How to use Certbot to enable HTTPS with Apache or Nginx on EC2 instances running Amazon Linux 2 (AL2)?

5 minute read
Content level: Intermediate

Install Certbot on EC2 instances running AL2 (Amazon Linux 2), use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or an Nginx web server, and configure automated renewal.

Overview

Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2 (AL2) and use it to enable HTTPS (using the HTTP-01 challenge type) on either an Apache or an Nginx web server, with automated certificate renewal.

Other options

If you wish to use AWS Certificate Manager (ACM) certificates instead, refer to "Why can't I configure ACM certificates for my website hosted on an EC2 instance?" for the available options.

Notice

Amazon Linux 2 reaches its end of support date (End of Life, or EOL) on 2026-06-30.

Requirements

Ensure that

The script examples below use the FQDN al2.example.com. Adjust it to your own domain name.

Install Certbot

Install Certbot using the pip instructions at https://certbot.eff.org/instructions?ws=other&os=pip

sudo yum install -y augeas-libs
sudo amazon-linux-extras install -y python3.8 

sudo /usr/bin/python3.8 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53
sudo /opt/certbot/bin/pip install certbot-apache
sudo /opt/certbot/bin/pip install certbot-nginx

sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Note: support for Python 3.8 was deprecated in Certbot 3.0.0 and removed in Certbot 3.1.0.

Configure Automated renewal

Let's Encrypt certificates are valid for 90 days. To configure automated renewal so that certificates are renewed about 30 days before expiry:

sudo tee /usr/lib/systemd/system/certbot-renew.timer > /dev/null << EOF
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EOF


sudo touch /etc/sysconfig/certbot
# Quote the heredoc delimiter so the shell does not expand $PRE_HOOK etc. to empty strings;
# they must reach the unit file verbatim so that systemd expands them from /etc/sysconfig/certbot
sudo tee /usr/lib/systemd/system/certbot-renew.service > /dev/null << 'EOF'
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EOF

sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer

Using Certbot with Apache web server

Replace al2.example.com below with your domain name.

Install and Configure Apache

sudo yum install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
</VirtualHost>
EOF

sudo systemctl enable httpd
sudo systemctl restart httpd

Certbot uses Apache Virtual Hosts to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.211.60
13.229.211.60
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Mon, 23 Dec 2024 05:44:42 GMT
Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 13 Aug 2024 20:15:43 GMT
ETag: "e2e-61f96462a59c0"
Accept-Ranges: bytes
Content-Length: 3630
Content-Type: text/html; charset=UTF-8

Request and install HTTPS cert

sudo certbot --apache

Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and input your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.

[Screenshot: Certbot on AL2 with Apache]

Using Certbot with Nginx web server

Replace al2.example.com below with your domain name.

Install and Configure Nginx

FQDN=al2.example.com

sudo amazon-linux-extras install -y nginx1
sudo sed -i "s/server_name  _;/server_name  $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t

sudo systemctl enable nginx
sudo systemctl start nginx

Certbot uses Nginx server names (server_name) to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.112.86
13.229.112.86
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 14:22:13 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 27 Aug 2024 13:55:08 GMT
Connection: keep-alive
ETag: "66cddabc-267"
Accept-Ranges: bytes
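The DNS and port-80 checks above (for both Apache and Nginx) and the 30-day renewal window from the automated renewal section, folded into one script. This is an added example, not part of the original article; it assumes curl, dig, openssl and GNU date are installed on the AL2 instance, and the FQDN is passed as the first argument.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the HTTP-01 flow (DNS points here, port 80 answers),
# plus a post-issuance expiry check against the renewal window. Added example.
set -u

RENEW_WINDOW_DAYS=30   # certbot renew acts when fewer than ~30 days remain

# addr_in_list PUBLIC_IP "A-record lines" -> 0 if PUBLIC_IP is one of the records.
# dig +short may print several lines (a CNAME target, multiple A records), so match whole lines.
addr_in_list() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# http_reachable CODE -> 0 for any real HTTP status; curl reports 000 when the connection fails.
# A 403 on / (the page's default Apache vhost) still proves that port 80 reaches this server.
http_reachable() {
  case "$1" in [1-5][0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# days_until EPOCH_NOTAFTER -> whole days from now until the certificate expires
days_until() {
  local now; now=$(date +%s)
  echo $(( ($1 - now) / 86400 ))
}

# renewal_due EPOCH_NOTAFTER -> 0 when the certbot-renew.timer above should already be renewing
renewal_due() {
  [ "$(days_until "$1")" -lt "$RENEW_WINDOW_DAYS" ]
}

# preflight FQDN: run before `certbot --apache` / `certbot --nginx`
preflight() {
  local fqdn=$1 pub dns code
  pub=$(curl -s checkip.amazonaws.com)
  dns=$(dig +short "$fqdn")
  addr_in_list "$pub" "$dns" || { echo "DNS for $fqdn does not resolve to $pub"; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' "http://$fqdn/")
  http_reachable "$code" || { echo "port 80 on $fqdn not reachable (curl code $code)"; return 1; }
  echo "preflight OK: $fqdn -> $pub, HTTP $code"
}

# expiry_check FQDN: read notAfter from the live certificate and report renewal status
expiry_check() {
  local fqdn=$1 notafter epoch
  notafter=$(echo | openssl s_client -servername "$fqdn" -connect "$fqdn:443" 2>/dev/null |
             openssl x509 -noout -enddate | cut -d= -f2)
  epoch=$(date -d "$notafter" +%s)   # GNU date parses the openssl notAfter format
  if renewal_due "$epoch"; then echo "renewal due: $(days_until "$epoch") days left"
  else echo "certificate OK: $(days_until "$epoch") days left"; fi
}

if [ -n "${1:-}" ]; then preflight "$1" && expiry_check "$1"; fi
```

Run it as `./check-https.sh al2.example.com` before issuance (only the preflight part will pass) and again afterwards to confirm the live certificate and how far it is from the renewal window.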

Request and install HTTPS cert

sudo certbot --nginx

Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.

[Screenshot: Certbot on AL2 with Nginx]

Verify website

Browse to your web site to verify that the HTTPS certificate is installed.

[Screenshot: Browser verification]

More information

Refer to the Certbot User Guide.

Author: AWS (Expert). Published 2 months ago. 472 views.