How to use Certbot to enable HTTPS with Apache or Nginx on EC2 instances running Amazon Linux 2023 (AL2023)?

4 minute read
Content level: Intermediate

Install Certbot on EC2 instances running AL2023 (Amazon Linux 2023) and use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or an Nginx web server, with automated renewal.

Overview

Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2023 (AL2023) and use it to enable HTTPS (using the HTTP-01 challenge type) on either an Apache or an Nginx web server, with automated certificate renewal.

Other options

If you wish to use AWS Certificate Manager (ACM) certificates, refer to "Why can't I configure ACM certificates for my website hosted on an EC2 instance?" for the available options.

Requirements

Ensure that

The script examples below use an FQDN of al2023.example.com. Adjust it to your own domain name.

Install Certbot

sudo dnf install -y certbot python3-certbot-dns-route53 python3-certbot-apache python3-certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer

Using Certbot with Apache web server

Replace al2023.example.com below with your domain name.

Install and Configure Apache

sudo dnf install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
</VirtualHost>
EOF

sudo systemctl enable --now httpd

Certbot uses Apache virtual hosts to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
54.169.194.19
54.169.194.19
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Thu, 02 Jan 2025 08:57:53 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html; charset=UTF-8

Request and install HTTPS cert

sudo certbot --apache

Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and input your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.

[Screenshot: Certbot with Apache on AL2023]

Using Certbot with Nginx web server

Replace al2023.example.com below with your domain name.

Install and Configure Nginx

FQDN=al2023.example.com

sudo dnf install -y nginx
sudo sed -i "s/server_name  _;/server_name  $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable --now nginx

Certbot uses Nginx Server Names to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
18.139.110.156
18.139.110.156
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 02 Jan 2025 09:09:26 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 22 Oct 2024 19:09:19 GMT
Connection: keep-alive
ETag: "6717f85f-267"
Accept-Ranges: bytes
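The two "Verify DNS entry and web server configuration" steps above (the Apache one and the Nginx one) are the same check, and it is worth scripting before running Certbot: HTTP-01 validation has Let's Encrypt fetch a token from http://FQDN/.well-known/acme-challenge/, so the name must resolve to this instance and port 80 must answer, and each failed validation counts against Let's Encrypt rate limits. The following pre-flight script is an added example, not part of the original article. It assumes curl and dig (bind-utils) as used in the article; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: pre-flight check before
# "certbot --apache" / "certbot --nginx". Assumes curl and dig as used above.

# all_ips_match PUBLIC_IP "DIG_OUTPUT": true only if every A record dig
# returned equals this instance's public IP. CNAME targets (lines ending in a
# dot, as "dig +short" prints them) are skipped; a stale or extra record fails.
all_ips_match() {
  public_ip="$1"; answers="$2"
  found=0
  [ -n "$answers" ] || return 1
  for rr in $answers; do
    case "$rr" in
      *.) continue ;;
      "$public_ip") found=1 ;;
      *) return 1 ;;
    esac
  done
  [ "$found" -eq 1 ]
}

# http_status "HEADERS": the status code from the first line of "curl -I"
# output, or "" if there was no HTTP response at all.
http_status() {
  printf '%s\n' "$1" | head -n 1 | awk '/^HTTP\// { print $2 }'
}

# port80_answers STATUS: any HTTP status means the web server is reachable.
# The article's Apache run shows 403 (default page) and the Nginx run 200;
# both are fine for HTTP-01, which only needs /.well-known/ to be served.
port80_answers() {
  case "$1" in
    [1-5][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight FQDN: run the live checks and print a verdict.
preflight() {
  fqdn="$1"
  public_ip=$(curl -s --max-time 10 checkip.amazonaws.com)
  answers=$(dig +short "$fqdn" A)
  if ! all_ips_match "$public_ip" "$answers"; then
    echo "FAIL: $fqdn resolves to [$(printf '%s' "$answers" | tr '\n' ' ')] but the instance public IP is $public_ip" >&2
    return 1
  fi
  headers=$(curl -sI --max-time 10 "http://$fqdn/" || true)
  status=$(http_status "$headers")
  if ! port80_answers "$status"; then
    echo "FAIL: no HTTP response from $fqdn on port 80 (security group inbound rule? web server running?)" >&2
    return 1
  fi
  echo "OK: $fqdn -> $public_ip and HTTP $status on port 80; ready for certbot"
}

# Constructed sample of the article's Apache output, for trying the parser
# offline: http_status "$SAMPLE_HEADERS" prints 403.
SAMPLE_HEADERS='HTTP/1.1 403 Forbidden
Date: Thu, 02 Jan 2025 08:57:53 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8'

# Usage: sh preflight.sh al2023.example.com
if [ $# -eq 1 ]; then
  preflight "$1"
fi
```

Run it with your FQDN as the only argument; a non-zero exit and a FAIL line tell you which of the two prerequisites (DNS pointing at this instance, port 80 reachable) to fix before Certbot attempts a validation.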

Request and install HTTPS cert

sudo certbot --nginx

Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.

[Screenshot: Certbot with Nginx on AL2023]

Verification

Verify certificate

To display information about the certificates Certbot manages on this instance:

sudo certbot certificates

[Screenshot: Display cert info]
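The certbot-renew.timer enabled at install time runs "certbot renew", which renews any certificate with fewer than 30 days left, so a certificate that "certbot certificates" still reports below that threshold means the timer is not running or the renewal is failing. The following renewal health check is an added example, not part of the original article. It assumes the "certbot certificates" output format reproduced in SAMPLE_CERTS (a constructed sample; the names and dates are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: check that automated
# renewal is healthy after installation.

RENEW_THRESHOLD_DAYS=30   # certbot renew acts when fewer days than this remain

# expiring_certs THRESHOLD  (reads "certbot certificates" output on stdin)
# Prints "NAME DAYS" for each certificate with fewer than THRESHOLD valid days
# and "NAME INVALID" for any certbot marks INVALID (expired or a staging cert).
expiring_certs() {
  awk -v limit="$1" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      if ($0 ~ /VALID: [0-9]+ day/) {           # "(VALID: 89 days)" or "(VALID: 1 day)"
        split($0, a, /VALID: /); split(a[2], b, " ")
        if (b[1] + 0 < limit) print name, b[1]
      } else if ($0 ~ /VALID: [0-9]+ hour/) {   # "(VALID: 5 hour(s))"
        print name, 0
      } else {                                  # "(INVALID: EXPIRED)", "(INVALID: TEST_CERT)"
        print name, "INVALID"
      }
    }'
}

# Constructed sample in the format "sudo certbot certificates" prints.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: al2023.example.com
    Domains: al2023.example.com
    Expiry Date: 2025-04-02 07:58:52+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/al2023.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-01-14 00:00:00+00:00 (VALID: 12 days)
  Certificate Name: dead.example.com
    Domains: dead.example.com
    Expiry Date: 2024-11-01 00:00:00+00:00 (INVALID: EXPIRED)'

# renewal_report: the certificates needing attention in the constructed
# sample, one per line (the --live path below runs the same filter on real output).
renewal_report() {
  printf '%s\n' "$SAMPLE_CERTS" | expiring_certs "$RENEW_THRESHOLD_DAYS"
}

# Usage: sh renewal-check.sh --live
if [ "${1:-}" = "--live" ]; then
  systemctl list-timers --no-pager certbot-renew.timer   # is the timer scheduled?
  sudo certbot renew --dry-run                            # rehearse against staging
  flagged=$(sudo certbot certificates 2>/dev/null | expiring_certs "$RENEW_THRESHOLD_DAYS")
  if [ -n "$flagged" ]; then
    printf 'ATTENTION, renewal is not keeping up:\n%s\n' "$flagged" >&2
    exit 1
  fi
  echo "OK: all certificates have at least $RENEW_THRESHOLD_DAYS days left"
fi
```

Without arguments the script only defines the functions; with --live it lists the timer, performs a dry-run renewal against the Let's Encrypt staging environment, and exits non-zero if any certificate is inside the renewal window or invalid.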

Verify installation

Browse to your web site to verify that the HTTPS certificate is installed.

[Screenshot: Browser verification]

More information

Refer to the Certbot User Guide.

Multiple domains on a single certificate

Certbot supports multiple domains on a single certificate. You will need to modify your Apache or Nginx site configuration so that it lists every domain name.

For Apache, update the VirtualHost section with the appropriate ServerName and ServerAlias:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

For Nginx, update the server section with the appropriate server_name:

server {
    listen       80;
    server_name  example.com www.example.com;
}

For each domain name, create a DNS record that resolves to the public IP address of your EC2 instance. Restart Apache or Nginx before running Certbot.
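The multi-domain procedure above (update the virtual host or server block, restart, then run Certbot) can be scripted for a list of names. The following is an added example, not part of the original article: it generates the Apache VirtualHost or Nginx server block, restarts the web server, and builds the unattended equivalent of the interactive "certbot --apache" / "certbot --nginx" run, with one -d per name. It assumes the article's /etc/httpd/conf.d/www.conf for Apache, and for Nginx a drop-in file under /etc/nginx/conf.d/ (which the default AL2023 nginx.conf includes) rather than the sed edit of nginx.conf shown earlier; a DNS record for every name must already point at this instance. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: multi-domain site config
# plus the matching non-interactive certbot command.

# apache_vhost PRIMARY [ALIAS...]: the first name becomes ServerName, the rest
# ServerAlias, which is how the Apache plugin matches this VirtualHost to the
# names passed with -d.
apache_vhost() {
  primary="$1"; shift
  printf '<VirtualHost *:80>\n'
  printf '    ServerName %s\n' "$primary"
  if [ $# -gt 0 ]; then
    printf '    ServerAlias %s\n' "$*"
  fi
  printf '    DocumentRoot /var/www/html\n'
  printf '</VirtualHost>\n'
}

# nginx_server NAME...: one server block listing every name in server_name.
nginx_server() {
  printf 'server {\n'
  printf '    listen 80;\n'
  printf '    server_name %s;\n' "$*"
  printf '    root /usr/share/nginx/html;\n'
  printf '}\n'
}

# domain_args NAME...: "-d a -d b ..."; the first -d names the lineage
# directory under /etc/letsencrypt/live/.
domain_args() {
  args=""
  for d in "$@"; do
    args="$args -d $d"
  done
  printf '%s\n' "${args# }"
}

# certbot_cmd apache|nginx EMAIL NAME...: unattended request covering every
# name on one certificate. --redirect also installs the HTTP -> HTTPS redirect.
certbot_cmd() {
  plugin="$1"; email="$2"; shift 2
  printf 'certbot --%s --non-interactive --agree-tos -m %s --redirect %s\n' \
    "$plugin" "$email" "$(domain_args "$@")"
}

# Usage: sh multidomain.sh apache|nginx you@example.com example.com www.example.com
if [ $# -ge 3 ]; then
  server="$1"; email="$2"; shift 2
  case "$server" in
    apache)
      apache_vhost "$@" | sudo tee /etc/httpd/conf.d/www.conf >/dev/null
      sudo apachectl configtest && sudo systemctl restart httpd ;;
    nginx)
      nginx_server "$@" | sudo tee /etc/nginx/conf.d/www.conf >/dev/null
      sudo nginx -t && sudo systemctl restart nginx ;;
    *) echo "unknown server: $server" >&2; exit 1 ;;
  esac
  # Rehearse against the staging CA first: failed validations count against
  # Let's Encrypt rate limits, and a dry run issues no real certificate.
  sudo certbot certonly --"$server" --dry-run $(domain_args "$@")
  sudo $(certbot_cmd "$server" "$email" "$@")
fi
```

The first name you pass becomes the certificate's primary name and the directory under /etc/letsencrypt/live/, so keep the bare domain first and the www alias after it, exactly as in the configuration fragments above.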

Refer to Certbot documentation and Get Help page for more information.

AWS (EXPERT), published 19 days ago