This tutorial shows how to configure HTTPS for a website served by nginx on Amazon Linux, using a free certificate from the Let's Encrypt certificate authority (CA). Before you begin, you must have a domain name whose DNS record points to the public DNS name of your EC2 instance.
We will be using certbot on the Amazon Linux AMI, with the user name ec2-user.
Here are the steps:
- `cd /home/ec2-user`
- `wget https://dl.eff.org/certbot-auto`
- `chmod a+x ./certbot-auto`
- `./certbot-auto certonly --standalone --debug -d yourdomain.com`
In standalone mode certbot starts its own temporary web server on port 80 to answer the CA's validation request, so nothing else (such as nginx) may be listening on that port while the command runs.
Fill in the information it asks for, such as your email address. If this is successful, you'll get a message like:
```
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert will
expire on yyyy-mm-dd. To obtain a new version of the certificate in
the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
```
You can verify that the certificate and key files exist (the files under live/ are symlinks that certbot repoints on every renewal, so these paths stay valid):
- Certificate: `/etc/letsencrypt/live/yourdomain.com/cert.pem`
- Full chain: `/etc/letsencrypt/live/yourdomain.com/fullchain.pem`
- Private key: `/etc/letsencrypt/live/yourdomain.com/privkey.pem`
**nginx configuration**
Now that you have the certificate, we need to configure nginx to serve HTTPS requests.
Open /etc/nginx/nginx.conf and add the two server blocks below inside the http block. The first answers plain HTTP only with a redirect; the second serves the site over TLS:

```nginx
...
http {
    ...
    server {
        listen 80;
        server_name yourdomain.com;
        location / {
            ## Automatically route HTTP to HTTPS
            return 301 https://$server_name$request_uri;
        }
    }
    server {
        listen 443 ssl;
        server_name yourdomain.com;
        ssl_certificate "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
        ## Tell browsers to use HTTPS only for the next year (31536000 seconds)
        add_header Strict-Transport-Security "max-age=31536000";
        #other headers
        location / {
            autoindex on; ## lists directory contents when no index file matches; turn it off unless you need it
            root /yourdomain.com/build/; #root path of your domain's index file
            index index.html;
            try_files $uri $uri/ /index.html;
        }
    }
}
```
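As an added check that is not part of the original tutorial, the script below lints nginx server blocks for the four settings this page depends on: the HTTP-to-HTTPS redirect, a certificate path that uses fullchain.pem, an HSTS max-age of at least the one year used above, and directory listing. The embedded configuration is a constructed sample, not the author's, with three weak settings introduced on purpose so the checker has something to report.

```python
import re

# Constructed sample (not the tutorial verbatim): its two server blocks with three
# weak settings introduced on purpose: cert.pem, a tiny HSTS max-age, autoindex on.
SAMPLE_CONF = """
server {
    listen 80;
    server_name yourdomain.com;
    location / { return 301 https://$server_name$request_uri; }
}
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate "/etc/letsencrypt/live/yourdomain.com/cert.pem";
    ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
    add_header Strict-Transport-Security "max-age=300";
    location / { autoindex on; root /yourdomain.com/build/; index index.html; }
}
"""

def directives(conf):
    """Strip '#' comments and return each directive as a 'name args' string."""
    text = re.sub(r"#.*", "", conf)
    return [d.strip() for d in re.split(r"[;{}]", text) if d.strip()]

def check_tls_config(conf):
    """Return findings for the settings this tutorial's HTTPS setup relies on."""
    ds = directives(conf)
    findings = []
    # Plain HTTP must be redirected, not served, for HSTS to do its job.
    if not any(re.fullmatch(r"return\s+301\s+https://.*", d) for d in ds):
        findings.append("no 301 redirect from HTTP to HTTPS")
    # nginx has no separate chain directive: ssl_certificate must be the full chain.
    cert = next((d.split(None, 1)[1].strip("\"'") for d in ds
                 if d.startswith("ssl_certificate ")), None)
    if cert is None:
        findings.append("ssl_certificate missing")
    elif not cert.endswith("fullchain.pem"):
        findings.append("ssl_certificate should point at fullchain.pem, not "
                        + cert.rsplit("/", 1)[-1])
    # HSTS protects returning visitors only for max-age; the tutorial uses one year.
    m = re.search(r"max-age=(\d+)",
                  " ".join(d for d in ds if "Strict-Transport-Security" in d))
    if not m:
        findings.append("HSTS header missing")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year (%s)" % m.group(1))
    # Directory listings reveal every file under root; keep autoindex off.
    if "autoindex on" in ds:
        findings.append("autoindex on exposes directory listings")
    return findings
```

Run it over /etc/nginx/nginx.conf before restarting; it complements `sudo nginx -t`, which validates syntax but not these settings.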
Now you can start or restart the nginx server:
- `sudo service nginx restart`
Note that the certificate expires after 3 months, so set up a cron job to renew it automatically. A sample cron job, added to root's crontab so that it is allowed to restart nginx:

```
0 8 28 */3 * /home/ec2-user/certbot-auto renew
10 8 28 */3 * service nginx restart
## Runs at 8AM on the 28th of every third month
```

If the renewal fails, stop nginx and run the renewal again: in standalone mode certbot has to listen on port 80 itself, which it cannot do while nginx holds that port. Certbot's `--pre-hook` and `--post-hook` options can run the stop and start commands around each renewal for you.
#lets-encrypt #nginx #aws #https #certbot #linux