I keep forgetting how to enable SSL on my websites. I need a basic certificate I've no need for super certificates, I'm not a bank!
So LetsEncrypt, a free SSL certificate service will do the job nicely.

Here I describe how I install LetsEncrypt certificates using the GetSSL script on AWS EC2 instances.
GetSSL is a handy bash script that saves me having to install new repositories or software.

1. Get a terminal on your EC2 instance

I'm using SSH sessions to manage my EC2 instances. I think AWS offers a browser based terminal too but my preference is SSH.

I tend to do all this as root (may not be the best idea).

$ sudo su -

2. Get the GetSSL script onto your AWS EC2 instance

As I run as the root user, my installation of the script(s) and certificates will all end up in /root.
$ curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

3. Create and customise initial GetSSL config

After step 2 you will have the getssl script on your EC2 instance, now we will use that script to generate default configuration for the domain we're setting up.

You could optionally create a (symbolic) link at this point in /bin so the script is on the PATH and therefore usable without having to provide the full path to the script.
$ cd /bin
$ ln -s /root/getssl getssl


Of course you want to replace mydomain.com with your domain name (without www) in the instructions that follow.

This will create the basic config for "mydomain.com":
$ getssl -c mydomain.com

If you've also run these commands as root, your GetSSL config will live in /root/.getssl
As this is a 'dot' directory you will only see it with 'ls' if you use 'ls -a'.

In /root/.getssl you'll see a getssl.cfg, this is the default configuration. Options in this file will be used unless you override them with settings in the per-domain config files located in /root/.getssl/mydomain.com/getssl.cfg

Now you want to edit the domain specific config: /root/.getssl/mydomain.com/getssl.cfg

A config file for one of my AWS hosted domains setup recently (I've chopped a lot of stuff I don't use):

CA="https://acme-staging-v02.api.letsencrypt.org"
# Recall we setup with a www-less domain earlier?
# Here we account for that so the certificate will work for domain with www and without
SANS="www.mydomain.comk" 
ACL=('/var/www/html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
RELOAD_CMD="systemctl restart httpd.service"
SERVER_TYPE="https"

4. Generate and install certiticate

The -u tells the script to update itself from the Git repository if appropriate.
$ getssl -u mydomain.com

After some output in the console, you should see a .key and a .crt file in /root/.getssl/mydomain/

Set values in the .getssl/mydomain/getssl.config file, these cause certificates to be copied to specified location:

DOMAIN_CERT_LOCATION="/etc/ssl/certs/mydomain.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/certs/mydomain.key"

CA_CERT_LOCATION="/etc/ssl/chain.crt"

Now we need to tell our webserver (I use Apache httpd) where to find the cert info.

5. Configure Apache http server to use LetsEncrypt generated SSL certificate


Create or edit /etc/httpd/conf.d/mydomain.conf file

<VirtualHost *:443>
    ServerName mydomain.com
    ServerAlias www.mydomain.com
    DocumentRoot /var/www/html

    SSLEngine on

    SSLCertificateFile /etc/ssl/certs/mydomain.com.crt
    SSLCertificateKeyFile /etc/ssl/certs/mydomain.com.key
    SSLCertificateChainFile /etc/ssl/chain.crt

     SSLProtocol All -SSLv2 -SSLv3
     SSLHonorCipherOrder on
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>

6. Crontab auto renew of certificate

Cron is a process on the Amazon linux server that lets us setup scheduled tasks.
Here I add a call to the getssl script to make sure it gets auto renewed as needed by running the script weekly:

Edit cron jobs with
$ crontab -e

Setup the getssl job:
0 1 * * 3 root getssl -u mydomain.com

7. Update webserver to force www subdomain and ssl

This step is not so much about SSL but SEO impact.
I want to make sure any requests to http://mydomain.com are redirected to http://www.mydomain.com.
I also want to redirect http:// requests to use the SSL certificate at https://

In your DocumentRoot (for me that's /var/www/html/) add or edit the .htaccess file adding as follows:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]

8. Letsencrypt / getssl with Apple (iPhone) devices

Using the config detailed above I found I was getting errors in iPhone browsers saying my letsencrypt certifiacte was untrusted and the site was effectively blocked on iPhones.
After adding the SSLCertificateChainFile (chain.crt) config into the apache and getssl config files I no longer saw the untrusted message with Apple iPhone browsers.

I'm not sure I understand the detail well enough to explain here other than to say it's to do with providing more info to the browser about who (organisations) trusts the certificate and as Apple trusts that organisation it can now trust my letsencrypt certificate.

References

Setting up GetSSL on AWS
https://millionclues.com/tutorials/lets-encrypt-on-amazon-aws-ec2-with-getssl

AWS documentation around certbot (an alternative to getssl) to configure LetsEncryt
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#letsencrypt 

Using htaccess
https://perishablepress.com/stupid-htaccess-tricks/#gen3