I’m really happy having migrated to Amazon Lightsail so far. The documentation is good and it has a big enough user base so that there are plenty of others who have had the same issues as I am encountering. Sometimes though, it’s not quite the same.
Documentation:
Tutorial: Configure Apache Web Server on Amazon Linux to Use SSL/TLS
Appendix: Let’s Encrypt with Certbot on Amazon Linux
Able to follow the first steps:
$ sudo yum-config-manager --enable epel
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --debug
As a sidenote, certbot-auto is located in /etc.
Anyway, after running through the certbot-auto steps, it fails with the following message:
Incorrect validation certificate for tls-sni-01 challenge. Requested 6e9f679b4c7458baae91e229b3352d33.6e3c653d675dfdf58604b4b049566594.acme.invalid from xxx.xxx.xxx.xxx:443. Received 1 certificate(s), first certificate had names "ip-yyy-yyy-yyy-yyy, ip-yyy-yyy-yyy-yyy.us-west-2.compute.internal, localhost, localhost.localdomain"
The certbot documentation for Apache on CentOS/RHEL 7 shows a certificate-only process, instead of the automated installation of the certificate and key into the right locations.
The certificates are located in /etc/pki/tls/certs/
The private keys are located in /etc/pki/tls/private/
$ sudo certbot-auto --apache certonly
Running Certbot generates the certificate and key and puts them into /etc/letsencrypt/live/domain.com/
From there, it is just a quick ln -s to the right directories and boom. SSL works.
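The linking step above as a small script. This is an added example, not commands from the original post. It assumes certbot's standard file names (fullchain.pem, privkey.pem) and the target names localhost.crt and localhost.key that a stock mod_ssl ssl.conf references; the second argument is a hypothetical root prefix for trying it against a scratch directory.

```shell
#!/bin/sh
# Added example: link Let's Encrypt output into the Apache TLS directories.
# Assumptions (not from the post): source names fullchain.pem / privkey.pem,
# target names localhost.crt / localhost.key. Adjust the targets to whatever
# SSLCertificateFile and SSLCertificateKeyFile point at in your ssl.conf.

link_le_cert() {
    domain=$1
    root=${2:-}   # hypothetical prefix for testing; empty means the real /etc
    live="$root/etc/letsencrypt/live/$domain"
    certs="$root/etc/pki/tls/certs"
    private="$root/etc/pki/tls/private"

    # Refuse to create dangling links if certbot has not produced the files.
    for f in fullchain.pem privkey.pem; do
        [ -s "$live/$f" ] || { echo "missing or empty: $live/$f" >&2; return 1; }
    done

    _link "$live/fullchain.pem" "$certs/localhost.crt" || return 1
    _link "$live/privkey.pem" "$private/localhost.key" || return 1
}

_link() {
    src=$1
    dst=$2
    # Keep the existing self-signed file once, so the change can be rolled back.
    if [ -e "$dst" ] && [ ! -L "$dst" ] && [ ! -e "$dst.orig" ]; then
        mv "$dst" "$dst.orig" || return 1
    fi
    ln -sfn "$src" "$dst" || return 1
    # Confirm the link resolves to a readable file before Apache is reloaded.
    [ -r "$dst" ] || { echo "$dst does not resolve" >&2; return 1; }
}

# Usage on the server (run as root): link_le_cert domain.com
```

Linking to the live/ directory rather than copying means a renewed certificate is picked up the next time Apache is reloaded.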