Adding Free SSL Certificate and HTTPS to Nginx on Amazon Linux with Let's Encrypt and Certbot

#

​Certbot is an ACME client which enables HTTPS on your website deploying Let’s Encrypt certificates. Let’s Encrypt is a free, automated, and openCertificate Authority.

To know more about Let’s Encrypt, visit https://letsencrypt.org/getting-started/ and for Certbot, visit https://certbot.eff.org/

Let’s set it up with nginx on Amazon Linux by following steps.

  • Create an EC2 instance on AWS
  • Install Certbot
  • Install Nginx
  • Configure Domain
  • Run Certbot
  • Modify Nginx Configuration

Create an EC2 instance on AWS

I’m skipping this part. Just make sure that the port 443(SSL) and 22(SSH) is open and you have SSH access.

Install Certbot

$ ssh -i ~/.ssh/my-aws.pem ec2-user@xxx.xxx.xxx.xxx
$ curl -O https://dl.eff.org/certbot-auto
$ chmod +x certbot-auto
$ sudo mv certbot-auto /usr/local/bin/certbot-auto 

Install Nginx

$ sudo yum install nginx -y
# Nginx must be stopped during Certbot installation
$ sudo service nginx stop 

Configure Domain

Configure your domain to point to the EC2 instance. You can do it with Route53 or any other domain registrars. I’m skipping this part as well.

Run Certbot

# become a root user
$ sudo su -

# Amazon Linux support is currently experimental, so don't forget to add "--debug" option. This will update the script itself when you run it for the first time
$ certbot-auto certonly --standalone -d example.com --debug

# Follow the prompts and finally, you'll get a message like following

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
   expire on yyyy-mm-dd. To obtain a new version of the certificate in
   the future, simply run Certbot again.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

https-screenshot-1.png

https-screenshot-2.png

Modify Nginx Configuration

Assuming you want to redirect all HTTP requests to HTTPS. Open your nginxconfig file. It may be located in different path based on your OS and settings, but usually located on etc/nginx/nginx.conf.

$ cd /etc/nginx
$ cp nginx.conf nginx.conf.org
$ vi nginx.conf

Change the file as follows. Use `ssl_certificate` and `ssl_certificate_key`, got from previous step.

server {
       listen         80;
       server_name    example.com;
       # Redirect all http requests to https
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    example.com;
       ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
       ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Restart nginx after the change.

$ service nginx start

Now open https://example.com and check that it’s actually working!

[To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"]


コメント欄を読み込み中