{"id":26208,"date":"2016-06-27T09:23:18","date_gmt":"2016-06-27T07:23:18","guid":{"rendered":"https:\/\/mamchenkov.net\/wordpress\/?p=26208"},"modified":"2019-02-25T12:06:12","modified_gmt":"2019-02-25T10:06:12","slug":"lets-encrypt-on-centos-7-and-amazon-ami","status":"publish","type":"post","link":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/","title":{"rendered":"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI"},"content":{"rendered":"<!-- google_ad_section_start -->\n<p>The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. &nbsp;Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some.<\/p>\n<p>Instead of going the usual way for the renewal, I decided to try to the <a href=\"https:\/\/letsencrypt.org\/\">Let&#8217;s Encrypt<\/a> deal. &nbsp;(I&#8217;ve covered Let&#8217;s Encrypt before <a href=\"https:\/\/mamchenkov.net\/wordpress\/2014\/11\/21\/launching-in-2015-a-certificate-authority-to-encrypt-the-entire-web\/\">here<\/a> and <a href=\"https:\/\/mamchenkov.net\/wordpress\/2016\/04\/18\/lets-encrypt-is-not-in-beta-anymore\/\">here<\/a>.) &nbsp;Basically, Let&#8217;s Encrypt is a new Certification Authority, created by <a href=\"https:\/\/www.eff.org\/\">Electronic Frontier Foundation<\/a> (EFF), with the backing of Google, Cisco, Mozilla Foundation, and the like. &nbsp;This new CA is issuing well recognized SSL certificates, for free. &nbsp;Which is good. &nbsp;But the best part is that they&#8217;ve setup the process to be as automated as possible. &nbsp;All you need is to run a shell command to get the certificate and then another shell command in the crontab to renew the certificate automatically. &nbsp;Certificates are only issued for 3 months, so you&#8217;d really want to have them automatically updated.<\/p>\n<p>It took me longer than I expected to figure out how this whole thing works, but that&#8217;s because I&#8217;m not well versed in SSL, and because they have so many different options, suited for different web servers, and different sysadmin experience levels.<\/p>\n<p>Eventually I made it work, and here is the complete process, so that I don&#8217;t have to figure it out again later.<\/p>\n<p>We are running a mix of CentOS 7 and Amazon AMI servers, using both Nginx and Apache. &nbsp; Here&#8217;s what I had to do.<\/p>\n<p>First things first. &nbsp;Install the Let&#8217;s Encrypt client software. &nbsp;Supposedly there are <a href=\"https:\/\/letsencrypt.org\/getting-started\/\">several options<\/a>, but I went for the official one. &nbsp;Manual way:<\/p>\n<pre class=\"brush: bash; light: true; title: ; notranslate\" title=\"\">\n# Install requirements\nyum install git bc\ncd \/opt\ngit clone https:\/\/github.com\/certbot\/certbot letsencrypt\n<\/pre>\n<p>Alternatively, you can use <a href=\"https:\/\/github.com\/geerlingguy\/ansible-role-letsencrypt\">geerlingguy&#8217;s lets-encrypt-role<\/a> for Ansible.<\/p>\n<p>Secondly, we need to get a new certificate. &nbsp;As I said before, there are multiple options here. &nbsp;I decided to use the <em>certonly<\/em> way, so that I have better control over where things go, and so that I would minimize the web server downtime.<\/p>\n<p>There are a few things that you need to specify for the new SSL certificate. &nbsp;These are:<\/p>\n<ul>\n<li>The list of domains, which the certificate should cover. &nbsp;I&#8217;ll use <em>example.com<\/em> and <em>www.example.com<\/em> here.<\/li>\n<li>The path to the web folder of the site. &nbsp;I&#8217;ll use <em>\/var\/www\/vhosts\/example.com\/<\/em><\/li>\n<li>The email address, which Let&#8217;s Encrypt will use to contact you in case there is something urgent. &nbsp;I&#8217;ll use <em>ssl@example.com<\/em> here.<\/li>\n<\/ul>\n<p>Now, the command to get the SSL certificate is:<\/p>\n<pre class=\"brush: bash; light: true; title: ; notranslate\" title=\"\">\n\/opt\/letsencrypt\/certbot-auto certonly --webroot --email ssl@example.com --agree-tos -w \/var\/www\/vhosts\/example.com\/ -d example.com -d www.example.com\n<\/pre>\n<p>When you run this for the first time, you&#8217;ll see that a bunch of additional RPM packages will be installed, for the virtual environment to be created and used. &nbsp;On CentOS 7 this is sufficient. &nbsp;On Amazon AMI, the command will run, install things, and will fail with something like this:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\nWARNING: Amazon Linux support is very experimental at present...\nif you would like to work on improving it, please ensure you have backups\nand then run this script again with the --debug flag!