Install a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance

This is part of my Introduction to Installing Let’s Encrypt Certificates for WordPress on Amazon Web Services (AWS) tutorial.

This post will go over the steps needed to use your command-line interface to download and install Lego, a Let’s Encrypt Client written in the Go programming language. Lego will allow you to create and manage SSL/TLS certificates from the Let’s Encrypt Certificate Authority.

In this example I am installing a Let’s Encrypt certificate on a LAMP-stack virtual server (in this case an EC2 instance from Amazon Web Services) over Secure Shell (SSH). After that, I’ll show you how to download a copy of your certificates and account information using an FTP client. I am using the macOS Terminal, which is Unix-based, but the Linux commands will be the same regardless of what command-line interface you are using. I am also using the Cyberduck FTP client, but any FTP client should work.


  • When working with SSL/TLS certificates, be very careful. If you are planning on adding, renewing, or removing an SSL/TLS certificate, make sure you create a complete backup of your website before trying anything.
  • If you are working with AWS EC2 instances, always take a snapshot of the instance’s storage volume before you try any of these steps. If anything goes wrong, you can always stop the instance, detach the volume, and attach a new volume created from your snapshot.

Install an SSL/TLS Certificate from Let’s Encrypt on Your EC2 Instance

  1. Connect to your EC2 instance by following the steps in WordPress on Amazon EC2: Connect to an Instance via SSH.
  2. Type cd /tmp and press Enter. tmp is the temporary directory where you can install the Lego client.
  3. Type curl -s | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i - and press Enter. curl is a transfer command that will download Lego from github.
  4. Terminal will output a lot of text. Towards the bottom of it, look for Saving to: and the name of the gzip file that the curl command downloaded. In this example, it says Saving to: 'lego_v1.2.1_linux_amd64.tar.gz'. Below that, the file name will appear. Here it is lego_v1.2.1_linux_amd64.tar.gz.
  5. Take the version number from that file name and type tar xf lego_vX.Y.Z_linux_amd64.tar.gz and press Enter, replacing the _vX.Y.Z_ with the version number from the file name. In this example, that’s tar xf lego_v1.2.1_linux_amd64.tar.gz. tar xf will extract the Lego client.
  6. Type sudo mv lego /usr/local/bin/lego and press Enter. The mv command will move Lego into its own directory.
  7. Type sudo /opt/bitnami/ stop and press Enter to stop the “A”, “M,” and “P” parts of your LAMP stack: the Apache server (httpd, or http daemon), MySQL (mysql), and PHP (php-fpm, or the PHP FastCGI Process Manager).
  8. Type sudo /usr/local/bin/lego --email="" --domains="" --path="/etc/lego" run and press Enter. This will run the Lego client to create a certificate on the server.

