I wanted to easily add web security to a static AWS EC2 website to improve the search rankings. I found a guide by Ivo Petkov however there were a few problems with his instructions.
I followed his advice:
sudo yum install python27-devel git mkdir ~/Src/letsencrypt cd ~/Src/letsencrypt git clone https://github.com/letsencrypt/letsencrypt ./letsencrypt-auto --debug
This error was reported
./letsencrypt-auto: line 654: virtualenv: command not found
I checked and found this was a python package that wasn’t installed. So I used pip, but that wasn’t installed. So..
sudo yum install python34 cd ~/Src curl -O https://bootstrap.pypa.io/get-pip.py python3 get-pip.py --user
I added ~/.local/bin to my searchpath by editing ~/.bash_profile
Then before I added the package, I typed
chgrp wheel /usr/local/lib/python3.4/site-packages/ chmod g+w /usr/local/lib/python3.4/site-packages/ pip install virtualenv
Still, when I repeated the letsencrypt command, I got the same error. Let’s make sure virtualenv is installed. Aha! I found /usr/bin/virtualenv-2.7. So I typed the following to make virtualenv point to the real location
cd /usr/bin sudo ln -s virtualenv-2.7 virtualenv
I then repeated the command
and it works. I had to give the real name of the machine. That is, I had to say “www.example.com” instead of “example.com”. I also had to answer some questions, and I took the suggested responses. So I next typed, as Ivo suggested, the following to use a larger key
echo "rsa-key-size = 4096" >> /etc/letsencrypt/config.ini
echo "email = email@example.com" >> /etc/letsencrypt/config.ini
I repeated the above letsencrypt –debug command, and it warned me about doing to many of these cert requests. Okay. Let’s make sure the renew works.
I wrote a simple script for cron, which I called ~/Cron/Renew
#!/bin/sh PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/opt/aws/bin:/home/ec2-user/bin:/opt/aws/bin:/home/myusername/.local/bin export PATH $HOME/Src/letsencrypt/letsencrypt-auto renew --config /etc/letsencrypt/config.ini --agree-tos >>$HOME/Cron/renew.log 2>&1 sudo apachectl graceful >>$HOME/Cron/renew.log 2>&1
I tested this by executing it. Looks good. Notice that when I executed letsencrypt on the EC2 instance, and I didn’t use –debug, it would not let me proceed. But once it was set up, and I am just renewing the cert, the –debug option isn’t needed.
I next added a line to my crontab to renew once a month.
33 7 1 * * /home/myusername/Cron/Renew
Changing my score from F to A
After getting this all checked, I discovered that letsencrypt already had https running on my apache server. Excellent. So I went to ssllabs and checked my score. Not good..
While my current score was B, it said next month I’d get an F. There was support for RC4 and other weak crypto. But this is where EFF’s advice is better than Ivo’s.
I looked at the file
and copy these values to the appropriate place in Apache’s config file
I then executed “apachectl graceful”, and went to ssllabs, and tested my server. I had an A
Excellent. Thanks Ivo and EFF.