\n<\/pre>\n<p>This is useful, but insufficient. &nbsp;Before you can run successfully, you&#8217;ll also need to do the following:<\/p>\n<pre class=\"brush: bash; light: true; title: ; notranslate\" title=\"\">\nyum install python26-virtualenv\n<\/pre>\n<p>Once that is done, run the certbot command with the <em>&#8211;debug<\/em> parameter, like so:<\/p>\n<pre class=\"brush: bash; light: true; title: ; notranslate\" title=\"\">\n\/opt\/letsencrypt\/certbot-auto certonly --webroot --email ssl@example.com --agree-tos -w \/var\/www\/vhosts\/example.com\/ -d example.com -d www.example.com --debug\n<\/pre>\n<p>This should produce a success message, with &#8220;Congratulations!&#8221; and all that. &nbsp;The path to your certificate (somewhere in <em>\/etc\/letsencrypt\/live\/example.com\/<\/em>) and its expiration date will be mentioned too.<\/p>\n<p>If you didn&#8217;t get the success message, make sure that:<\/p>\n<ul>\n<li>the domain, for which you are requesting a certificate, resolves back to the server, where you are running the certbot command. &nbsp;Let&#8217;s Encrypt will try to access the site for verification purposes.<\/li>\n<li>that public access is allowed to the <em>\/.well-known\/<\/em> folder. &nbsp;This is where Let&#8217;s Encrypt will store temporary verification files. &nbsp;Note that the folder starts with dot, which in UNIX means hidden folder, which are often denied access to by many web server configurations.<\/li>\n<\/ul>\n<p>Just drop a simple <em>hello.txt<\/em> to the <em>\/.well-known\/<\/em> folder and see if you can access it with the browser. &nbsp;If you can, then Let&#8217;s Encrypt shouldn&#8217;t have any issues getting you a certification. &nbsp;If all else fails, RTFM.<\/p>\n<p>Now that you have the certificate generated, you&#8217;ll need to add it to the web server&#8217;s virtual host configuration. &nbsp;How exactly to do this varies from web server to web server, and even between the different versions of the same web server.<\/p>\n<p>For Apache version &gt;= 2.4.8 you&#8217;ll need to do the following:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\nSSLEngine on\nSSLCertificateKeyFile \/etc\/letsencrypt\/live\/example.com\/privkey.pem\nSSLCertificateFile \/etc\/letsencrypt\/live\/example.com\/fullchain.pem\n<\/pre>\n<p>For Apache version &lt; 2.4.8 you&#8217;ll need to do the following:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\nSSLEngine on\nSSLCertificateKeyFile \/etc\/letsencrypt\/live\/example.com\/privkey.pem\nSSLCertificateFile \/etc\/letsencrypt\/live\/example.com\/cert.pem\nSSLCertificateChainFile \/etc\/letsencrypt\/live\/example.com\/chain.pem\n<\/pre>\n<p>For Nginx &gt;= 1.3.7 you&#8217;ll need to do the following:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\nssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\nssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\n<\/pre>\n<p>You&#8217;ll obviously need the additional SSL configuration options for protocols, ciphers and the like, which I won&#8217;t go into here, but here are a few useful links:<\/p>\n<ul>\n<li><a href=\"https:\/\/community.letsencrypt.org\/t\/apache-configuration-example\/2338\">Apache Configuration Example<\/a><\/li>\n<li><a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04\">How To Secure Nginx with Let&#8217;s Encrypt on Ubuntu 14.04<\/a><\/li>\n<li><a href=\"http:\/\/letsencrypt.readthedocs.io\/en\/latest\/using.html\">Certbot User Guide<\/a><\/li>\n<li><a href=\"https:\/\/community.letsencrypt.org\/t\/using-the-webroot-domain-verification-method\/1445\">Using the webroot domain verification method<\/a><\/li>\n<li><a href=\"https:\/\/weakdh.org\/sysadmin.html\">Guide to Deploying Diffie-Hellman for TLS<\/a><\/li>\n<\/ul>\n<p>Once your SSL certificate is issued and web server is configured to use it, all you need is to add an entry to the crontab to renew the certificates which are expiring in 30 days or less. &nbsp;You&#8217;ll only need a single entry for all your certificates on this machine. &nbsp;Edit your <em>\/etc\/crontab<\/em> file and add the following (adjust for your web server software, obviously):<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\n# Renew Let's Encrypt certificates at 6pm every Sunday\n0 18 * * 0 root (\/opt\/letsencrypt\/certbot-auto renew &amp;amp;&amp;amp; service httpd restart)\n<\/pre>\n<p>That&#8217;s about it. &nbsp;Once all is up and running, verify and adjust your SSL configuration, using <a href=\"https:\/\/www.ssllabs.com\/ssltest\/\">Qualys SSL<\/a> Labs excellent tool.<\/p>\n<!-- google_ad_section_end -->\n","protected":false},"excerpt":{"rendered":"<!