Install Certbot on EC2 instances running Amazon Linux 2 (AL2), use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or an Nginx web server, and configure automated renewal
Overview
Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.
This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2 (AL2), use it to enable HTTPS (with the HTTP-01 challenge type) on either an Apache or an Nginx web server, and set up automated certificate renewal.
Other options
If you wish to use AWS Certificate Manager (ACM) certs, refer to Why can't I configure ACM certificates for my website hosted on an EC2 instance? for available options.
Notice
Amazon Linux 2 reaches end of support (End of Life, EOL) on 2026-06-30.
Requirements
Ensure that
- you have a FQDN (fully qualified domain name) whose DNS entry resolves to the public IP address of your EC2 instance.
- the security group attached to your EC2 instance allows inbound HTTP (TCP 80) and HTTPS (TCP 443) from the internet. The HTTP-01 challenge is validated over port 80, so it must stay open for the initial issuance and for every renewal, not only while you run the commands below.
The script examples below use the FQDN al2.example.com. Adjust accordingly.
Install Certbot
Install with pip, following the instructions at https://certbot.eff.org/instructions?ws=other&os=pip:
sudo yum install -y augeas-libs
sudo amazon-linux-extras install -y python3.8
sudo /usr/bin/python3.8 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53
sudo /opt/certbot/bin/pip install certbot-apache
sudo /opt/certbot/bin/pip install certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Support for Python 3.8 was deprecated in Certbot 3.0.0 and removed in Certbot 3.1.0. Because the venv above runs Python 3.8, pip resolves to the newest release that still supports it (the 3.0.x line) and will not pick up later Certbot releases; check what was installed with certbot --version.
Configure Automated renewal
Let's Encrypt certificates are valid for 90 days. certbot renew replaces only those certificates that are within 30 days of expiry and leaves the rest untouched, so it is safe to run it twice a day as the timer below does. To configure automated renewal:
sudo tee /usr/lib/systemd/system/certbot-renew.timer > /dev/null << EOF
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EOF
sudo touch /etc/sysconfig/certbot
sudo tee /usr/lib/systemd/system/certbot-renew.service > /dev/null << 'EOF'
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
The heredoc delimiter is quoted ('EOF') so that the shell does not expand $PRE_HOOK and the other variables while writing the unit file; with an unquoted EOF they would be replaced by empty strings and silently vanish from ExecStart. systemd expands them at run time from /etc/sysconfig/certbot, which is created empty above and can later hold extra options. The random jitter comes from the timer's RandomizedDelaySec, which is why the service passes --no-random-sleep-on-renew. When the certificate was obtained with --apache or --nginx, certbot renew reloads the web server itself after a successful renewal, so no deploy hook is required for the two setups in this article.
Using Certbot with Apache web server
Replace al2.example.com below with your domain name.
Install and Configure Apache
sudo yum install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
ServerName al2.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>
EOF
sudo systemctl enable httpd
sudo systemctl restart httpd
Certbot's Apache plugin matches the domain you request against the ServerName (and ServerAlias) directives of the virtual hosts, so give the port-80 virtual host a ServerName; Certbot then adds a matching port-443 virtual host that carries the certificate.
Verify DNS entry and web server configuration
FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command gets an HTTP response. A 403 Forbidden from a freshly installed Apache with an empty DocumentRoot is expected: it is the default test page, and it proves that port 80 is reachable. Output should be similar to the below
[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.211.60
13.229.211.60
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Mon, 23 Dec 2024 05:44:42 GMT
Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 13 Aug 2024 20:15:43 GMT
ETag: "e2e-61f96462a59c0"
Accept-Ranges: bytes
Content-Length: 3630
Content-Type: text/html; charset=UTF-8
Request and install HTTPS cert
sudo certbot --apache
Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and confirm your FQDN when prompted. Certbot then requests the certificate over HTTP-01, writes a TLS virtual host for it, and (by default since Certbot 2.0) redirects plain HTTP to HTTPS.
Using Certbot with Nginx web server
Replace al2.example.com below with your domain name.
Install and Configure Nginx
FQDN=al2.example.com
sudo amazon-linux-extras install -y nginx1
sudo sed -i "s/server_name _;/server_name $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl start nginx
Certbot's Nginx plugin matches the domain you request against the server_name directives, so the sed above sets server_name to your FQDN in the default server block; that is the block Certbot will modify.
Verify DNS entry and web server configuration
FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command gets an HTTP response (the default Nginx page returns 200 OK). Output should be similar to the below
[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.112.86
13.229.112.86
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 14:22:13 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 27 Aug 2024 13:55:08 GMT
Connection: keep-alive
ETag: "66cddabc-267"
Accept-Ranges: bytes
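The two manual checks above (public IP against the DNS answer, then an HTTP request) are exactly what the HTTP-01 challenge depends on, and they are the same for the Apache and the Nginx setup. The script below is an added example, not part of the original article or of Certbot: it automates that check, copes with an FQDN that is a CNAME (dig +short then prints the alias target before the A record, so only IPv4 lines are kept), and treats any HTTP status, including Apache's default 403, as proof that the port-80 listener is reachable, while a status of 000 means the connection failed. It assumes the placeholder domain al2.example.com and that curl and dig (bind-utils) are installed.

```bash
#!/bin/sh
# Pre-flight check before running `certbot --apache` or `certbot --nginx`.
# The HTTP-01 challenge only succeeds if the FQDN resolves to this instance's
# public IP and port 80 is reachable from the internet.
# Added example, not from the original article. Assumes the placeholder
# domain al2.example.com and that curl and dig are installed.
set -eu

# Public IP as seen from outside (what Let's Encrypt's validators connect to).
public_ip() {
  curl -s https://checkip.amazonaws.com
}

# Keep only IPv4 address lines from `dig +short` output. If the FQDN is a
# CNAME, dig prints the alias target first and the A record(s) after it;
# only the addresses are wanted. Empty output when nothing matches.
pick_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# A record(s) for the FQDN, one address per line.
dns_ip() {
  dig +short "$1" A | pick_ipv4
}

# HTTP status code returned over plain HTTP on port 80. Any real status
# (even 403 from a bare Apache) proves the listener answers; curl prints
# 000 when it cannot connect (closed port / security group).
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 "http://$1/" || true
}

# Pass/fail decision from the public IP, the resolved address list
# (newline separated) and the HTTP status.
preflight_ok() {
  p=$1; r=$2; s=$3
  case "$s" in 000) return 1 ;; esac
  printf '%s\n' "$r" | grep -qxF "$p"
}

main() {
  fqdn=$1
  pub=$(public_ip)
  resolved=$(dns_ip "$fqdn")
  status=$(http_status "$fqdn")
  echo "public IP : $pub"
  echo "DNS A     : $(printf '%s' "$resolved" | tr '\n' ' ')"
  echo "HTTP      : $status"
  if preflight_ok "$pub" "$resolved" "$status"; then
    echo "OK: $fqdn is ready for HTTP-01 validation"
  else
    echo "FAIL: fix DNS and/or the security group before running certbot" >&2
    exit 1
  fi
}

# Only run when a domain is given, so the file can also be sourced for its helpers.
if [ "${1:-}" ]; then
  main "$1"
fi
```

Run it as sh preflight.sh al2.example.com (the file name is arbitrary). A FAIL with HTTP 000 points at the security group or a web server that is not listening; a FAIL with a real status but mismatched addresses means the DNS record does not point at this instance yet.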
Request and install HTTPS cert
sudo certbot --nginx
Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list. Certbot then requests the certificate over HTTP-01 for the server_name it found, adds the listen 443 ssl directives and certificate paths to that server block, and (by default since Certbot 2.0) redirects plain HTTP to HTTPS.
Verify website
Browse to https://al2.example.com (your FQDN) to verify that the certificate is installed and trusted by your browser, and that a plain http:// request is redirected to HTTPS.
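The following is an added example (not from the original article or from Certbot) that goes a step beyond a browser check: it reads the certificate the server actually presents for the FQDN over TLS with SNI, works out the days until it expires against Certbot's 30-day renewal threshold, shows the next run of the certbot-renew.timer defined earlier in this article, and rehearses a renewal with certbot renew --dry-run, which talks to the Let's Encrypt staging environment and replaces nothing. It assumes the placeholder domain al2.example.com and openssl on the instance.

```bash
#!/bin/sh
# Post-issuance checks for a Certbot-managed site on AL2.
# Added example, not from the original article. Assumes the placeholder
# domain al2.example.com, openssl on the instance and the certbot-renew.timer
# unit from this article.
set -eu

# Validity dates of the leaf certificate presented for $1 over TLS with SNI.
# This inspects the live listener, not the files under /etc/letsencrypt, so it
# also catches a renewed certificate that the web server never reloaded.
served_cert_dates() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -dates
}

# Pull the notAfter value out of `openssl x509 -dates` output read from stdin.
not_after() {
  sed -n 's/^notAfter=//p'
}

# Whole days from now until the given expiry string (GNU date, as on AL2).
days_left() {
  expiry=$(date -u -d "$1" +%s)
  now=$(date -u +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Certbot's default: `certbot renew` replaces a certificate once fewer than
# 30 days remain, so with a working timer this should rarely be true.
renewal_due() {
  [ "$1" -lt 30 ]
}

main() {
  fqdn=$1
  dates=$(served_cert_dates "$fqdn")
  echo "$dates"
  left=$(days_left "$(printf '%s\n' "$dates" | not_after)")
  echo "days left : $left"
  if renewal_due "$left"; then
    echo "WARNING: fewer than 30 days left; the timer should have renewed this" >&2
  fi
  # Timer state and next run, then a renewal rehearsal against the staging CA
  # (no certificate is replaced and production rate limits are not consumed).
  systemctl list-timers certbot-renew.timer --no-pager
  sudo certbot renew --dry-run
}

# Only run when a domain is given, so the file can also be sourced for its helpers.
if [ "${1:-}" ]; then
  main "$1"
fi
```

Run it as sh verify-tls.sh al2.example.com (the file name is arbitrary); the dry run needs sudo because it reads the renewal configuration under /etc/letsencrypt. If the dry run fails while the browser check passed, the usual culprits are port 80 having been closed after issuance or the web server plugin no longer finding the virtual host.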
More information
Refer to the Certbot User Guide.