    • Replace with the email address where you want to receive updates about your certificate, including warnings when your certificate is about to expire.
    • Replace with the domain name for the Let’s Encrypt certificate that you are renewing. Include www. as needed.
  9. After a few lines of output, Terminal will display Do you accept the TOS? Y/n. You are being asked to accept the Let’s Encrypt Terms of Service. To continue, type y and press Enter.
  10. Enter the following commands. You can copy and paste them directly into Terminal to execute them all at once, or you can enter them one by one. These commands are specific to servers using Apache, which my EC2 instance does.
    • sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old: This renames the existing server.crt file that already existed on the instance as server.crt.old so that it stops being used. The .crt identifies the certificate itself, which contains the public key for the server.
    • sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old: This renames the existing server.key file that already existed on the instance as server.key.old so that it stops being used. The .key identifies the server’s private key.
    • sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old: This renames the existing server.csr file that already existed on the instance as server.csr.old so that it stops being used. The .csr identifies the certificate signing request.
    • sudo ln -s /etc/lego/certificates/ /opt/bitnami/apache2/conf/server.key: This creates a symbolic link (like an alias or shortcut) between the certificate’s private key (.key) that you just created in /etc/lego/certificates/ add the apache2/conf directory and renames it as server.key so that it can start being used for HTTPS purposes.
    • sudo ln -s /etc/lego/certificates/ /opt/bitnami/apache2/conf/server.crt: This creates a symbolic link between the certificate file (.crt) that you just created in /etc/lego/certificates/ to the apache2/conf directory and renames it server.crt so that it can start being used for HTTPS purposes.
    • sudo chown root:root /opt/bitnami/apache2/conf/server*: This command will chown any files with the file name server (in this case server.key and server.crt) to root so that the system’s root user owns them.
    • sudo chmod 600 /opt/bitnami/apache2/conf/server*: Now that root owns the server* files, we are using the chmod command to change it so that only the owner (root) can read or write these files.
  11. If use your FTP client to navigate to the /opt/bitnami/apache2/conf/ directory after executing these commands, you will see both the new server.key and server.crt files, as well as the original files with .old appended as a file extension.
  12. Type sudo /opt/bitnami/ start and press Enter to restart the Apache server, MySQL, and PHP.
  13. Now it is time to see if the certificate installation succeeded and your website is now running over HTTPS. Go to your browser of choice.
  14. The first time you visit the site after installing your SSL certificate, you will need to type https:// before the domain name so that the browser tries to connect using HTTPS. Press Enter to go to your website over HTTPS.
  15. Your website should load as usual, and your browser’s address bar should display the icon it uses to identify an HTTPS connection (usually a green lock icon). To see information about the certificate, click the green lock or the information icon (i) to the left of the URL in the address bar.
  16. What you see will vary based on your browser.
    • Chrome will display a link for Certificate. Click it.
    • Firefox will display an icon of a green lock. Click the right arrow next to it.
  17. The details of the SSL certificate will display.
    • Chrome will show the details of the certificate, including the expiration date. You can also expand the window and twirl down the arrows to see more information about the certificate.
    • In Firefox you will need to click More Information.

      • Firefox will display the Security tab of a Page Info pop-up, including the some details about the certificate and its expiration date. Click View Certificate to see more information about the TLS/SSL certificate.
      • The Certificate Viewer pop-up will display the complete information about your new SSL/TLS certificate.

Downloading a Copy of Your Certificate Information from the Server

While installing your Let’s Encrypt certificate, you may have noticed these directions display in Terminal:
Your account credentials have been saved in your Let's Encrypt configuration directory at "/etc/lego/accounts/". You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained from Let's Encrypt so making regular backups of this folder is ideal.

To grab a copy of the Let’s Encrypt certificates off of your EC2 Instance, we’ll need to connect to the instance using our FTP client, find the certificates, and then download them.

  1. Connect to your EC2 instance by following the steps in WordPress on Amazon EC2: Connect to an Instance via FTP and navigate to the top of the directory structure for your instance (/).
  2. Find the lego directory at /etc/lego.
  3. If you try to open lego, you will get a Permission denied pop-up. This is the same issue that I explained in WordPress on Amazon EC2: Permission Denied Error Message and the solution is very similar.
  4. Open Terminal and connect to your EC2 instance by following the steps in WordPress on Amazon EC2: Connect to an Instance via SSH.
  5. Type sudo chown -R bitnami:bitnami /etc/lego and press Enter to chown the directory permissions for lego to bitnami.
  6. Go back to your FTP client and try to access /etc/lego again. This time it should open and you should see two directories: certficates and accounts. Click the arrows next to the folder icons to twirl down the directories.
  7. You can see that the certificates directory contains the certificates and keys, identified by the domain name, while the accounts directory has information about the account, identified by the email address. You can select these directories and drag them to a location on your computer to save a copy as suggested by the on-screen prompt.
  8. Type sudo chown -R root:root /etc/lego and press Enter to chown the lego directory back to the root user.
  9. Type stat -c %U /etc/lego and press Enter to confirm that your chown command changed ownership back to root.
  10. When root displays you have confirmed the ownership change, type exit and press Enter to disconnect from the EC2 instance.