-- google_ad_section_start -->\n<p>The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. &nbsp;Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let&#8217;s Encrypt &hellip; <a href=\"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Let&#8217;s Encrypt on CentOS 7 and Amazon AMI<\/span><\/a><\/p>\n<!-- google_ad_section_end -->\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"Let's Encrypt on CentOS 7 and Amazon AMI #SysAdmin #DevOps #LetsEncrypt #SSL #WebDev #security #privacy","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false,"_links_to":"","_links_to_target":""},"categories":[1,6,133,62,1334],"tags":[3270,3476,3085,3246,2366,3427,3164,384,200,3413,1330,2289],"keyring_services":[],"class_list":["post-26208","post","type-post","status-publish","format-standard","hentry","category-general","category-linux","category-sysadmin","category-technology","category-web-work","tag-amazon-aws","tag-amazon-linux-ami","tag-apache","tag-centos-linux","tag-cloud-computing","tag-lets-encrypt","tag-nginx","tag-privacy","tag-security","tag-ssl","tag-web-development","tag-web-hosting"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.10 - aioseo.com -->\n\t<meta name=\"description\" content=\"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let&#039;s Encrypt\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Leonid Mamchenkov\"\/>\n\t<meta name=\"google-site-verification\" content=\"VHvdD0_usx1_4DzKy_QCVcICVgX2EgA2ybELT-wl7kQ\" \/>\n\t<link rel=\"canonical\" href=\"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.10\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Leonid Mamchenkov - Life, universe, and everything else\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov\" \/>\n\t\t<meta property=\"og:description\" content=\"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let&#039;s Encrypt\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/\" \/>\n\t\t<meta property=\"og:image\" content=\"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg\" \/>\n\t\t<meta property=\"og:image:secure_url\" content=\"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg\" \/>\n\t\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t\t<meta property=\"og:image:height\" content=\"1024\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2016-06-27T07:23:18+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2019-02-25T10:06:12+00:00\" \/>\n\t\t<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MamchenkovBlog\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:site\" content=\"@mamchenkov\" \/>\n\t\t<meta name=\"twitter:title\" content=\"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov\" \/>\n\t\t<meta name=\"twitter:description\" content=\"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let&#039;s Encrypt\" \/>\n\t\t<meta name=\"twitter:creator\" content=\"@mamchenkov\" \/>\n\t\t<meta name=\"twitter:image\" content=\"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"BlogPosting\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#blogposting\",\"name\":\"Let\\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov\",\"headline\":\"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI\",\"author\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/author\\\/leonid\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/#person\"},\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#articleImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g\",\"width\":96,\"height\":96,\"caption\":\"Leonid Mamchenkov\"},\"datePublished\":\"2016-06-27T09:23:18+02:00\",\"dateModified\":\"2019-02-25T12:06:12+02:00\",\"inLanguage\":\"en-US\",\"commentCount\":3,\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#webpage\"},\"articleSection\":\"All, Linux, Sysadmin, Technology, Web work, Amazon AWS, Amazon Linux AMI, Apache, CentOS Linux, cloud computing, Let's Encrypt, Nginx, privacy, security, SSL, web development, web hosting\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/#listItem\",\"name\":\"Technology\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/#listItem\",\"position\":2,\"name\":\"Technology\",\"item\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/linux\\\/#listItem\",\"name\":\"Linux\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/linux\\\/#listItem\",\"position\":3,\"name\":\"Linux\",\"item\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/linux\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#listItem\",\"name\":\"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/#listItem\",\"name\":\"Technology\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#listItem\",\"position\":4,\"name\":\"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/category\\\/technology\\\/linux\\\/#listItem\",\"name\":\"Linux\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/#person\",\"name\":\"Leonid