Use Certbot to enable HTTPS on Amazon Linux 2 (AL2) EC2 instances running Apache or Nginx
Install Certbot on EC2 instances running Amazon Linux 2 (AL2), use it to request and install a domain validated (DV) certificate on either an Apache or Nginx web server, and configure automated renewal.
Note
Support for Amazon Linux 2 ends on 2026-06-30. The instructions in this article may not work properly.
Overview
Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.
This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2 (AL2) and use it to install a domain validated HTTPS certificate (using the HTTP-01 challenge type) on either an Apache or Nginx web server, with automated certificate renewal.
Note: this article applies to AL2 only. Similar articles are available for AL2023 and Ubuntu Linux.
Other options
You can use the Amazon CloudFront global content delivery network (CDN) with your EC2 instance as the origin to get a domain name such as d111111abcdef8.cloudfront.net with HTTPS. CloudFront supports custom domain names with non-exportable public SSL/TLS certificates from AWS Certificate Manager at no additional charge. Consider the flat-rate pricing plans, which combine CloudFront with multiple AWS services and features into a monthly price with no overage charges.
If you wish to use AWS Certificate Manager (ACM) certificates with your EC2 instance, refer to Why can't I configure ACM certificates for my website hosted on an EC2 instance?. As of June 2025, AWS Certificate Manager offers exportable public SSL/TLS certificates that can be used anywhere. Refer to AWS Certificate Manager pricing for pricing details.
Notice
Amazon Linux 2 end of support date (End of Life, or EOL) will be on 2026-06-30.
Requirements
Ensure that:
- You have a FQDN (fully qualified domain name) whose DNS entry resolves to your EC2 instance's public internet IP address.
  - If you do not have a domain, you can register a new domain using Amazon Route 53 and create a DNS A record.
  - To prevent the EC2 public IPv4 address from changing, you can associate an Elastic IP address.
- The security group attached to your EC2 instance allows inbound HTTP and HTTPS from the internet.
The script examples below use an FQDN of al2.example.com. Adjust accordingly.
Install Certbot
Install using pip, following the instructions at https://certbot.eff.org/instructions?ws=other&os=pip:
sudo amazon-linux-extras install -y python3.8
sudo yum install -y augeas-libs
sudo /usr/bin/python3.8 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install python-augeas==1.1.0
sudo /opt/certbot/bin/pip install certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53
sudo /opt/certbot/bin/pip install certbot-apache
sudo /opt/certbot/bin/pip install certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Support for Python 3.8 was deprecated in Certbot 3.0.0 and removed in Certbot 3.1.0.
Configure automated renewal
Let's Encrypt certificates are valid for 90 days. Configure automated renewal so that certificates are renewed about 30 days before expiry:
sudo tee /usr/lib/systemd/system/certbot-renew.timer > /dev/null << EOF
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EOF
sudo touch /etc/sysconfig/certbot
sudo tee /usr/lib/systemd/system/certbot-renew.service > /dev/null << 'EOF'
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EOF
The heredoc delimiter is quoted ('EOF') so that the shell does not expand $PRE_HOOK, $POST_HOOK, $RENEW_HOOK, $DEPLOY_HOOK and $CERTBOT_ARGS to empty strings while writing the unit file; systemd substitutes them at run time from /etc/sysconfig/certbot.
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
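To confirm that the renewal setup works end to end, here is an added check script (not part of the original article or of Certbot itself). It assumes the certbot-renew.timer unit created above, the standard /etc/letsencrypt/live/<FQDN>/cert.pem layout, and GNU date for parsing the certificate's notAfter field.

```shell
#!/bin/bash
# Added example (not from the re:Post article): verify the certbot-renew timer
# and report how many days remain on the installed certificate.
set -u

# Days between a certificate's notAfter line (as printed by
# `openssl x509 -enddate -noout`, e.g. "notAfter=Mar 25 10:00:00 2025 GMT")
# and a reference epoch ($2, default: now). Requires GNU date for -d parsing.
days_until_expiry() {
  local not_after="${1#notAfter=}"
  local ref="${2:-$(date +%s)}"
  local exp
  exp=$(date -u -d "$not_after" +%s) || return 2
  echo $(( (exp - ref) / 86400 ))
}

# Exit status 0 while the certificate is outside Certbot's default renewal
# window (more than 30 days left), 1 when renewal is due, 2 on a parse error.
renewal_status() {
  local days
  days=$(days_until_expiry "$1" "${2:-}") || return 2
  [ "$days" -gt 30 ]
}

# check_renewal FQDN: timer state, remaining validity, and a dry-run renewal.
check_renewal() {
  local fqdn="${1:?usage: check_renewal FQDN}"
  local cert="/etc/letsencrypt/live/$fqdn/cert.pem"
  local end_line
  # 1. The timer must be active and scheduled.
  systemctl is-active --quiet certbot-renew.timer || {
    echo "certbot-renew.timer is not active" >&2; return 1; }
  systemctl list-timers certbot-renew.timer --no-pager
  # 2. Remaining validity of the live certificate (root-owned, hence sudo).
  end_line=$(sudo openssl x509 -enddate -noout -in "$cert") || return 1
  echo "$fqdn: $(days_until_expiry "$end_line") day(s) until expiry"
  # 3. Exercise the full renewal path against the Let's Encrypt staging
  #    environment without replacing the installed certificate.
  sudo certbot renew --dry-run
}
```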
Using Certbot with Apache web server
Replace al2.example.com below with your domain name.
Install and Configure Apache
sudo yum install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
DocumentRoot /var/www/html
</VirtualHost>
EOF
sudo systemctl enable httpd
sudo systemctl restart httpd
Certbot uses Apache virtual hosts to identify websites and install certificates.
Verify DNS entry and web server configuration
FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:
[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.211.60
13.229.211.60
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Mon, 23 Dec 2024 05:44:42 GMT
Server: Apache/2.4.62 () OpenSSL/1.0.2k-fips
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Tue, 13 Aug 2024 20:15:43 GMT
ETag: "e2e-61f96462a59c0"
Accept-Ranges: bytes
Content-Length: 3630
Content-Type: text/html; charset=UTF-8
Request and install HTTPS cert
sudo certbot --apache
Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and enter your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.
Using Certbot with Nginx web server
Replace al2.example.com below with your domain name.
Install and Configure Nginx
FQDN=al2.example.com
sudo amazon-linux-extras install -y nginx1
# Match one or more spaces between server_name and the placeholder "_"
sudo sed -i -E "s/server_name[[:space:]]+_;/server_name $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl start nginx
Certbot uses Nginx server names to identify websites and install certificates.
Verify DNS entry and web server configuration
FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command works. The output should be similar to the following:
[ec2-user@ip ~]$ FQDN=al2.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
13.229.112.86
13.229.112.86
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.22.1
Date: Thu, 26 Dec 2024 14:22:13 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 27 Aug 2024 13:55:08 GMT
Connection: keep-alive
ETag: "66cddabc-267"
Accept-Ranges: bytes
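The same IP comparison, extended into a pre-flight check for the HTTP-01 challenge, as an added example covering both the Apache and Nginx verification steps above (not code from the original article). It assumes a document root passed as the second argument (/var/www/html for the Apache configuration above, /usr/share/nginx/html for the default Nginx configuration) and that the web server serves static files under /.well-known/acme-challenge/ over plain HTTP, the path Let's Encrypt fetches during validation.

```shell
#!/bin/sh
# Added example, not from the re:Post article: pre-flight check before running
# `certbot --apache` or `certbot --nginx`. Compares the instance's public IP
# with the FQDN's A records (as the article does), then confirms that a probe
# file under /.well-known/acme-challenge/ is served over plain HTTP.

# Pure decision logic: every address in the whitespace/newline-separated DNS
# answer ($2) must equal the public IP ($1), and there must be at least one.
dns_points_here() {
  public_ip="$1"; answers="$2"
  [ -n "$answers" ] || return 1
  for ip in $answers; do
    [ "$ip" = "$public_ip" ] || return 1
  done
  return 0
}

# preflight FQDN DOCROOT  (DOCROOT: /var/www/html for the Apache config above,
# /usr/share/nginx/html for the default Nginx config; both are assumptions)
preflight() {
  fqdn="${1:?usage: preflight FQDN DOCROOT}"
  docroot="${2:?usage: preflight FQDN DOCROOT}"
  public_ip=$(curl -s checkip.amazonaws.com) || return 1
  answers=$(dig +short "$fqdn" A)
  if ! dns_points_here "$public_ip" "$answers"; then
    echo "DNS for $fqdn (${answers:-none}) does not match public IP $public_ip" >&2
    return 1
  fi
  # Constructed random token; the probe file is removed again afterwards.
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  dir="$docroot/.well-known/acme-challenge"
  sudo mkdir -p "$dir" && echo "$token" | sudo tee "$dir/$token" >/dev/null
  body=$(curl -s --max-time 10 "http://$fqdn/.well-known/acme-challenge/$token")
  sudo rm -f "$dir/$token"
  if [ "$body" != "$token" ]; then
    echo "HTTP-01 path not reachable: check inbound port 80 in the security group and the web server config" >&2
    return 1
  fi
  echo "OK: $fqdn resolves to $public_ip and serves /.well-known/acme-challenge/ over HTTP"
}
```

A 403 for / (as in the Apache output above) does not matter for validation; only the challenge path has to be reachable on port 80.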
Request and install HTTPS cert
sudo certbot --nginx
Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.
Verify website
Browse to your website to verify that the HTTPS certificate is installed.
More information
Refer to the Certbot User Guide.