I want to install an SSL/TLS certificate for an NGINX server on Amazon Linux.
Resolution
Install an SSL/TLS certificate for your NGINX server
Note: Your Amazon Machine Image (AMI) or operating system (OS) version might require additional steps or commands to install an SSL/TLS certificate for an NGINX server.
To install an SSL/TLS certificate for your NGINX server on Amazon Linux, use a trusted certificate authority (CA), such as Let's Encrypt. For more information, see Getting started on the Let's Encrypt website.
If you choose Let's Encrypt to install and configure the SSL/TLS certificate, then you must use the Certbot tool. For more information, see About Certbot on the Certbot website.
Note: If you use certificates from another third-party domain provider, then follow the steps that the vendor provides to download certificates.
To install the Certbot tool and request a certificate, run the following commands:
Amazon Linux 2023:
$ sudo dnf install certbot
$ sudo certbot certonly
Amazon Linux 2:
$ sudo amazon-linux-extras install epel -y
$ sudo yum update -y --skip-broken
$ sudo yum install -y certbot
$ sudo certbot certonly
Follow the prompts to complete the certificate request process. The certificate files are stored in a directory that's similar to /etc/letsencrypt/live/example-domain.com.
Configure NGINX to use the SSL/TLS certificate
Complete the following steps:
- To create a backup of the existing NGINX configuration file, run the following command:
$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak
Note: The default location for the NGINX configuration file is /etc/nginx/nginx.conf, /etc/nginx/conf.d/default.conf or /etc/nginx/sites-available/default.
- Use a text editor to open the NGINX configuration file that contains the SSL/TLS certificate and key file paths.
Example configuration:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name your-domain.com;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    location / {
        # existing site configuration
    }
}
Note: Replace your-domain.com with the name of your domain.
- To automatically redirect all HTTP traffic to HTTPS, add the following server block to the configuration file:
server {
listen 80;
server_name your-domain.com;
return 301 https://$server_name$request_uri;
}
- To validate the configuration and restart the NGINX service, run the following commands:
$ sudo nginx -t
$ sudo systemctl restart nginx
Note: It's a best practice to back up your current SSL/TLS certificates and NGINX configurations. Check that NGINX has the necessary permissions to read the new certificate files.
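A pre-restart check for the preceding note, as an added example that is not part of the original article: the hypothetical function check_tls_paths reads the ssl_certificate and ssl_certificate_key paths from a configuration file, confirms that each file is readable by the invoking user, and flags key files that group or other users can access. It assumes GNU stat, as shipped with Amazon Linux.

```shell
#!/bin/sh
# Added example (not from the original article).
# check_tls_paths CONF
#   Returns 0 when every ssl_certificate / ssl_certificate_key path in CONF
#   exists and is readable, and no key file grants group or other access.
check_tls_paths() {
    conf=$1
    rc=0
    # Drop comments, then print "<directive> <path>" without the trailing ';'.
    pairs=$(sed 's/#.*//' "$conf" |
        awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                 sub(/;$/, "", $2); print $1, $2 }')
    if [ -z "$pairs" ]; then
        echo "FAIL: no ssl_certificate directives found in $conf"
        return 1
    fi
    while read -r directive path; do
        if [ ! -r "$path" ]; then
            echo "FAIL: $directive $path is missing or unreadable"
            rc=1
            continue
        fi
        if [ "$directive" = "ssl_certificate_key" ]; then
            # -L follows symlinks: files under /etc/letsencrypt/live are links.
            # Assumption: GNU stat (-c '%a' prints the octal mode).
            mode=$(stat -L -c '%a' "$path")
            case $mode in
                *00|0) ;;   # no group or other permission bits set
                *) echo "FAIL: key $path has mode $mode (group/other access)"
                   rc=1
                   continue ;;
            esac
        fi
        echo "OK: $directive $path"
    done <<EOF
$pairs
EOF
    return $rc
}

# Optional command-line use: sh check_tls.sh /etc/nginx/nginx.conf
if [ "$#" -gt 0 ]; then
    check_tls_paths "$1"
fi
```

Run it with sudo before nginx -t so that the readability test reflects root, which is the user the NGINX master process normally runs as when it loads certificates.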
Related information
Configuring HTTPS servers on the NGINX website
Secure your Lightsail Nginx website with Let's Encrypt SSL/TLS
Step 3: Configure the web server