Last updated on May 10th, 2024 at 08:48 am

In this guide I will walk you through 6 simple steps of configuring a Let’s Encrypt SSL certificate in Apache running on AWS Amazon Linux 2. I am going to use one of my domains named as an example, to show you how a from-scratch configuration looks in the real world.

Step 1 – Install CertBot

In order to install CertBot, we have to enable the EPEL repo in Amazon Linux 2. Let's get started.

$ sudo amazon-linux-extras install epel

Once EPEL is installed and enabled, just use yum to install CertBot.

$ sudo yum install certbot

Step 2 – Install Apache Plugin

Once CertBot is installed, the next command installs the Apache plugin for CertBot.

$ sudo yum install python-certbot-apache

List the installed plugins with the certbot command to make sure that the Apache Web Server plugin is displayed.

$ sudo certbot plugins
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
* apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT

* standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator

* webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator

Step 3 – Configure Virtual Host

Before we request an SSL certificate from Let's Encrypt, we need to make sure that the Apache configuration has the required VirtualHost directives (if not already done).

Since we are using as the test domain, I have created a configuration file under /etc/httpd/conf.d with the name

conf.d]# cat
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
</VirtualHost>

As you can see above, I have as ServerName and also added ServerAlias as

Step 4 – Request Certificate

Once the configuration looks good, the next step is to request an SSL certificate via CertBot.

# certbot certonly --apache
   Saving debug log to /var/log/letsencrypt/letsencrypt.log
   Plugins selected: Authenticator apache, Installer apache

   Which names would you like to activate HTTPS for?
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
   Select the appropriate numbers separated by commas and/or spaces, or leave input
   blank to select all options shown (Enter 'c' to cancel): 1
   Requesting a certificate for
   Performing the following challenges:
   http-01 challenge for
   Waiting for verification...
   Cleaning up challenges

    - Congratulations! Your certificate and chain have been saved at:
      Your key file has been saved at:
      Your certificate will expire on 2023-03-30. To obtain a new or
      tweaked version of this certificate in the future, simply run
      certbot again. To non-interactively renew *all* of your
      certificates, run "certbot renew"
    - If you like Certbot, please consider supporting our work by:

      Donating to ISRG / Let's Encrypt:
      Donating to EFF:          

Since I have two names, as ServerName and as ServerAlias, it prompted me to install a certificate for both, but I selected only since this is an example.

You can also use certbot --apache instead of the certonly command I used above, but that variant automatically edits the Apache configuration files for you. This is not a great approach in my opinion. It is always good to know exactly which configuration got updated, so that if we face any issues it is easy to revert to the original configuration.

My SSL certificates are located in

Certificate and chain:
Key file:
Certificate expires on 2023-03-30

Step 5 – Update SSL certificate path

Next we have to update the SSL file location, along with adding a VirtualHost for port 443. If you already have the VirtualHost block, just update the SSLCertificateFile and SSLCertificateKeyFile directives. It is recommended not to move or rename these certificate files: CertBot keeps track of them and renews them in place, so Apache should reference them at their original location.

My configuration for VirtualHost looks like this.

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
</VirtualHost>

Step 6 – Restart Apache / Test Website

You are all set; the only remaining work is restarting (or reloading) Apache and testing that everything is working.

$ sudo systemctl restart httpd
$ curl -I
HTTP/1.1 200 OK
Date: Fri, 30 Dec 2022 19:26:56 GMT
Server: Apache/2.4.54 () OpenSSL/1.0.2k-fips
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Fri, 30 Dec 2022 19:19:35 GMT
ETag: "f-5f1107b656fb2"
Accept-Ranges: bytes
Content-Length: 15
Content-Type: text/html; charset=UTF-8

As you can see, I got a 200 OK response for the HTTPS request. That is a good sign. Now let us check the browser and see what it shows.

As you can see, the certificate details in my browser show all the information regarding the certificate along with the padlock icon; this means we have successfully configured Apache to serve HTTPS requests.

Some closing notes: since this is AWS, make sure that the security group assigned to the instance allows inbound traffic on ports 80 and 443 (port 80 is needed for the http-01 challenge, port 443 for serving HTTPS).

Make sure that the domain resolves to the IP address of the instance, i.e. the A record should point to the instance's IP address; otherwise you will see an error similar to

   Type:   unauthorized
   Detail: 12.xx.xx.51: Invalid response from

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

If you would like to obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew".
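As an added check for Step 5 (example code written for this guide, not from the original post or from Certbot itself), the script below parses an Apache vhost file and flags a *:443 block that lacks SSLEngine on or that references certificate files outside /etc/letsencrypt/live, where Certbot renews them in place. It assumes Certbot's standard fullchain.pem and privkey.pem file names and uses example.com as a constructed domain.

```shell
#!/bin/sh
# Added check (not from the original post): a *:443 VirtualHost must have
# SSLEngine on and keep SSLCertificateFile/SSLCertificateKeyFile under
# /etc/letsencrypt/live so that "certbot renew" updates what Apache serves.
# check_ssl_vhost FILE: print one line per problem; exit 0 only when clean.
check_ssl_vhost() {
    _problems=0
    # Keep only the lines of the *:443 VirtualHost block.
    _block=$(awk '/<VirtualHost[^>]*:443>/{b=1} b{print} /<\/VirtualHost>/{b=0}' "$1")
    if [ -z "$_block" ]; then
        echo "no <VirtualHost *:443> block found"
        return 1
    fi
    printf '%s\n' "$_block" | grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' \
        || { echo "SSLEngine on is missing"; _problems=$((_problems + 1)); }
    for _d in SSLCertificateFile SSLCertificateKeyFile; do
        _path=$(printf '%s\n' "$_block" | awk -v d="$_d" '$1 == d { print $2; exit }')
        if [ -z "$_path" ]; then
            echo "$_d is missing"; _problems=$((_problems + 1))
        else
            case "$_path" in
                /etc/letsencrypt/live/*.pem) ;;   # certbot-managed location
                *) echo "$_d points outside /etc/letsencrypt/live: $_path"
                   _problems=$((_problems + 1)) ;;
            esac
        fi
    done
    [ "$_problems" -eq 0 ]
}
# Constructed sample: the Step 5 layout, with example.com as the domain.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
<VirtualHost *:443>
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
# Constructed sample: certificate copied elsewhere and SSLEngine forgotten.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
<VirtualHost *:443>
    SSLCertificateFile /etc/httpd/ssl/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
check_ssl_vhost "$GOOD_CONF" && echo "good config: OK"
check_ssl_vhost "$BAD_CONF" || echo "bad config: problems found"
```

Run it against your own file with `check_ssl_vhost /etc/httpd/conf.d/<your vhost file>` before restarting httpd.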
