Free SSL Certificate for LIFE — No Renewals and Never Expires

Description

Installing an SSL certificate for the first time

The very first time you set up SSL with your CloudFront distribution you’ll need to carry out a few simple procedures in the right order. We are going to create a certificate signing request, use it to generate our SSL certificate, verify the domain name and install the SSL certificate in CloudFront. All of these steps require just a browser and the AWS command line client.

Generate a Certificate Signing Request

Even though you might be tempted to skip this step and use the automated CSR generator which is part of the certificate issuance process, please don’t. You’ll need the domain key you’ll generate as part of the CSR below to refresh the Let’s Encrypt SSL certificate every 3 months.

• Go to ZeroSSL. That’s a free service which let you create Let’s Encrypt SSL certificates which we’re going to be using throughout this guide.
• On the left hand side click on Certificates and Tools.
• Scroll down, even though there seems to be nothing there. You’ll now see a section appearing, called CSR Generator. Click on the Start button below it.
• In the Domains area enter the custom (sub)domain name for your CloudFront distribution. For example, cdn.example.com but NOT www.example.com or just example.com (these last two examples are WRONG).
• To its right, select 2048 bits. This is very important. Amazon will NOT work with 4096 bits keys.
• Fill in the information under Organization through Country. Although these are optional they will be part of the certificate and visible to your clients. It’s a good idea entering your real information here.
• Now click on the Generate button.
• After a short while the two text areas are filled with some data. We’ll need to copy them to some files. Open up a plain text editor (e.g. Notepad, GEdit, TextWrangler, Smultron and so on).
• Save the left text area’s content into a file called domain-key.txt
• Save the right text area’s content into a file called csr.txt.

Issuing the certificate

Issuing the certificate consists of three sub-steps which must be carried out in the order stated below. Please review these steps because you can’t halt the process and resume it later. If you find out you’re missing something you’ll have to redo this whole step.

Run the certificate wizard

• Go back to ZeroSSL.
• On the left hand side click on Certificates and Tools.
• Find the FREE SSL Certificate Wizard section. Click on the Start button below it.
• Enter your Email address.
• DO NOT fill in the domain name. We will use our CSR instead.
• Remember the two text files you saved above? Open them with a plain text editor (e.g. Notepad, GEdit, TextWrangler, Smultron and so on).
• Paste the content of the file called domain-key.txt to the left text area.
• Paste the content of the file called csr.txt to the right text area.

Now you have to make a very important choice: how to verify your CloudFront distribution’s (sub)domain. I prefer to use the DNS method which involves creating a TXT record in the DNS zone. This method, however, only works well if your DNS propagates fast. If you are using your host’s DNS servers you’ll need to use the HTTP verification method instead which has you upload a file to your CDN. Now that you made your choice…

• …select your verification method.
• Check the two boxes to accept the ZeroSSL terms of service and Let’s Encrypt service agreement.
• At the top right of the page click on Next to proceed to the next step.

Save your Let’s Encrypt account key

At this point ZeroSSL has created an account key for you. You will need it in the future to refresh your certificate.

Click on the download button to download it to your computer. Name the file account-key.txt.

Warning: do not confuse this file with the domain-key.txt file. They are different files with a different purpose!

After making sure the file is safely on your computer click on the Next button.

Verify your domain name

Depending in the verification method you chose, you will have to verify your site either through DNS or through HTTP (file).

The instructions are on your screen. If you are using the domain verification method you need to create a DNS TXT record containing the information presented on the screen.

If you chose the HTTP verification method instead you’re asked to create folder .well-known in your distribution and upload a file into that folder with the content specified on your screen.

In both cases the content you see on your screen is a random, impossible to guess token. Since you are able to place this impossible to guess thing somewhere on the domain you claim you own it means that you are really in control of the domain, therefore you have the right to create SSL certificates for it.

Once you have placed the TXT record in your DNS or the file in your distribution (and you’re sure it’s been propagated) click Next to complete the verification process. This is usually the most nerve-wracking part of the process since you are essentially in a hurry up and wait mode until the DNS / file propagates so that ZeroSSL can see it.

Create and save your SSL certificate

If you’re here, you’ve got your shiny new SSL certificate on your browser. We need to do a bit of work before we can use them, though.

• Open up a plain text editor (e.g. Notepad, GEdit, TextWrangler, Smultron and so on).
• Make sure that the left hand text area’s content is identical to your domain-key.txt file’s contents. Technically speaking this is your certificate’s private key which was generated as part of the CSR issuance at the very beginning of this guide.
• From the right hand text area’s content, copy the text between the FIRST set of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers, including these headers, into a file called domain-crt.txt. This is the SSL certificate for your domain.
• From the right hand text area’s content, copy the text between the SECOND set of -----BEGIN CERTIFICATE-----and -----END CERTIFICATE----- headers, including these headers, into a file called issuer-crt.txt. This is the SSL certificate of the issuing Certificate Authority (in our case it’s Let’s Encrypt).

