Renew a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance

This is part of my Introduction to Installing Let’s Encrypt Certificates for WordPress on Amazon Web Services (AWS) tutorial.

In Install a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance, we learned how to install the Lego client to create and manage TLS/SSL certificates provided by Let’s Encrypt. The certificates issued by Let’s Encrypt expire every 90 days, so you will need to renew them before they expire to maintain your website’s HTTPS connection. Let’s Encrypt will send you an email to notify you that your certificate is expiring soon.

It only takes a few minutes on the command line to renew the certificate. Try the steps below to get familiar with the renewal process; once you have done so, you can also Automate the Renewal of a Let’s Encrypt SSL/TLS Certificate on an AWS EC2 Instance.

In this example I am renewing a Let’s Encrypt SSL/TLS certificate on a LAMP-stack virtual server (in this case an EC2 instance from Amazon Web Services) over Secure Shell (SSH) using the command line. I am using the macOS Terminal, which is Unix-based, but the commands will be the same regardless of what command-line interface you are using.

Warning

  • When working with SSL/TLS certificates, be very careful. If you are planning on adding, renewing, or removing an SSL/TLS certificate, make sure you create a complete backup of your website before trying anything.
  • If you are working with AWS EC2 instances, always take a snapshot of the instance’s storage volume before you try any of these steps. If anything goes wrong, you can always stop the instance, detach the volume, and attach a new volume created from your snapshot.

Renew an Existing SSL/TLS Certificate from Let’s Encrypt on Your EC2 Instance

  1. Connect to your EC2 instance by following the steps in WordPress on Amazon EC2: Connect to an Instance via SSH.
  2. Type sudo chown -R bitnami:bitnami /etc/lego and press Enter. /etc/lego is the directory where the Let’s Encrypt certificates are stored; we change its ownership to the bitnami user so that we can access it.
  3. Type sudo /opt/bitnami/ctlscript.sh stop apache and press Enter. This stops the Apache web server, which must be down while the certificate is renewed.
  4. Type sudo /usr/local/bin/lego --email="email@email.com" --domains="www.domain.com" --path="/etc/lego" renew and press Enter.
    • Replace email@email.com with the email address where you want to receive updates about your certificate, including warnings when your certificate is about to expire.
    • Replace www.domain.com with the domain name for the Let’s Encrypt certificate that you are renewing. Include www. as needed.
  5. Type sudo /opt/bitnami/ctlscript.sh start apache and press Enter to start Apache again.
  6. To confirm that the certificate was renewed, we will check it from the Web. Go to the website where you are renewing the SSL certificate. In the address bar of your browser, click the green lock that indicates an HTTPS connection.
  7. What you see will vary based on your browser.
    • Chrome will display a link for Certificate. Click it.
    • Firefox will display an icon of a green lock. Click the right arrow next to it.
  8. The details of the SSL certificate will display.
    • Chrome will show the details of the certificate, including the expiration date. You can also expand the window and twirl down the arrows to see more information about the certificate.
    • In Firefox you will need to click More Information.
      • Firefox will display the Security tab of a Page Info pop-up, which will also include the details of the SSL certificate and its expiration date.
  9. Now that you have confirmed that the certificate was renewed, we’re done. Type sudo chown -R root:root /etc/lego and press Enter to chown the lego directory back to the root user.
  10. Type stat -c %U /etc/lego and press Enter to confirm that your chown command changed the ownership of lego back to root.
  11. When root displays you have confirmed the ownership change, type exit and press Enter to disconnect from the EC2 instance.
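The steps above collected into one script, added here as an example that is not part of the tutorial: it skips the renewal when the certificate still has more than 30 days left, and it always starts Apache and restores the ownership of /etc/lego even if lego fails part-way. It assumes GNU date and openssl on the instance and that lego writes the certificate to /etc/lego/certificates/<domain>.crt, a layout the tutorial does not state; the email and domain are the tutorial’s placeholders.

```shell
#!/bin/sh
# Added example, not from the tutorial. Wraps the manual renewal steps and
# adds two safeguards: renew only when the certificate is near expiry, and
# always start Apache and restore /etc/lego ownership, even if lego fails.
set -eu

EMAIL="${EMAIL:-email@email.com}"            # placeholder from the tutorial
DOMAIN="${DOMAIN:-www.domain.com}"           # placeholder from the tutorial
LEGO_PATH="/etc/lego"
CERT="$LEGO_PATH/certificates/$DOMAIN.crt"   # assumed lego layout
THRESHOLD_DAYS=30

# Days until an openssl-style "notAfter=Mon DD HH:MM:SS YYYY GMT" date;
# a negative result means the certificate has already expired. Needs GNU date.
days_left() {
  not_after="${1#notAfter=}"
  end=$(date -d "$not_after" +%s)
  now=$(date +%s)
  echo $(( (end - now) / 86400 ))
}

# True (exit 0) when the days left ($1) are below the threshold ($2).
needs_renewal() {
  [ "$1" -lt "$2" ]
}

# Put the server back the way the tutorial leaves it, whatever happened.
cleanup() {
  sudo /opt/bitnami/ctlscript.sh start apache
  sudo chown -R root:root "$LEGO_PATH"
}

main() {
  left=$(days_left "$(sudo openssl x509 -enddate -noout -in "$CERT")")
  if ! needs_renewal "$left" "$THRESHOLD_DAYS"; then
    echo "$DOMAIN: $left days left, nothing to do"
    return 0
  fi
  trap cleanup EXIT
  sudo chown -R bitnami:bitnami "$LEGO_PATH"
  sudo /opt/bitnami/ctlscript.sh stop apache
  sudo /usr/local/bin/lego --email="$EMAIL" --domains="$DOMAIN" \
       --path="$LEGO_PATH" renew
  # Read the expiry again from the new file to confirm the renewal worked.
  left=$(days_left "$(sudo openssl x509 -enddate -noout -in "$CERT")")
  echo "$DOMAIN: renewed, now expires in $left days"
}
# Run as: sh renew-lego.sh run  (without "run" the file only defines functions)
if [ "${1:-}" = "run" ]; then main; fi
```

Checking the expiry with openssl this way replaces the browser check in steps 6 to 8 and can be run over SSH without a browser.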