Certbot is an ACME client that enables HTTPS on your website by deploying Let’s Encrypt certificates. Let’s Encrypt is a free, automated, and open Certificate Authority.
To learn more about Let’s Encrypt, visit https://letsencrypt.org/getting-started/ and for Certbot, visit https://certbot.eff.org/
Let’s set it up with nginx on Amazon Linux by following these steps.
- Create an EC2 instance on AWS
- Install Certbot
- Install Nginx
- Configure Domain
- Run Certbot
- Modify Nginx Configuration
Create an EC2 instance on AWS
I’m skipping this part. Just make sure that ports 443 (SSL) and 22 (SSH) are open and that you have SSH access.
Install Certbot
```sh
$ ssh -i ~/.ssh/my-aws.pem ec2-user@xxx.xxx.xxx.xxx
$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto
```
Install Nginx
```sh
$ sudo yum install nginx -y
# Nginx must be stopped during Certbot installation
$ sudo service nginx stop
```
Configure Domain
Configure your domain to point to the EC2 instance. You can do it with Route53 or any other domain registrars. I’m skipping this part as well.
Run Certbot
```sh
# become a root user
$ sudo su -
# Amazon Linux support is currently experimental, so don't forget to add the "--debug" option.
# This will update the script itself when you run it for the first time.
$ certbot-auto certonly --standalone -d example.com --debug
# Follow the prompts and finally, you'll get a message like the following:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on
   yyyy-mm-dd. To obtain a new version of the certificate in the future, simply
   run Certbot again.
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```
Modify Nginx Configuration
Assuming you want to redirect all HTTP requests to HTTPS, open your nginx config file. Its path depends on your OS and settings, but it is usually /etc/nginx/nginx.conf.
```sh
$ cd /etc/nginx
$ cp nginx.conf nginx.conf.org
$ vi nginx.conf
```
Change the file as follows, setting `ssl_certificate` and `ssl_certificate_key` to the paths you got from the previous step.
```nginx
server {
    listen 80;
    server_name example.com;
    # Redirect all http requests to https
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=31536000" always;
    [....]
}
```
Restart nginx after the change.
```sh
$ service nginx start
```
Now open https://example.com and check that it’s actually working!
[To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"]
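As an added example (not code from the original post or from Certbot), here is a small Python audit of the nginx layout described above: it checks that the port-80 server redirects to HTTPS, that the TLS server points `ssl_certificate` at fullchain.pem rather than a bare certificate, and that the HSTS header is sent with `always`. The two sample configs are constructed inline, and the parser only understands `server { ... }` blocks and simple directives, not the full nginx grammar.

```python
import re
# Constructed samples: the tutorial's hardened layout, and a weak variant
# (no redirect, bare cert.pem without the chain, no HSTS) for contrast.
GOOD_CONF = """server { listen 80; server_name example.com;
  return 301 https://$server_name$request_uri; }
server { listen 443 ssl; server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  add_header Strict-Transport-Security "max-age=31536000" always;
  location / { root /usr/share/nginx/html; } }"""
WEAK_CONF = """server { listen 80; server_name example.com; location / { root /var/www; } }
server { listen 443 ssl; server_name example.com;
  ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; }"""

def server_blocks(conf):
    """Bodies of every `server { ... }` block, comments stripped, nested braces respected."""
    text = re.sub(r"#[^\n]*", "", conf)
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        blocks.append(text[m.end():i - 1])
    return blocks

def directive(block, name):
    """Value of the first `name ...;` directive in a block, or None if absent."""
    m = re.search(r"\b%s\s+([^;]+);" % name, block)
    return m.group(1).strip() if m else None

def audit(conf):
    """Findings for the HTTP-to-HTTPS layout; an empty list means every check passed."""
    findings = []
    for b in server_blocks(conf):
        listen = directive(b, "listen") or ""
        if "ssl" not in listen.split():
            if "return 301 https://" not in b:
                findings.append("plain server on '%s': no 301 redirect to https" % listen)
            continue
        cert = directive(b, "ssl_certificate")
        if not cert or not cert.endswith("fullchain.pem"):
            findings.append("tls server: ssl_certificate should be fullchain.pem so clients get the chain")
        hsts = directive(b, "add_header Strict-Transport-Security")
        if hsts is None:
            findings.append("tls server: no Strict-Transport-Security header")
        elif "always" not in hsts.split():
            findings.append("tls server: HSTS add_header lacks 'always' (not sent on 4xx/5xx)")
    return findings
```

Run `audit()` on the contents of your own nginx.conf after editing it; an empty list means the three checks pass.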