How to use Certbot to enable HTTPS with Apache or Nginx on EC2 instances running Amazon Linux 2023 (AL2023)?

7 minute read
Content level: Intermediate

Install Certbot on EC2 instances running Amazon Linux 2023 (AL2023) and use it to request and install a Let's Encrypt SSL/TLS certificate on either an Apache or an Nginx web server, with automated renewal.

Overview

Certbot is a tool to obtain SSL/TLS certificates from Let's Encrypt and (optionally) auto-enable HTTPS on your server.

This article shows how to install Certbot on Amazon EC2 instances running Amazon Linux 2023 (AL2023) and use it to enable HTTPS (using the HTTP-01 challenge type) on either an Apache or an Nginx web server, with automated certificate renewal.

Other options

If you wish to use AWS Certificate Manager (ACM) certificates, refer to "Why can't I configure ACM certificates for my website hosted on an EC2 instance?" for the available options.

Another option is to use Amazon CloudFront with VPC Origin to your EC2 instance.

Requirements

Ensure that you have

The script examples below use the FQDN al2023.example.com; adjust it to your own domain name.

Install Certbot

sudo dnf install -y certbot python3-certbot-dns-route53 python3-certbot-apache python3-certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer

Using Certbot with Apache web server

Replace al2023.example.com below with your domain name.

Install and Configure Apache

sudo dnf install -y httpd mod_ssl
sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
</VirtualHost>
EOF

sudo systemctl enable --now httpd

Certbot uses Apache Virtual Hosts to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. The HTTP-01 challenge requires Let's Encrypt to reach your server over port 80, so the DNS record must point at the instance and inbound TCP port 80 must be allowed. Output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
54.169.194.19
54.169.194.19
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 403 Forbidden
Date: Thu, 02 Jan 2025 08:57:53 GMT
Server: Apache/2.4.62 (Amazon Linux) OpenSSL/3.0.8
Last-Modified: Mon, 11 Jun 2007 18:53:14 GMT
ETag: "2d-432a5e4a73a80"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html; charset=UTF-8

Request and install HTTPS cert

sudo certbot --apache

Enter a valid email address, agree to the Let's Encrypt Terms of Service, optionally subscribe to the EFF mailing list, and input your FQDN to have Certbot request and install an HTTPS certificate on your Apache server.

[Image: Certbot with Apache on AL2023]

Using Certbot with Nginx web server

Replace al2023.example.com below with your domain name.

Install and Configure Nginx

FQDN=al2023.example.com

sudo dnf install -y nginx
sudo sed -i "s/server_name  _;/server_name  $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable --now nginx

Certbot uses Nginx Server Names to identify web sites and install certificates.

Verify DNS entry and web server configuration

FQDN=al2023.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Ensure that both IP addresses match and that the curl command works. Output should be similar to the following:

[ec2-user@ip ~]$ FQDN=al2023.example.com
[ec2-user@ip ~]$ curl checkip.amazonaws.com && dig +short $FQDN
18.139.110.156
18.139.110.156
[ec2-user@ip ~]$ curl -I $FQDN
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Thu, 02 Jan 2025 09:09:26 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Tue, 22 Oct 2024 19:09:19 GMT
Connection: keep-alive
ETag: "6717f85f-267"
Accept-Ranges: bytes

Request and install HTTPS cert

sudo certbot --nginx

Enter a valid email address, agree to the Let's Encrypt Terms of Service, and optionally subscribe to the EFF mailing list to have Certbot request and install an HTTPS certificate on your Nginx server.

[Image: Certbot with Nginx on AL2023]

Verification

Verify certificate

To display information about the certificates you have obtained with Certbot:

sudo certbot certificates

[Image: Display certificate info]

Verify installation

Browse to your web site to verify that the HTTPS certificate is installed.

[Image: Browser verification]

Automated Renewal

Certbot uses the certbot-renew systemd timer, which runs daily, to renew any certificate that is within 30 days of its expiry date. To verify certbot-renew operation:

journalctl -u certbot-renew -f

No renewal

If the certificate is not yet due for renewal, the output should contain the following snippets of text:

Oct 08 11:26:10... systemd[1]: Starting certbot-renew.service - This service automatically renews any certbot certificates found...
Oct 08 11:26:11... certbot[279708]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: Processing /etc/letsencrypt/renewal/al2023.example.com.conf
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: Certificate not yet due for renewal
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:11... certbot[279708]: The following certificates are not due for renewal yet:
Oct 08 11:26:11... certbot[279708]:   /etc/letsencrypt/live/al2023.example.com/fullchain.pem expires on 2024-11-07 (skipped)
Oct 08 11:26:11... certbot[279708]: No renewals were attempted.
Oct 08 11:26:11... certbot[279708]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 11:26:12... systemd[1]: certbot-renew.service: Deactivated successfully.
Oct 08 11:26:12... systemd[1]: Finished certbot-renew.service - This service automatically renews any certbot certificates found.

Renewal

For certificates that are renewed, the output looks like this:

Oct 08 13:15:30... systemd[1]: Starting certbot-renew.service - This service automatically renews any certbot certificates found...
Oct 08 13:15:31... certbot[286750]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Oct 08 13:15:31... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:15:31... certbot[286750]: Processing /etc/letsencrypt/renewal/al2023.example.com.conf
Oct 08 13:15:31... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:15:32... certbot[286750]: Renewing an existing certificate for al2023.example.com
Oct 08 13:16:10... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:16:10... certbot[286750]: Congratulations, all renewals succeeded:
Oct 08 13:16:10... certbot[286750]:   /etc/letsencrypt/live/al2023.example.com/fullchain.pem (success)
Oct 08 13:16:10... certbot[286750]: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Oct 08 13:16:11... systemd[1]: certbot-renew.service: Deactivated successfully.
Oct 08 13:16:11... systemd[1]: Finished certbot-renew.service - This service automatically renews any certbot certificates found.
Oct 08 13:16:11... systemd[1]: certbot-renew.service: Consumed 1.373s CPU time.

More information

Refer to the Certbot User Guide.

Multiple domains on a single certificate

Certbot supports multiple domains on a single certificate. You need to modify your Apache or Nginx website configuration accordingly.

For Apache, update the VirtualHost section with the appropriate ServerName and ServerAlias:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
</VirtualHost>

For Nginx, update the server block with the appropriate server_name:

server {
    listen       80;
    server_name  example.com www.example.com;
}

For each domain name, create a DNS record that resolves to your EC2 instance's public IP address. Restart Apache or Nginx before running Certbot.
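The following script is an added example, not part of the original article: it inspects the certificate Certbot installed (the "Verify certificate" step above) directly with openssl, confirming that every name the Apache or Nginx configuration serves is present in its subjectAltName and reporting whether the certificate is inside the 30-day window in which certbot-renew would renew it. It assumes Certbot's default /etc/letsencrypt/live/<FQDN>/fullchain.pem path; the domain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): check a Certbot-issued
# certificate for SAN coverage and renewal status using openssl only.
# Assumes Certbot's default /etc/letsencrypt layout; names are placeholders.
set -eu

RENEW_DAYS=30   # certbot-renew renews certificates this many days before expiry

# Print the DNS names listed in the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort -u
}

# Return 0 if every name given after the certificate path is in its SAN list,
# 1 otherwise (each missing name is reported on stderr).
cert_covers() {
  crt=$1; shift
  names=$(cert_dns_names "$crt")
  missing=0
  for n in "$@"; do
    if ! printf '%s\n' "$names" | grep -qxF -- "$n"; then
      echo "missing from certificate: $n" >&2
      missing=1
    fi
  done
  return $missing
}

# Return 0 if the certificate expires within RENEW_DAYS (certbot-renew would
# renew it on its next daily run), 1 if it is not yet due.
cert_due_for_renewal() {
  ! openssl x509 -in "$1" -noout -checkend $((RENEW_DAYS * 86400))
}

# Stand-alone usage: check-cert.sh al2023.example.com www.al2023.example.com
main() {
  cert=/etc/letsencrypt/live/$1/fullchain.pem
  if cert_covers "$cert" "$@"; then
    echo "certificate covers: $*"
  fi
  if cert_due_for_renewal "$cert"; then
    echo "within the ${RENEW_DAYS}-day window: certbot-renew will renew it on its next run"
  else
    echo "not yet due: $(openssl x509 -in "$cert" -noout -enddate)"
  fi
}
if [ $# -gt 0 ]; then
  main "$@"
fi
```

Run it with the FQDN followed by every ServerAlias or extra server_name; a non-zero exit from cert_covers means a name was added to the web server configuration but Certbot has not yet been re-run to include it on the certificate.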

Refer to Certbot documentation and Get Help page for more information.

AWS EXPERT, published 2 months ago