As you observed we had to split the file in the right hand text area into two separate files. That’s because the AWS CLI client expects the two SSL certificates to be presented separately. ZeroSSL provides them in a single file because, unlike AWS, most web servers serving regular HTTPS sites expect them to be presented in the same file.

Sanity check

If you have followed this guide to the letter you now have the following files in the same directory on your computer:

• account-key.txt. The ZeroSSL and Let’s Encrypt account key you will need to refresh the certificates in the future.
• domain-key.txt. The private key for the SSL certificates issued for the CloudFront distribution’s (sub)domain.
• csr.txt. The Certificate Signing Request for the CloudFront distribution’s (sub)domain.
• domain-crt.txt. The actual SSL certificate for the CloudFront distribution’s (sub)domain.
• issuer-crt.txt. The SSL certificate of the Certificate Authority (Let’s Encrypt) which issued the certificate above.

If you’re missing any file you won’t be able to install the certificate. Check what you’re missing and follow these intructions again.

Install the certificate on Amazon Web Services

I never figured out how to use the AWS web interface to install the certificate. Therefore I’m using the AWS CLI (command line) client instead.

Open a terminal and change into the directory where you saved the text files above. Run the following command, replacing CHANGE_ME with a unique identifier. I recommend using the convention domain_year_month_date, e.g. cdn_examplecom-2017-01-17.

aws iam upload-server-certificate \
--server-certificate-name CHANGE_ME \
--certificate-body file://domain-crt.txt \
--private-key file://private-key.pem \
--certificate-chain file://issuer-crt.txt --path /cloudfront/

If you are on Windows please remove the forward slashes (\) and new lines from the command above and run it as one, big line, e.g.

aws iam upload-server-certificate --server-certificate-name CHANGE_ME --certificate-body file://domain-crt.txt --private-key file://private-key.pem --certificate-chain file://issuer-crt.txt --path /cloudfront/

Use the certificate in CloudFront

• Log into AWS Console
• Go to CloudFront, Distributions
• Find the distribution that corresponds to the SSL certificate record you created and click on it.
• In the General tab click on the Edit button
• Scroll down to Custom SSL Certificate (example.com).
• Choose the new certificate (e.g. cdn_examplecom-2017-01-17) from the drop-down.
• Scroll all the way down, click on Yes, Edit

Remember that Let’s Encrypt SSL certificates have a short life time (three months) by design. You will need to replace them before they expire, otherwise your HTTPS distribution will be broken. It’s a great idea setting a recurring alarm every 12 weeks to renew your certificates. If you’re counting you’ll see that’s shorter than the 90 days given to you by Let’s Encrypt. That’s on purpose. You might be traveling, sick or otherwise unavailable to renew the certificate on the date. It’s best to give yourself some leeway. About a week should be fine unless you plan on dropping off the face of the earth for several weeks at a time.

Refreshing the certificate

So, your certificate is about to expire. You need to refresh it, i.e. replace it with a new one. Thankfuly this process is much simpler and will take you about 5′ to 10′.

First we need to get a new certificate. We will need the contents of some of the text files we created above. Remember when I told you they are important? That’s why! The process is similar to issuing a certificate, with a couple of significant changes. Instead of providing the domain secret key you will be providing your ZeroSSL / Let’s Encrypt account key. Moreover you will have to use the same domain verification method as before. I am clearly marking the steps you need to watch out below.

• Go to ZeroSSL.
• On the left hand side click on Certificates and Tools.
• Find the FREE SSL Certificate Wizard section. Click on the Start button below it.
• DO NOT fill in the domain name. We will use our CSR instead.
• Open up a plain text editor (e.g. Notepad, GEdit, TextWrangler, Smultron and so on).
• Watch out! Paste the content of the file called account-key.txt to the left text area.
• Paste the content of the file called csr.txt to the right text area.
• Watch out! Select the same verification method you had chosen before
• Check the two boxes to accept the ZeroSSL terms of service and Let’s Encrypt service agreement.
• At the top right of the page click on Next to proceed to the next step.
• From the right hand text area’s content, copy the text between the FIRST set of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers, including these headers, into a file called domain-crt.txt. This is the SSL certificate for your domain.
• From the right hand text area’s content, copy the text between the SECOND set of -----BEGIN CERTIFICATE-----and -----END CERTIFICATE----- headers, including these headers, into a file called issuer-crt.txt. This is the SSL certificate of the issuing Certificate Authority (in our case it’s Let’s Encrypt).

You might wonder why save the issuer-crt.txt file again since we already have it. According to Let’s Encrypt’s roadmap they will use a different Certificate Authority (CA) certificate to issue SSL certificates at some point. In essence, they will transition from having their CA certificate signed from a third party root CA to being a root CA themselves. Therefore the issuer certificate may change at any point. Better be safe than sorry!