How to install SSL certificate for Nginx server in Amazon Linux
This tutorial will help you configure HTTPS to secure your website, using a certificate from the free certificate authority (CA) Let's Encrypt, for an nginx
server on Amazon Linux. Before you begin, you must have set up a domain name in your EC2 console to point to the public DNS.
We will be using certbot and the Amazon Linux AMI with the user name ec2-user.
Here are the steps:
- Go to /home/ec2-user
  - cd /home/ec2-user
- Install certbot-auto
- Change the permission of certbot-auto
  - chmod a+x ./certbot-auto
- Generate certificate
  - ./certbot-auto certonly --standalone --debug -d yourdomain.com
Fill in the requested information, such as your email address. If this is successful, you'll get a message like:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
  /etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert will
  expire on yyyy-mm-dd. To obtain a new version of the certificate in
  the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
You can verify that the certificate and keys exist:
# Certificate
/etc/letsencrypt/live/yourdomain.com/cert.pem
# Full Chain
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
# Private Key
/etc/letsencrypt/live/yourdomain.com/privkey.pem
- Modify nginx configuration
Now that you have the certificate, configure nginx to accept HTTPS requests.
Open /etc/nginx/nginx.conf and modify:
...
http {
    ...
    server {
        listen 80;
        server_name yourdomain.com;
        location / {
            # Automatically route HTTP to HTTPS
            return 301 https://$server_name$request_uri;
        }
    }
    server {
        listen 443 ssl;
        server_name yourdomain.com;
        ssl_certificate "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
        add_header Strict-Transport-Security "max-age=31536000";
        # other headers
        location / {
            # autoindex lists directory contents when no index file is found;
            # set it to off if listings are not intended
            autoindex on;
            root /yourdomain.com/build/; # root path of your domain's index file
            index index.html;
            try_files $uri $uri/ /index.html;
        }
    }
}
Now, you can start/restart the nginx server.
  - sudo service nginx restart
Note that the certificate expires in 3 months; you can set up a cron job to renew it automatically. Sample cron job:
0 8 28 */3 * /home/ec2-user/certbot-auto renew
10 8 28 */3 * service nginx restart
# Runs at 8AM on 28th of every third month
If the renewal fails, stop nginx and run the renewal process again.
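
Added example (not part of the original tutorial): a simulation that replays the sample cron schedule above against the certificate's lifetime, to show how long the site would serve an expired certificate. It assumes Let's Encrypt's 90-day validity and certbot's default of renewing only when a certificate is within 30 days of expiry; the issue date and the daily schedule used for comparison are constructed.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=90)      # assumed: Let's Encrypt certificate validity
RENEW_WINDOW = timedelta(days=30)  # assumed: certbot's default renewal window

def quarterly_runs(start, end):
    """Firing times of `0 8 28 */3 *`: 08:00 on the 28th of Jan, Apr, Jul, Oct."""
    for year in range(start.year, end.year + 1):
        for month in (1, 4, 7, 10):
            run = datetime(year, month, 28, 8, 0)
            if start < run <= end:
                yield run

def daily_runs(start, end):
    """Firing times of a daily 08:00 entry (`0 8 * * *`), used for comparison."""
    run = start.replace(hour=8, minute=0, second=0, microsecond=0)
    if run <= start:
        run += timedelta(days=1)
    while run <= end:
        yield run
        run += timedelta(days=1)

def simulate(issued, runs, end):
    """Replay `certbot renew` at each run; return (renewal times, time spent expired)."""
    expires = issued + LIFETIME
    renewals, expired_for = [], timedelta(0)
    for run in runs:
        if run < expires - RENEW_WINDOW:
            continue                        # not yet due: certbot leaves the cert alone
        if run > expires:
            expired_for += run - expires    # site served an expired cert until now
        renewals.append(run)
        expires = run + LIFETIME            # assumes the renewal itself succeeds
    if end > expires:
        expired_for += end - expires
    return renewals, expired_for

# Constructed scenario: certificate first issued 2023-03-01 10:00, observed for one year.
ISSUED, END = datetime(2023, 3, 1, 10, 0), datetime(2024, 3, 1, 10, 0)

if __name__ == "__main__":
    for name, runs in (("quarterly", quarterly_runs), ("daily", daily_runs)):
        renewals, expired_for = simulate(ISSUED, runs(ISSUED, END), END)
        print(f"{name:9} renewals={len(renewals)} expired_for={expired_for}")
```

In this constructed year the quarterly entry leaves the certificate expired for about 62 days, because the April run falls outside the renewal window and every later run arrives after expiry. The daily entry never lets it lapse, since `certbot renew` does nothing until a certificate is due.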