
Use Certbot to enable HTTPS on Ubuntu Linux EC2 instances running Apache or Nginx


Install Certbot on EC2 instances running Ubuntu Linux, then use it to request and install a domain-validated (DV) certificate on either an Apache or Nginx web server, with automated renewal.

Overview

Certbot is a tool to obtain free SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

This article shows how to install Certbot on Amazon EC2 instances running Ubuntu Linux on AWS and use it to install a domain-validated HTTPS certificate (using the HTTP-01 challenge type) on either an Apache or Nginx web server, with automated certificate renewal.

Note: this article applies to Ubuntu Linux only. Similar articles are available for AL2023 and AL2.

Other options

You can use the Amazon CloudFront global content delivery network (CDN) with an EC2 instance as origin to get a domain name such as d111111abcdef8.cloudfront.net with HTTPS. CloudFront supports custom domain names with non-exportable public SSL/TLS certificates through AWS Certificate Manager at no additional charge. Consider the flat-rate pricing plans, which combine CloudFront with multiple AWS services and features into a monthly price with no overage charges.

If you wish to use AWS Certificate Manager (ACM) certificates with your EC2 instance, refer to "Why can't I configure ACM certificates for my website hosted on an EC2 instance?". As of June 2025, AWS Certificate Manager introduces exportable public SSL/TLS certificates to use anywhere. Refer to AWS Certificate Manager pricing for pricing.

Requirements

Ensure that you have

Certbot supports IPv4 and IPv6 domain names.

The script examples below assume an IPv4-only FQDN of ubuntu.example.com. Adjust them to match your own domain name.

Install Certbot

Install Certbot through Snap

sudo snap install certbot --classic
sudo ln -s -f /snap/bin/certbot /usr/bin/certbot
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-route53

Using Certbot with Apache web server

Replace ubuntu.example.com below with your domain name.

Install and Configure Apache

sudo apt update
sudo apt install -y apache2
sudo a2enmod ssl
sudo a2ensite default-ssl
sudo systemctl enable --now apache2

Verify DNS entry and web server configuration

FQDN=ubuntu.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command succeeds. The output should be similar to the following:

[ubuntu@ip ~]$ FQDN=ubuntu.example.com
[ubuntu@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
52.169.14.9
52.169.14.9
[ubuntu@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Date: Sat, 24 Jan 2026 06:06:19 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sat, 24 Jan 2026 06:05:22 GMT
ETag: "29af-6491c0f2983ed"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html

Request and install HTTPS cert

sudo certbot --apache

Agree to the Let's Encrypt Terms of Service and enter your FQDN. Certbot then requests the HTTPS certificate and installs it on your Apache server.

Using Certbot with Nginx web server

Replace ubuntu.example.com below with your domain name.

Install and Configure Nginx

sudo apt update
sudo apt install -y nginx
sudo systemctl enable --now nginx

Verify DNS entry and web server configuration

FQDN=ubuntu.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command succeeds. The output should be similar to the following:

[ec2-user@ip ~]$ FQDN=ubuntu.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
18.139.110.156
18.139.110.156
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.24.0 (Ubuntu)
Date: Fri, 23 Jan 2026 16:14:16 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Fri, 23 Jan 2026 16:14:01 GMT
Connection: keep-alive
ETag: "69739e49-267"
Accept-Ranges: bytes
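
The DNS check in both the Apache and Nginx sections matters because the HTTP-01 challenge is answered by whichever host the name resolves to. The following is an added example (not part of the original article) that evaluates the two values those commands print; the function name `check_dns_points_here` and the sample addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: HTTP-01 pre-flight check on the values printed by
# `curl checkip.amazonaws.com` and `dig +short $FQDN`.

# $1 = this instance's public IPv4 address
# $2 = raw `dig +short` output for the FQDN (may span several lines)
# Prints "ok", "no-a-record" or "mismatch: <ip>..."; returns 0 only for "ok".
check_dns_points_here() {
  local public_ip="$1" dig_output="$2" line ips="" stray=""
  while IFS= read -r line; do
    # dig +short also prints CNAME targets (names ending in "."); keep IPv4 only.
    if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
      ips="$ips $line"
      [ "$line" = "$public_ip" ] || stray="$stray $line"
    fi
  done <<EOF
$dig_output
EOF
  if [ -z "$ips" ]; then echo "no-a-record"; return 1; fi
  # Any extra A record means the validation request may land on another host.
  if [ -n "$stray" ]; then echo "mismatch:$stray"; return 1; fi
  echo "ok"
}

# Constructed sample values (documentation address ranges, not real hosts).
check_dns_points_here 192.0.2.10 "192.0.2.10"
check_dns_points_here 192.0.2.10 "$(printf 'web.example.net.\n192.0.2.10')"
check_dns_points_here 192.0.2.10 "$(printf '192.0.2.10\n198.51.100.7')" || true

# On a real instance:
#   check_dns_points_here "$(curl -s checkip.amazonaws.com)" "$(dig +short "$FQDN")"
```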

Request and install HTTPS cert

sudo certbot --nginx

Agree to the Let's Encrypt Terms of Service and enter your FQDN. Certbot then requests the HTTPS certificate and installs it on your Nginx server.

Verification

Verify certificate

To display information about the certificates you have from Certbot:

sudo certbot certificates

Output should be similar to below

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: ubuntu.example.com
    Serial Number: 5d732a9a5bfab1246f5bc522708419267aa
    Key Type: ECDSA
    Identifiers: ubuntu.example.com
    Expiry Date: 2026-04-11 17:17:31+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/ubuntu.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ubuntu.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Verify installation

Browse to your website to verify that the HTTPS certificate is installed.

Automated Renewal

Certbot uses the snap.certbot.renew.timer systemd timer, which runs daily, to automatically renew any certificate 30 days before its expiry date. To verify operation:

journalctl -u snap.certbot.renew.timer -f

Output should be similar to below

-- Boot 420bd33d89e6466096c537018e36f7c1 --
Jan 22 08:07:15 ip-10-0-101-51 systemd[1]: Started Timer renew for snap application certbot.renew.
Jan 24 05:28:40 ip-10-0-101-51 systemd[1]: snap.certbot.renew.timer: Deactivated successfully.
Jan 24 05:28:40 ip-10-0-101-51 systemd[1]: Stopped Timer renew for snap application certbot.renew.
-- Boot 3c00977e496d4d81943d573f8f84c7fe --
Jan 24 05:29:04 ip-10-0-101-51 systemd[1]: Started Timer renew for snap application certbot.renew.
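
One way to confirm that automated renewal is actually keeping certificates fresh is to parse the `certbot certificates` output shown earlier and flag anything inside the 30-day renewal window. This is an added example, not part of the original article; the function names and the sample output are constructed, and the `INVALID: EXPIRED` status line is assumed from Certbot's usual output.

```shell
#!/usr/bin/env bash
# Added example: flag certificates that automated renewal should already
# have replaced.

# Reads `certbot certificates` output on stdin and prints one line per
# certificate needing attention: "<name> <days left, or status text>".
# $1 = threshold in days (default 30, the renewal window stated above).
certs_needing_attention() {
  awk -v limit="${1:-30}" '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
      # The status is the parenthesised suffix, e.g. "(VALID: 89 days)".
      status = $0
      sub(/^[^(]*\(/, "", status)
      sub(/\).*$/, "", status)
      if (status ~ /^VALID: [0-9]+ days?$/) {
        split(status, f, " ")
        if (f[2] + 0 < limit + 0) print name, f[2]
      } else {
        # Anything else (expired, revoked, only hours left) is reported as-is.
        print name, status
      }
    }'
}

# Constructed sample in the format shown above (not real certificates).
sample_output() {
  cat <<'EOF'
Found the following certs:
  Certificate Name: ubuntu.example.com
    Expiry Date: 2026-04-11 17:17:31+00:00 (VALID: 89 days)
  Certificate Name: stale.example.com
    Expiry Date: 2026-02-02 09:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Expiry Date: 2025-12-01 09:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# On a real host:
#   sudo certbot certificates 2>/dev/null | certs_needing_attention 30
sample_output | certs_needing_attention 30
```

Any line printed for a certificate that the timer is supposed to manage means renewal has not happened on schedule, so check /var/log/letsencrypt/letsencrypt.log for the reason.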

More information

Refer to the Certbot User Guide.

Multiple domains on a single certificate

Certbot supports multiple domains on a single certificate. You will need to modify your Apache or Nginx website configuration.

For Apache, update the VirtualHost section with the appropriate ServerName and ServerAlias:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    # ... existing directives unchanged ...
</VirtualHost>

For Nginx, update the server section with the appropriate server_name:

server {
    server_name  example.com www.example.com;
    # ... existing directives unchanged ...
}

For each domain name, create a DNS record that resolves to your EC2 instance's public IP address. Restart Apache/Nginx before running Certbot.

Refer to the Certbot documentation and Get Help page for more information.

AWS
EXPERT
published 5 months ago