Install Certbot on EC2 instances running AL2023 (Amazon Linux 2023), use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or Nginx web server, with automated renewal
Overview
Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.
This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2023 (AL2023) and use it to enable HTTPS (using the HTTP-01 challenge type) on either an Apache or Nginx web server, with automated certificate renewal.
Other options
If you wish to use AWS Certificate Manager (ACM) certs, refer to Why can't I configure ACM certificates for my website hosted on an EC2 instance? for available options.
Requirements
Ensure that:
- you have a FQDN (fully qualified domain name) whose DNS entry resolves to the public internet IP address of your EC2 instance.
- the security group attached to your EC2 instance allows inbound HTTP and HTTPS from the internet.
The script examples below use the FQDN al2023.example.com. Adjust accordingly.
Install Certbot
```bash
sudo dnf install -y certbot python3-certbot-dns-route53 python3-certbot-apache python3-certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
```
Using Certbot with Apache web server
Replace al2023.example.com below with your domain name.
Install and Configure Apache
```bash
sudo dnf install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>
EOF
sudo systemctl enable --now httpd
```
Certbot uses Apache Virtual Hosts to identify web sites and install certs.
Verify DNS entry and web server configuration
```bash
FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
```
Ensure that both IP addresses match and that the curl command succeeds. The output should be similar to the following:
```text
[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
54.169.194.19
54.169.194.19
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Thu, 02 Jan 2025 08:57:53 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html; charset=UTF-8
```
Request and install HTTPS cert
```bash
sudo certbot --apache
```
Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and input your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.
![Certbot with Apache on AL2023](/media/postImages/original/IMDGEsVYPHRruvU79oFqeWHQ)
Using Certbot with Nginx web server
Replace al2023.example.com below with your domain name.
Install and Configure Nginx
```bash
FQDN=al2023.example.com
sudo dnf install -y nginx
sudo sed -i "s/server_name _;/server_name $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable --now nginx
```
Certbot uses Nginx Server Names to identify web sites and install certificates.
Verify DNS entry and web server configuration
```bash
FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
```
Ensure that both IP addresses match and that the curl command succeeds. The output should be similar to the following:
```text
[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
18.139.110.156
18.139.110.156
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 02 Jan 2025 09:09:26 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 22 Oct 2024 19:09:19 GMT
Connection: keep-alive
ETag: "6717f85f-267"
Accept-Ranges: bytes
```
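The two "Verify DNS entry and web server configuration" steps above (Apache and Nginx) are done by eye. The script below, an added example that is not part of the original article, turns them into checks you can run before `certbot`: the pure helpers take captured `curl -I` and `dig` text (the samples are constructed from the responses shown above), and `run_preflight` wires them to the live commands on the instance. The FQDN passed to `run_preflight` is an assumption you replace with your own.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight checks for the
# HTTP-01 challenge. The pure helpers take captured text so they run without
# network access; run_preflight wires them to curl and dig on a live instance.

# Constructed samples of `curl -I` output, modelled on the article's Apache and
# Nginx responses (CRLF line endings, as a real HTTP response has).
SAMPLE_APACHE_HEADERS=$(printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8\r\nContent-Length: 45\r\n')
SAMPLE_NGINX_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.26.2\r\nContent-Length: 615\r\n')

# 0 when the instance's public IP ($1) appears among the addresses the FQDN
# resolves to ($2; dig +short prints one address per line, hence the loop).
ip_matches_dns() {
  public_ip=$1
  for ip in $2; do
    [ "$ip" = "$public_ip" ] && return 0
  done
  return 1
}

# HTTP status code from the first line of captured `curl -I` output.
http_status() {
  printf '%s\n' "$1" | tr -d '\r' | head -n 1 | awk '{print $2}'
}

# "apache", "nginx" or "unknown" from the Server header; this tells you which
# certbot installer plugin (--apache or --nginx) matches the running server.
server_software() {
  server=$(printf '%s\n' "$1" | tr -d '\r' | awk -F': ' 'tolower($1) == "server" {print $2}')
  case "$server" in
    Apache*|apache*) echo apache ;;
    nginx*)          echo nginx ;;
    *)               echo unknown ;;
  esac
}

# 0 when the status is one the HTTP-01 validation can work with. 2xx, 403 and
# 404 on / are fine (Apache's default page answers 403, Nginx's 200). A 3xx
# means challenge requests will be redirected too, so the target must still
# serve /.well-known/acme-challenge/; 5xx means the server itself is unhealthy.
# Both are reported as "not ready" so you look before running certbot.
server_ready_for_http01() {
  case "$(http_status "$1")" in
    2??|403|404) return 0 ;;
    *)           return 1 ;;
  esac
}

# Live check, run on the instance: run_preflight al2023.example.com
run_preflight() {
  fqdn=$1
  public_ip=$(curl -s checkip.amazonaws.com)
  resolved=$(dig +short "$fqdn")
  if ! ip_matches_dns "$public_ip" "$resolved"; then
    echo "FAIL: $fqdn resolves to [$resolved], instance public IP is $public_ip" >&2
    return 1
  fi
  headers=$(curl -sI "http://$fqdn/")
  if ! server_ready_for_http01 "$headers"; then
    echo "FAIL: unexpected HTTP status $(http_status "$headers") from $fqdn" >&2
    return 1
  fi
  software=$(server_software "$headers")
  echo "OK: $fqdn -> $public_ip, $software answered $(http_status "$headers"); use certbot --$software"
}
```

Source the file and call `run_preflight` with your FQDN; a non-zero exit with a FAIL line means DNS or the web server needs attention before Certbot can pass the HTTP-01 challenge.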
Request and install HTTPS cert
```bash
sudo certbot --nginx
```
Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.
![Certbot with Nginx on AL2023](/media/postImages/original/IMZrhUKtvDQyOCuKsig_Zmsw)
Verification
Verify certificate
To display information about the certificates Certbot manages:
```bash
sudo certbot certificates
```
![Display cert info](/media/postImages/original/IMh-vrpvnZQaOLqW9le00a8A)
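The `certbot-renew.timer` enabled in the install step and the `certbot certificates` output above are what keep the site from going dark when the 90-day certificate expires. As an added example (not part of the original article), the script below checks both: `certs_expiring_within` parses `certbot certificates` text (the sample is constructed, modelled on Certbot's format) and lists certificates that are expired or closer to expiry than Certbot's 30-day renewal window, and `check_renewal_setup` runs the live checks on the instance, including `certbot renew --dry-run`, which exercises the whole renewal path against Let's Encrypt's staging environment without touching the live certificate.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that automated
# renewal works and flag certificates close to expiry. The sample output is
# constructed, not captured from a real instance.

SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: al2023.example.com
    Domains: al2023.example.com
    Expiry Date: 2025-04-02 08:57:53+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/al2023.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/al2023.example.com/privkey.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-01-20 10:00:00+00:00 (VALID: 18 days)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2024-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/dead.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/dead.example.com/privkey.pem'

# Print the names of certificates that are expired or have fewer than $1 days
# left, given `certbot certificates` output in $2. Certbot renews 30 days
# before expiry, so a cert under that limit while the timer is enabled means
# renewal is failing and needs a look at `journalctl -u certbot-renew`.
certs_expiring_within() {
  printf '%s\n' "$2" | awk -v limit="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if ($0 ~ /INVALID/) { print name; next }
      if (match($0, /VALID: [0-9]+ day/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        if (f[2] + 0 < limit) print name
      }
    }'
}

# Live checks, for use on the instance (needs sudo and the installed certbot).
check_renewal_setup() {
  if ! systemctl is-enabled certbot-renew.timer >/dev/null 2>&1; then
    echo "certbot-renew.timer is not enabled: run sudo systemctl enable --now certbot-renew.timer" >&2
    return 1
  fi
  # Full renewal rehearsal against the staging environment; the live cert is untouched.
  sudo certbot renew --dry-run || return 1
  expiring=$(certs_expiring_within 30 "$(sudo certbot certificates 2>/dev/null)")
  if [ -n "$expiring" ]; then
    echo "WARNING: renewal overdue for: $expiring" >&2
    return 1
  fi
  echo "OK: renewal timer enabled, dry run succeeded, no certificate within 30 days of expiry"
}
```

Running `check_renewal_setup` from cron or a monitoring agent gives an early warning well before the browser error that users would otherwise be the first to see.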
Verify installation
Browse to your web site to verify that HTTPS certificate is installed.
![Browser verification](/media/postImages/original/IM9hmH7Wk5Qm-9TqQKNUzrzA)
More information
Refer to the Certbot User Guide.
Multiple domains on a single certificate
Certbot supports multiple domains on a single certificate. You will need to modify your Apache or Nginx website configuration so that it lists every name.
For Apache, update the VirtualHost section with the appropriate ServerName and ServerAlias:
```apache
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
```
For Nginx, update the server section with the appropriate server_name:
```nginx
server {
server_name example.com www.example.com;
```
For each domain name, create a DNS record that resolves to your EC2 instance public IP address. Restart Apache/Nginx before running Certbot.
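As an added example (not part of the original article), the script below generates the multi-domain configuration described above for either server and the matching non-interactive `certbot` command line (`-d` is Certbot's per-domain flag). It also refuses names HTTP-01 cannot validate: wildcard certificates are only issued through the DNS-01 challenge, which is what the python3-certbot-dns-route53 plugin installed earlier is for. The domain list, document roots and the `/etc/nginx/conf.d/site.conf` path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article: multi-domain config and the
# matching certbot invocation. Paths and domain names are illustrative.

# 0 for a lowercase hostname the HTTP-01 challenge can validate. Wildcards and
# names with characters outside the DNS hostname syntax are rejected.
domain_ok() {
  printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# "-d a -d b ..." for certbot; fails on the first invalid name so a typo
# never reaches the CA.
certbot_domain_args() {
  args=""
  for d in "$@"; do
    domain_ok "$d" || { echo "invalid domain for HTTP-01: $d" >&2; return 1; }
    args="$args -d $d"
  done
  printf '%s' "${args# }"
}

# Apache: the first domain becomes ServerName, the rest ServerAlias.
render_apache_vhost() {
  primary=$1
  shift
  printf '<VirtualHost *:80>\n'
  printf '    ServerName %s\n' "$primary"
  if [ $# -gt 0 ]; then printf '    ServerAlias %s\n' "$*"; fi
  printf '    DocumentRoot /var/www/html\n</VirtualHost>\n'
}

# Nginx: all domains go on one server_name line.
render_nginx_server() {
  printf 'server {\n    listen 80;\n    server_name %s;\n    root /usr/share/nginx/html;\n}\n' "$*"
}

# Live procedure on the instance for Nginx: write the config, validate and
# reload (the article's "restart before running Certbot"), then request one
# certificate covering every name. For Apache, write render_apache_vhost
# output to /etc/httpd/conf.d/www.conf, reload httpd and run certbot --apache.
apply_nginx_multi_domain() {
  args=$(certbot_domain_args "$@") || return 1
  render_nginx_server "$@" | sudo tee /etc/nginx/conf.d/site.conf >/dev/null
  sudo nginx -t || return 1
  sudo systemctl reload nginx || return 1
  # $args is intentionally unquoted so it splits into separate -d arguments
  sudo certbot --nginx $args
}
```

Usage on the instance: `apply_nginx_multi_domain example.com www.example.com`, after each name has a DNS record pointing at the instance.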
Refer to the Certbot documentation and Get Help page for more information.