

  6. Click + tab at the top

  7. Select the certificate(s) you want to add and click Add

This binds the certificate(s) to the load balancer. You do not need to set up SSL on the server itself, as the load balancer will handle it for you.

Update Certificate

To update an existing certificate, you can request a new one as long as it is soon to expire. However, if the certificate is not yet close to expiring, you will only be able to request a specific number per day. You will get a message from certbot when requesting the certificate.

  1. Go to AWS console and select service Certificate Manager

  2. Click on the domain name you want to reimport

  3. Click on Reimport Certificate and follow the same steps as Import Certificate
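Before pasting the files into Import a certificate or Reimport Certificate, the following added example (not part of the original page) checks on the server that privkey.pem belongs to cert.pem, that every requested name is in the certificate, and that it is not about to expire. The function name check_cert_bundle and the MIN_DAYS variable are assumptions; it relies on the openssl command line tool, version 1.1.1 or later for the -ext option.

```sh
# Added example (not from the original page); names here are assumptions.
# check_cert_bundle DIR NAME [NAME...]
#   DIR holds cert.pem and privkey.pem, e.g. /home/ubuntu/.acme/$DOMAIN
#   MIN_DAYS (default 30) is the minimum remaining validity to accept.
check_cert_bundle() {
    ccb_dir=$1; shift
    ccb_cert=$ccb_dir/cert.pem
    ccb_key=$ccb_dir/privkey.pem

    # 1. The private key must belong to the certificate: the public key
    #    inside cert.pem has to equal the one derived from privkey.pem.
    ccb_pub_cert=$(openssl x509 -in "$ccb_cert" -noout -pubkey) || return 2
    ccb_pub_key=$(openssl pkey -in "$ccb_key" -pubout) || return 2
    if [ "$ccb_pub_cert" != "$ccb_pub_key" ]; then
        echo "privkey.pem does not match cert.pem" >&2; return 1
    fi

    # 2. Every name passed in must be a DNS entry of the certificate.
    ccb_sans=$(openssl x509 -in "$ccb_cert" -noout -ext subjectAltName |
               tr ',' '\n' | sed 's/^ *//; s/ *$//')
    for ccb_name in "$@"; do
        if ! printf '%s\n' "$ccb_sans" | grep -Fxq "DNS:$ccb_name"; then
            echo "certificate does not cover $ccb_name" >&2; return 1
        fi
    done

    # 3. The certificate must stay valid for at least MIN_DAYS more days.
    ccb_secs=$(( ${MIN_DAYS:-30} * 86400 ))
    if ! openssl x509 -in "$ccb_cert" -noout -checkend "$ccb_secs" >/dev/null
    then
        echo "certificate expires within ${MIN_DAYS:-30} days" >&2; return 1
    fi
    echo "OK: key matches, names covered, valid for ${MIN_DAYS:-30}+ days"
}

# Usage on the server, after the copy step:
#   check_cert_bundle "/home/ubuntu/.acme/$DOMAIN" "$DOMAIN" "www.$DOMAIN"
```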

https://superuser.com/questions/1296024/windows-ssh-permissions-for-private-key-are-too-open