Mamchenkov\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#personImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g\",\"width\":96,\"height\":96,\"caption\":\"Leonid Mamchenkov\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/author\\\/leonid\\\/#author\",\"url\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/author\\\/leonid\\\/\",\"name\":\"Leonid Mamchenkov\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g\",\"width\":96,\"height\":96,\"caption\":\"Leonid Mamchenkov\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#webpage\",\"url\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/\",\"name\":\"Let\\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov\",\"description\":\"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let's Encrypt\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/2016\\\/06\\\/27\\\/lets-encrypt-on-centos-7-and-amazon-ami\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/author\\\/leonid\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/author\\\/leonid\\\/#author\"},\"datePublished\":\"2016-06-27T09:23:18+02:00\",\"dateModified\":\"2019-02-25T12:06:12+02:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/#website\",\"url\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/\",\"name\":\"Blog of Leonid Mamchenkov\",\"description\":\"Life, universe, and everything else\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/mamchenkov.net\\\/wordpress\\\/#person\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov","description":"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let's Encrypt","canonical_url":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"google-site-verification":"VHvdD0_usx1_4DzKy_QCVcICVgX2EgA2ybELT-wl7kQ","miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"BlogPosting","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#blogposting","name":"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov","headline":"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI","author":{"@id":"https:\/\/mamchenkov.net\/wordpress\/author\/leonid\/#author"},"publisher":{"@id":"https:\/\/mamchenkov.net\/wordpress\/#person"},"image":{"@type":"ImageObject","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#articleImage","url":"https:\/\/secure.gravatar.com\/avatar\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g","width":96,"height":96,"caption":"Leonid Mamchenkov"},"datePublished":"2016-06-27T09:23:18+02:00","dateModified":"2019-02-25T12:06:12+02:00","inLanguage":"en-US","commentCount":3,"mainEntityOfPage":{"@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#webpage"},"isPartOf":{"@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#webpage"},"articleSection":"All, Linux, Sysadmin, Technology, Web work, Amazon AWS, Amazon Linux AMI, Apache, CentOS Linux, cloud computing, Let's Encrypt, Nginx, privacy, security, SSL, web development, web hosting"},{"@type":"BreadcrumbList","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress#listItem","position":1,"name":"Home","item":"https:\/\/mamchenkov.net\/wordpress","nextItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/#listItem","name":"Technology"}},{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/#listItem","position":2,"name":"Technology","item":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/","nextItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/#listItem","name":"Linux"},"previousItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/#listItem","position":3,"name":"Linux","item":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/","nextItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#listItem","name":"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI"},"previousItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/#listItem","name":"Technology"}},{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#listItem","position":4,"name":"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI","previousItem":{"@type":"ListItem","@id":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/#listItem","name":"Linux"}}]},{"@type":"Person","@id":"https:\/\/mamchenkov.net\/wordpress\/#person","name":"Leonid Mamchenkov","image":{"@type":"ImageObject","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#personImage","url":"https:\/\/secure.gravatar.com\/avatar\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g","width":96,"height":96,"caption":"Leonid