How to use Certbot to enable HTTPS with Apache or Nginx on EC2 instances running Amazon Linux 2023 (AL2023)?
Install Certbot on EC2 instances running AL2023 (Amazon Linux 2023), and use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or an Nginx web server, with automated renewal.
Overview
Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.
This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2023 (AL2023) and use it to enable HTTPS (using the HTTP-01 challenge type) on either an Apache or an Nginx web server, with automated certificate renewal.
Other options
If you wish to use AWS Certificate Manager (ACM) certs, refer to Why can't I configure ACM certificates for my website hosted on an EC2 instance? for available options.
Another option is to use Amazon CloudFront with a VPC origin that points to your EC2 instance.
Requirements
Ensure that you have:
- A FQDN (fully qualified domain name) whose DNS entry resolves to your EC2 instance's public internet IP address.
  - If you do not have a domain, you can register a new domain using Amazon Route 53 and create a DNS A record.
  - To prevent the EC2 public IPv4 address from changing, you can associate an Elastic IP address.
- A security group attached to your EC2 instance that allows inbound HTTP and HTTPS from the internet.
The script examples below use the FQDN al2023.example.com. Adjust it to match your own domain.
Install Certbot
sudo dnf install -y certbot python3-certbot-dns-route53 python3-certbot-apache python3-certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer
Using Certbot with Apache web server
Replace al2023.example.com below with your domain name.
Install and Configure Apache
sudo dnf install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>
EOF
sudo systemctl enable --now httpd
Certbot uses Apache virtual hosts to identify websites and install certificates.
Verify DNS entry and web server configuration
FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command works. Output should be similar to the following:
[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
54.169.194.19
54.169.194.19
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Thu, 02 Jan 2025 08:57:53 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html; charset=UTF-8
Request and install HTTPS cert
sudo certbot --apache
Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and input your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.
Using Certbot with Nginx web server
Replace al2023.example.com below with your domain name.
Install and Configure Nginx
FQDN=al2023.example.com
sudo dnf install -y nginx
sudo sed -i "s/server_name _;/server_name $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable --now nginx
Certbot uses Nginx server names to identify websites and install certificates.
Verify DNS entry and web server configuration
FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN
Ensure that both IP addresses match and that the curl command works. Output should be similar to the following:
[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
18.139.110.156
18.139.110.156
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 02 Jan 2025 09:09:26 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 22 Oct 2024 19:09:19 GMT
Connection: keep-alive
ETag: "6717f85f-267"
Accept-Ranges: bytes
Request and install HTTPS cert
sudo certbot --nginx
Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.
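The two "Verify DNS entry and web server configuration" steps above ask you to compare the checkip and dig output by eye and to confirm that curl gets an answer on port 80. The script below is an added example (not from the re:Post article and not part of Certbot) that performs those two checks programmatically and, when invoked with --run, follows them with the non-interactive equivalent of sudo certbot --apache or sudo certbot --nginx. The FQDN, WEBSERVER and CERTBOT_EMAIL environment variables and the --run switch are assumptions of this example; dig and curl must be installed on the instance. It is stricter than the manual check in one respect: every A record returned for the name must point at this instance, because a stray record pointing elsewhere makes the HTTP-01 validation non-deterministic.

```shell
#!/bin/sh
# Added pre-flight check for the HTTP-01 flow described above (example code,
# not from the article or from Certbot). Assumed inputs, supplied via the
# environment when run with --run: FQDN, WEBSERVER (apache|nginx), CERTBOT_EMAIL.

# dns_matches_public_ip PUBLIC_IP RESOLVED
#   RESOLVED is the whitespace-separated output of `dig +short FQDN`.
#   Succeeds only when at least one IPv4 A record is present and every A record
#   equals PUBLIC_IP. CNAME targets (tokens containing letters) are skipped.
dns_matches_public_ip() {
    pub=$1
    resolved=$2
    seen=0
    [ -n "$pub" ] || return 1
    for ip in $resolved; do
        case "$ip" in
            *[!0-9.]*) continue ;;          # not a dotted-quad: CNAME target etc.
        esac
        [ "$ip" = "$pub" ] || return 1      # a record pointing elsewhere: fail
        seen=1
    done
    [ "$seen" -eq 1 ]
}

# http_reachable STATUS_CODE
#   Any HTTP status means the web server answered on port 80 (the stock Apache
#   page returns 403, as shown above). curl reports "000" when no connection
#   could be made, e.g. when the security group blocks inbound HTTP.
http_reachable() {
    case "$1" in
        [1-5][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight FQDN -> returns 0 when the DNS and HTTP checks both pass
preflight() {
    fqdn=$1
    public_ip=$(curl -s https://checkip.amazonaws.com)
    resolved=$(dig +short "$fqdn")
    if ! dns_matches_public_ip "$public_ip" "$resolved"; then
        echo "FAIL: $fqdn resolves to [$resolved]; instance public IP is $public_ip" >&2
        return 1
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "http://$fqdn/")
    if ! http_reachable "$code"; then
        echo "FAIL: no HTTP answer from $fqdn on port 80 (check security group and service)" >&2
        return 1
    fi
    echo "OK: $fqdn -> $public_ip, HTTP status $code"
}

# Only touch the network and run certbot when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    : "${FQDN:?set FQDN}" "${WEBSERVER:?set WEBSERVER to apache or nginx}" "${CERTBOT_EMAIL:?set CERTBOT_EMAIL}"
    preflight "$FQDN" || exit 1
    # Non-interactive form of `sudo certbot --apache` / `sudo certbot --nginx`;
    # --redirect has the installer add an HTTP-to-HTTPS redirect to the site.
    sudo certbot "--$WEBSERVER" --non-interactive --agree-tos \
        -m "$CERTBOT_EMAIL" -d "$FQDN" --redirect
fi
```

Run it as FQDN=al2023.example.com WEBSERVER=nginx CERTBOT_EMAIL=you@example.com sh preflight.sh --run. The DNS comparison fails early, before Certbot contacts Let's Encrypt, so a typo in the A record costs nothing against the Let's Encrypt rate limits.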
Verification
Verify certificate
To display information about the certificates you have obtained with Certbot:
sudo certbot certificates
Verify installation
Browse to your website to verify that the HTTPS certificate is installed.
Automated Renewal
Certbot uses the certbot-renew systemd timer, which runs daily, to automatically renew any certificate 30 days before its expiry date. To watch certbot-renew in operation:
journalctl -u certbot-renew -f
No renewal
If the certificate is not yet due to expire, the output should contain the following lines:
Oct 08 11:26:10... systemd[1]: Starting certbot-renew.service - This service automatically renews any certbot certificates found...
Oct 08 11:26:11... certbot[279708]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: Processing /etc/letsencrypt/renewal/al2023.example.com.conf
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: Certificate not yet due for renewal
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: The following certificates are not due for renewal yet:
Oct 08 11:26:11... certbot[279708]: /etc/letsencrypt/live/al2023.example.com/fullchain.pem expires on 2024-11-07 (skipped)
Oct 08 11:26:11... certbot[279708]: No renewals were attempted.
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:12... systemd[1]: certbot-renew.service: Deactivated successfully.
Oct 08 11:26:12... systemd[1]: Finished certbot-renew.service - This service automatically renews any certbot certificates found.
Renewal
For certificates that are renewed, the output looks like this:
Oct 08 13:15:30... systemd[1]: Starting certbot-renew.service - This service automatically renews any certbot certificates found...
Oct 08 13:15:31... certbot[286750]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Oct 08 13:15:31... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:15:31... certbot[286750]: Processing /etc/letsencrypt/renewal/al2023.example.com.conf
Oct 08 13:15:31... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:15:32... certbot[286750]: Renewing an existing certificate for al2023.example.com
Oct 08 13:16:10... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:16:10... certbot[286750]: Congratulations, all renewals succeeded:
Oct 08 13:16:10... certbot[286750]: /etc/letsencrypt/live/al2023.example.com/fullchain.pem (success)
Oct 08 13:16:10... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:16:11... systemd[1]: certbot-renew.service: Deactivated successfully.
Oct 08 13:16:11... systemd[1]: Finished certbot-renew.service - This service automatically renews any certbot certificates found.
Oct 08 13:16:11... systemd[1]: certbot-renew.service: Consumed 1.373s CPU time.
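The journal excerpts above are what a human reads; on a fleet you want a machine-readable answer to "did the last certbot-renew run succeed, and how long does the current certificate have left?". The script below is an added example (not from the re:Post article and not part of Certbot) that classifies certbot-renew journal output into renewed / not-due / failed / unknown using the phrases shown above plus Certbot's own failure wording ("renewals failed", "renew failure"), extracts the "expires on" date, and computes days remaining in pure POSIX shell so it does not depend on GNU date -d. The sample journal lines embedded in it are constructed from the output shown above; the --live switch and the 50-line journal window are assumptions of this example.

```shell
#!/bin/sh
# Added helper for reading certbot-renew output (example code, not from the
# article or from Certbot). All date arithmetic is done in pure shell.

# jdn YYYY-MM-DD -> Julian day number, so two dates can be subtracted.
jdn() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}          # drop a leading zero so $(( )) never sees 08/09 as octal
    a=$(( (14 - m) / 12 ))
    y=$(( y + 4800 - a ))
    m=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * m + 2) / 5 + 365 * y + y / 4 - y / 100 + y / 400 - 32045 ))
}

# days_until TODAY EXPIRY -> whole days remaining
days_until() { echo $(( $(jdn "$2") - $(jdn "$1") )); }

# needs_renewal TODAY EXPIRY -> succeeds when fewer than 30 days remain.
#   Day-granular approximation of Certbot's default 30-day window; Certbot
#   itself compares full timestamps, which is why the journal above shows
#   "not yet due" in the morning and a renewal in the afternoon of the same day.
needs_renewal() { [ "$(days_until "$1" "$2")" -lt 30 ]; }

# renewal_status <journal lines on stdin> -> renewed | not-due | failed | unknown
#   Failure is tested first so a partially failed run is never reported as success.
renewal_status() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q -e 'renewals failed' -e 'renew failure'; then
        echo failed
    elif printf '%s\n' "$log" | grep -q 'all renewals succeeded'; then
        echo renewed
    elif printf '%s\n' "$log" | grep -q 'No renewals were attempted'; then
        echo not-due
    else
        echo unknown
    fi
}

# expiry_from_log <journal lines on stdin> -> first "expires on YYYY-MM-DD" date, if any
expiry_from_log() { sed -n 's/.*expires on \([0-9-]*\).*/\1/p' | head -n 1; }

# Constructed sample input, abridged from the journal output shown above.
NOT_DUE_LOG='Oct 08 11:26:11 ip certbot[279708]: Processing /etc/letsencrypt/renewal/al2023.example.com.conf
Oct 08 11:26:11 ip certbot[279708]: Certificate not yet due for renewal
Oct 08 11:26:11 ip certbot[279708]: /etc/letsencrypt/live/al2023.example.com/fullchain.pem expires on 2024-11-07 (skipped)
Oct 08 11:26:11 ip certbot[279708]: No renewals were attempted.'
RENEWED_LOG='Oct 08 13:15:32 ip certbot[286750]: Renewing an existing certificate for al2023.example.com
Oct 08 13:16:10 ip certbot[286750]: Congratulations, all renewals succeeded:
Oct 08 13:16:10 ip certbot[286750]: /etc/letsencrypt/live/al2023.example.com/fullchain.pem (success)'

# With --live, classify the most recent real run from the journal.
if [ "${1:-}" = "--live" ]; then
    status=$(journalctl -u certbot-renew --no-pager -n 50 | renewal_status)
    echo "last certbot-renew run: $status"
    [ "$status" = renewed ] || [ "$status" = not-due ] || exit 1
fi
```

A non-zero exit from sh renew-check.sh --live is the condition to alert on: a run that reports failed or unknown while the certificate still has weeks left gives you time to fix DNS, the security group or the web server configuration before the certificate actually lapses.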
More information
Refer to the Certbot User Guide.
Multiple domains on a single certificate
Certbot supports multiple domains on a single certificate. You will need to modify your Apache or Nginx website configuration.
For Apache, update the VirtualHost section with the appropriate ServerName and ServerAlias:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html
# other directives unchanged
</VirtualHost>
For Nginx, update the server section with the appropriate server_name:
server {
server_name example.com www.example.com;
# other directives unchanged
}
For each domain name, create a DNS record that resolves to your EC2 instance's public IP address. Restart Apache or Nginx before running Certbot.
Refer to Certbot documentation and Get Help page for more information.