How to install SSL certificate for Nginx server in Amazon Linux

This tutorial will help you to configure HTTPS to secure your website using a free SSL certificate authority (CA) letsencrypt for the nginx server in Amazon Linux. Before you begin you must have set up a domain name in your EC2 console to point to the public DNS.

We will be using certbot and Amazon Linux AMI with the user name ec2-user.

Here are the steps:

• Go to home/ec2-user

- cd /home/ec2-user

• Install certbot-auto

• Change the permission of certbot-auto

- chmod a+x ./certbot-auto

• Generate certificate

- ./certbot-auto certonly --standalone --debug -d yourdomain.com

Fill in the information asked like your email address. If this is successful, you’ll get a message like:

- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert will
expire on yyyy-mm-dd. To obtain a new version of the certificate in
the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   
Donating to EFF:                    
IMPORTANT NOTES:- Congratulations! Your certificate and chain have been saved at/etc/letsencrypt/live//fullchain.pem. Your cert willexpire on. To obtain a new version of the certificate inthe future, simply run Certbot again.- If you like Certbot, please consider supporting our work by:Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le 

You can verify that the certificate and keys exist:

# Certificate
/etc/letsencrypt/live/yourdomain.com/ /cert.pem
# Full Chain 
/etc/letsencrypt/live/yourdomain.com/ /fullchain.pem
# Private Key 
/etc/letsencrypt/live/yourdomain.com/ /privkey.pem

• Modify nginx configuration

Now you’ve got the certificate, we need to configure the nginx for it to take up HTTPS requests.

Open /etc/nginx/nginx.conf and modify:

...
http {
  ...
  
 server {
       listen 80;
       server_name yourdomain.com;

         # Automatically route HTTP to HTTPS
               return 301 
       }
}
location /{# Automatically route HTTP to HTTPSreturn 301 https://$server_name$request_uri 
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
    ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
    
    add_header Strict-Transport-Security "max-age=31536000";
    #other headers
    location / {
      autoindex on;
      root /yourdomain.com/build/; #root path of your domain's index file
      index index.html;
      try_files $uri $uri/ /index.html;
    }
  }
}

Now, you can start/restart the nginx server.

- sudo service nginx restart

Note that the certificate expires in 3 months, you can set up a cron job to automatically renew it. Sample cron job:

Add cron job to renew certificate like:
0 8 28 */3 * /home/ec2-user/certbot-auto renew
10 8 28 */3 * service nginx restart
# Runs at 8AM on 28th of every third month 
If renew fails, then stop nginx and do the renew process again