Mamchenkov"}},{"@type":"Person","@id":"https:\/\/mamchenkov.net\/wordpress\/author\/leonid\/#author","url":"https:\/\/mamchenkov.net\/wordpress\/author\/leonid\/","name":"Leonid Mamchenkov","image":{"@type":"ImageObject","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/3cf6df002a284d78fb6e9d8222ca4d102e0832035ed6bc8447008bd234e131a4?s=96&d=identicon&r=g","width":96,"height":96,"caption":"Leonid Mamchenkov"}},{"@type":"WebPage","@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#webpage","url":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/","name":"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov","description":"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let's Encrypt","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/mamchenkov.net\/wordpress\/#website"},"breadcrumb":{"@id":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/#breadcrumblist"},"author":{"@id":"https:\/\/mamchenkov.net\/wordpress\/author\/leonid\/#author"},"creator":{"@id":"https:\/\/mamchenkov.net\/wordpress\/author\/leonid\/#author"},"datePublished":"2016-06-27T09:23:18+02:00","dateModified":"2019-02-25T12:06:12+02:00"},{"@type":"WebSite","@id":"https:\/\/mamchenkov.net\/wordpress\/#website","url":"https:\/\/mamchenkov.net\/wordpress\/","name":"Blog of Leonid Mamchenkov","description":"Life, universe, and everything else","inLanguage":"en-US","publisher":{"@id":"https:\/\/mamchenkov.net\/wordpress\/#person"}}]},"og:locale":"en_US","og:site_name":"Leonid Mamchenkov - Life, universe, and everything else","og:type":"article","og:title":"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov","og:description":"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let's Encrypt","og:url":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/","og:image":"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg","og:image:secure_url":"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg","og:image:width":1024,"og:image:height":1024,"article:published_time":"2016-06-27T07:23:18+00:00","article:modified_time":"2019-02-25T10:06:12+00:00","article:publisher":"https:\/\/www.facebook.com\/MamchenkovBlog","twitter:card":"summary_large_image","twitter:site":"@mamchenkov","twitter:title":"Let\u2019s Encrypt on CentOS 7 and Amazon AMI - Leonid Mamchenkov","twitter:description":"The last few weeks were super busy at work, so I accidentally let a few SSL certificates expire. Renewing them is always annoying and time consuming, so I was pushing it until the last minute, and then some. Instead of going the usual way for the renewal, I decided to try to the Let's Encrypt","twitter:creator":"@mamchenkov","twitter:image":"https:\/\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2026\/03\/leonid-sailing-beer.jpg"},"aioseo_meta_data":{"post_id":"26208","title":null,"description":null,"keywords":null,"keyphrases":null,"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":null,"og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"BlogPosting","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":null,"robots_max_videopreview":null,"robots_max_imagepreview":"large","priority":null,"frequency":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2023-07-19 10:12:46","updated":"2026-01-15 12:13:48","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/mamchenkov.net\/wordpress\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/\" title=\"Technology\">Technology<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/\" title=\"Linux\">Linux<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tLet\u2019s Encrypt on CentOS 7 and Amazon AMI\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/mamchenkov.net\/wordpress"},{"label":"Technology","link":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/"},{"label":"Linux","link":"https:\/\/mamchenkov.net\/wordpress\/category\/technology\/linux\/"},{"label":"Let&#8217;s Encrypt on CentOS 7 and Amazon AMI","link":"https:\/\/mamchenkov.net\/wordpress\/2016\/06\/27\/lets-encrypt-on-centos-7-and-amazon-ami\/"}],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":27149,"url":"https:\/\/mamchenkov.net\/wordpress\/2016\/12\/17\/amazon-linux-ami-lets-encrypt-importerror-no-module-named-interface\/","url_meta":{"origin":26208,"position":0},"title":"Amazon Linux AMI : Let&#8217;s Encrypt : ImportError: No module named interface","author":"Leonid Mamchenkov","date":"December 17, 2016","format":false,"excerpt":"Let's Encrypt has only experimental support for the Amazon Linux AMI, so it's kind of