I keep forgetting how to enable SSL on my websites. I need a basic certificate; I've no need for super certificates, I'm not a bank!
So LetsEncrypt, a free SSL certificate service, will do the job nicely.

Here I describe how I install LetsEncrypt certificates using the GetSSL script on AWS EC2 instances.

All based on memory and looking at my bash history!

1. Get a terminal on your EC2 instance

I'm using SSH sessions to manage my EC2 instances. I think AWS offers a browser based terminal too but my preference is SSH.

I tend to do all this as root (may not be the best idea).

$ sudo su -

2. Get the GetSSL script onto your AWS EC2 instance

As I run as the root user, my installation of the script(s) and certificates will all end up in /root.
$ curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

3. Create and customise initial GetSSL config

After step 2 you will have the getssl script on your EC2 instance. Now we will use that script to generate a default configuration for the domain we're setting up.

You could optionally create a (symbolic) link at this point in /bin so the script is on the PATH and therefore usable without having to provide the full path to the script.
$ cd /bin
$ ln -s /root/getssl getssl

Of course you want to replace mydomain.com with your domain name (without www) in the instructions that follow.

This will create the basic config for "mydomain.com":
$ getssl -c mydomain.com

If you've also run these commands as root, your GetSSL config will live in /root/.getssl
As this is a 'dot' directory you will only see it with 'ls' if you use 'ls -a'.

In /root/.getssl you'll see a getssl.cfg; this is the default configuration. Options in this file will be used unless you override them with settings in the per-domain config files located in /root/.getssl/mydomain.com/getssl.cfg

Now you want to edit the domain specific config: /root/.getssl/mydomain.com/getssl.cfg

A config file for one of my AWS hosted domains set up recently (I've chopped a lot of stuff I don't use):

# Recall we set up with a www-less domain earlier?
# Here we account for that so the certificate will work for domain with www and without
RELOAD_CMD="systemctl restart httpd.service"

4. Generate certificate

This command with -a causes the getssl script to attempt to renew all certificates (if needed).
The -u tells the script to update itself from the Git repository if appropriate.
$ getssl -u -a

After some output in the console, you should see a .key and a .crt file in /root/.getssl/mydomain.com/

Now we need to tell our webserver (I use Apache httpd) where to find the cert info.

5. Configure Apache http server to use LetsEncrypt generated SSL certificate

You need to create an ssl.conf file in /etc/httpd/conf.d/
I found an example ssl file in ssl.conf.rpmnew, so I copied that to ssl.conf and edited the lines below:

SSLCertificateKeyFile /root/.getssl/mydomain.com/mydomain.com.key
SSLCertificateFile /root/.getssl/mydomain.com/mydomain.com.crt
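
Before restarting httpd, it helps to confirm that the generated certificate covers both the bare and the www name, that the key on disk belongs to it, and that it is not about to expire (which also shows whether the weekly cron renewal is working). The script below is an added example, not part of the original post or of getssl; the function names and the 14-day threshold are assumptions, and it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity-check the files getssl wrote for a domain.
# Assumes the <domain>.key / <domain>.crt file names shown in step 5.

# 0 if the certificate is valid for NAME (matches its subjectAltName entries).
cert_covers_name() {   # cert_covers_name CERT NAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# 0 if the private key and the certificate carry the same public key.
key_matches_cert() {   # key_matches_cert KEY CERT
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# 0 if the certificate is still valid DAYS days from now.
cert_valid_for_days() {   # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run every check for DOMAIN against the files in DIR; one line per failure.
check_deployment() {   # check_deployment DIR DOMAIN [MIN_DAYS]
    local dir=$1 domain=$2 min_days=${3:-14} rc=0 name
    local crt="$dir/$domain.crt" key="$dir/$domain.key"
    for name in "$domain" "www.$domain"; do
        cert_covers_name "$crt" "$name" || { echo "FAIL: cert does not cover $name"; rc=1; }
    done
    key_matches_cert "$key" "$crt" || { echo "FAIL: key does not match cert"; rc=1; }
    cert_valid_for_days "$crt" "$min_days" || { echo "FAIL: cert expires within $min_days days"; rc=1; }
    return $rc
}

# Constructed sample input for trying the checks offline: a throwaway
# self-signed certificate (needs OpenSSL 1.1.1+ for -addext).
make_sample_cert() {   # make_sample_cert DIR DOMAIN DAYS SAN_LIST
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -addext "subjectAltName=$4" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# On the server: ./check_cert.sh /root/.getssl/mydomain.com mydomain.com
if [ "$#" -ge 2 ]; then check_deployment "$@"; fi
```

A "does not cover www.mydomain.com" failure means the certificate was issued for the bare domain only, so the www name needs adding to the per-domain getssl config before re-running step 4.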

6. Crontab auto renew of certificate

Cron is a process on the Amazon Linux server that lets us set up scheduled tasks.
Here I add a call to the getssl script to make sure it gets auto renewed as needed by running the script weekly:

Edit cron jobs with
$ crontab -e

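Set up the getssl job (cron runs with a minimal PATH, so this relies on the /bin symlink from step 3; otherwise use the full path /root/getssl):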
0 1 * * 3 getssl -u -a

7. Update webserver to force www subdomain and ssl

This step is not so much about SSL but SEO impact.
I want to make sure any requests to https://mydomain.com are redirected to https://www.mydomain.com.
I also want to redirect http:// requests to https:// so they use the SSL certificate.

In your DocumentRoot (for me that's /var/www/html/) add or edit the .htaccess file adding as follows:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]


Setting up GetSSL on AWS

AWS documentation around certbot (an alternative to getssl) to configure LetsEncrypt

Using htaccess