Last week I tried to install the Let's Encrypt client on Amazon Linux 2015.09 (based on RHEL/CentOS 6, with Apache 2.4.16) following the default instructions. First, I had to install git and clone the repo, and when I started letsencrypt I got the typical error message:

WARNING: Amazon Linux support is very experimental at present... if you would like to work on improving it, please ensure you have backups and then run this script again with the --debug flag!

Ok, let's try the --debug flag. Waaah, what is this? I want to get the help and it installs a bunch of packages on my server, including an older Python version (2.6), and creates many files in the root home dir! Is it really necessary? I think not. Fortunately, I took the warning seriously and had created a snapshot before this happened.

So, I know the server has the Python 2.7 package installed; I assume this comes from the awscli from my CloudFormation stacks. How can I convince letsencrypt to use it? After plenty of hours asking sheik Google and reading blogs and FAQs, I found a really simple solution following an article about the S3/CloudFront plugin for the Let's Encrypt client.


yum -y install gcc libattr-devel libffi-devel openssl-devel dialog
pip install letsencrypt

Now, I found the letsencrypt package under /usr/local/lib/python2.7/site-packages/letsencrypt and the script file under /usr/local/bin/letsencrypt, no git needed. To make it available system-wide, I added a symlink in the /usr/bin/ directory. Easy, huh?

ln -s /usr/local/bin/letsencrypt /usr/bin/letsencrypt

Certificate issuing

I simply want to create the certificates without any Apache modifications, because I do those myself, testing against Qualys SSL Labs. To do this, be sure you have opened ports 80 and 443 in your security group.

# EMAIL and DOMAIN1..DOMAIN3 are placeholders; ";" before the start brings Apache back even if issuing fails
service httpd stop && letsencrypt certonly --rsa-key-size 4096 -m EMAIL --agree-tos -d DOMAIN1 -d DOMAIN2 -d DOMAIN3; service httpd start

The certificates can be found in the default path under /etc/letsencrypt/live/, whose entries are symlinks to /etc/letsencrypt/archive/.

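Certificate renewing

The certificates expire after 90 days and should be renewed within this period, so finally I created a simple cron job to do this for me.

# EMAIL is a placeholder. Cron evaluates day-of-month steps within each month, so */60 cannot mean "every 60 days"; run on the 1st instead. ";" restarts Apache even if renew fails, and the subshell logs all three commands.
08 2 1 * * root (service httpd stop; letsencrypt --rsa-key-size 4096 -m EMAIL --agree-tos renew; service httpd start) >> /var/log/letsencrypt/renew.log 2>&1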
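
The cron job stops Apache on every run, whether or not a certificate is due. As an added example (not part of the original post), this wrapper checks the remaining lifetime of the certificate first and starts Apache again even when the renewal fails; the example.com directory under /etc/letsencrypt/live/, the cert.pem file name and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: renew only when the certificate is close to expiry,
# and never leave Apache stopped after a failed renewal.

# Assumed values, override them from the environment.
CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"  # placeholder domain
THRESHOLD_DAYS="${THRESHOLD_DAYS:-30}"

# needs_renewal CERT DAYS
# Returns 0 when CERT expires within DAYS days. A missing or unreadable
# certificate also returns 0, so the job fails towards renewing.
needs_renewal() {
    [ -r "$1" ] || return 0
    # -checkend N exits 0 only if the certificate is still valid in N seconds
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stop Apache so the client can bind ports 80/443, renew, then start
# Apache again whatever the result. Returns the renewal's exit status.
renew_with_apache_down() {
    service httpd stop
    letsencrypt --rsa-key-size 4096 renew
    renew_rc=$?
    service httpd start
    return "$renew_rc"
}

main() {
    if needs_renewal "$CERT" "$THRESHOLD_DAYS"; then
        echo "$(date): certificate due within $THRESHOLD_DAYS days, renewing"
        renew_with_apache_down
    else
        echo "$(date): certificate still valid, Apache left running"
    fi
}

# Nothing runs unless asked to: call the script with --run from cron.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Saved under a name of your choice and called with --run from the cron entry, its output can be appended to /var/log/letsencrypt/renew.log as before.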