expected to have issues once in a while. \u00a0 Here's one I came across today: [code light=\"true\"] # \/opt\/letsencrypt\/certbot-auto renew Creating virtual environment... Installing Python packages... Installation succeeded. Traceback (most recent call last): File \"\/root\/.local\/share\/letsencrypt\/bin\/letsencrypt\",\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":26033,"url":"https:\/\/mamchenkov.net\/wordpress\/2016\/04\/18\/lets-encrypt-is-not-in-beta-anymore\/","url_meta":{"origin":26208,"position":1},"title":"Let&#8217;s Encrypt is not in Beta anymore","author":"Leonid Mamchenkov","date":"April 18, 2016","format":false,"excerpt":"Let's Encrypt - anew Certificate Authority, which is free, open, and automated - announced that it's leaving beta. \u00a0Just look at how many SSL certificates they've issued, and at what rate! I've first written about Let's Encrypt back in November 2014. \u00a0It hasn't been that long ago, but boy, what\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"Issuance-April-10-2016","src":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2016\/04\/Issuance-April-10-2016-500x302.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":26999,"url":"https:\/\/mamchenkov.net\/wordpress\/2016\/11\/28\/s3-static-site-with-ssl\/","url_meta":{"origin":26208,"position":2},"title":"S3 static site with SSL","author":"Leonid Mamchenkov","date":"November 28, 2016","format":false,"excerpt":"\"S3 static site with SSL and automatic deploys using Travis\" is a goldmine of all those simple technologies tied into a single knot for an impressive result. \u00a0It has a bit of everything: Jekyll - simple, blog-aware, static sites engine, for managing content. GitHub - for version control of the\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"s3-static-site","src":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2016\/11\/s3-static-site-479x500.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":28305,"url":"https:\/\/mamchenkov.net\/wordpress\/2018\/01\/09\/lets-encrypt-is-leading-top-ssl-issuers\/","url_meta":{"origin":26208,"position":3},"title":"Let&#8217;s Encrypt is leading Top SSL Issuers","author":"Leonid Mamchenkov","date":"January 9, 2018","format":false,"excerpt":"Netrack reports some statistics for the Top SSL Issuers, and it's nice to see Let's Encrypt leading the race with a significant advantage over the rest. Well done, ladies and gentlemen!","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/mamchenkov.net\/wordpress\/wp-content\/uploads\/2018\/01\/ssl-issuers-graph-500x281.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]},{"id":27352,"url":"https:\/\/mamchenkov.net\/wordpress\/2017\/02\/14\/fixing-outdated-lets-encrypt-zope-interface-error\/","url_meta":{"origin":26208,"position":4},"title":"Fixing outdated Let&#8217;s Encrypt (zope.interface error)","author":"Leonid Mamchenkov","date":"February 14, 2017","format":false,"excerpt":"I've started using Let's Encrypt for the SSL certificates a while back. \u00a0I installed it on all the web servers, irrelevant of the need for SSL, just to have it there, when I need it (thanks to this Ansible role). \u00a0One of those old web servers needed an SSL certificate\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":29115,"url":"https:\/\/mamchenkov.net\/wordpress\/2018\/12\/19\/well-known-uris\/","url_meta":{"origin":26208,"position":5},"title":"Well-Known URIs","author":"Leonid Mamchenkov","date":"December 19, 2018","format":false,"excerpt":"Back when Let's Encrypt started giving out free SSL certificates, one bit that visible all over the web was the \"well-known\" directory.\u00a0 I never thought much about it - it's just a name after all. Turns out, there is actually an RFC 5785 that defines a standard for the well-known\u2026","rel":"","context":"In &quot;All&quot;","block_context":{"text":"All","link":"https:\/\/mamchenkov.net\/wordpress\/category\/general\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/26208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/comments?post=26208"}],"version-history":[{"count":0,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/posts\/26208\/revisions"}],"wp:attachment":[{"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/media?parent=26208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/categories?post=26208"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/tags?post=26208"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/mamchenkov.net\/wordpress\/wp-json\/wp\/v2\/keyring_services?post=26208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}