Monthly Archives: May 2017

Install Let’sEncrypt ssl certificate in nginx hosted on Amazon Linux

AWS Certificate Manager issues certificates for free, but they can only be attached to an ELB (or CloudFront), not to an EC2 instance directly, so for a single instance you would be paying for a load balancer (roughly $20 a month at the time of writing) just to terminate TLS. The alternative is to get a free certificate from Let's Encrypt and install it in the nginx running on the EC2 instance itself; the trade-off is that the instance must then handle issuance and renewal on its own.

Here are the steps for that:

  1. Get letsencrypt (the client has since been renamed certbot; letsencrypt-auto is the bootstrap script in the checkout that installs its own dependencies)

    git clone && cd letsencrypt/

  2. Create a config file for the certificate request, so the same settings can be reused for renewals

    # File: /etc/letsencrypt/config.ini
    # the domain(s) we want to get the cert for (comma-separated)
    domains =

    # key size
    rsa-key-size = 4096

    # this address receives expiry warnings from Let's Encrypt if renewal ever fails
    email =

    # turn off the ncurses UI, we want this to be run as a cronjob
    text = True

    # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
    # LE fetch it over plain HTTP; nginx must therefore serve that path from this directory for the domain
    authenticator = webroot
    webroot-path = /var/www/html

  3. Now request the certificate. Let's Encrypt validates the domain by having the client drop a token file under the webroot-path from the config file (in .well-known/acme-challenge/) and fetching it over HTTP on port 80, so nginx must already be serving that directory for the domain before you run this. Give the domain after -d (it must match the domains line in the config file):

    sudo ./letsencrypt-auto --config /etc/letsencrypt/config.ini certonly -d

4 files are created under /etc/letsencrypt/live/ in a sub-directory named after the domain. They are symlinks to the versioned copies in /etc/letsencrypt/archive/, so the paths below stay valid after every renewal:

  • cert.pem: your domain's certificate
  • chain.pem: the Let's Encrypt intermediate certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: your certificate's private key (readable by root only; keep it that way)

You will need the last two files for your nginx configuration. nginx sends exactly the file in ssl_certificate to the client, so it must be fullchain.pem rather than cert.pem: clients that do not already cache the Let's Encrypt intermediate cannot build the chain otherwise and reject the connection.

4. Now edit your nginx config. The Amazon Linux package ships a commented-out "TLS enabled server" block in nginx.conf; the version below fills it in and closes every block:

# File: /etc/nginx/nginx.conf

# Settings for a TLS enabled server.

    server {
        listen       *:443 ssl;
        root         /var/www/html;

        # "ssl on;" is not needed (and is deprecated): the ssl flag on listen already enables TLS.
        # Point these at fullchain.pem and privkey.pem in the domain's directory under /etc/letsencrypt/live/
        ssl_certificate      "/etc/letsencrypt/live/";
        ssl_certificate_key  "/etc/letsencrypt/live/";

        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048
        ssl_dhparam "/etc/letsencrypt/dhparams.pem";

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  10m;

        # TLS 1.0 and 1.1 are obsolete; only add them back if you must support clients that cannot do TLS 1.2
        ssl_protocols TLSv1.2;

        # only has an effect together with an explicit ssl_ciphers list; nginx's default (HIGH:!aNULL:!MD5) is used here
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            root /var/www/html/yourdomain;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

And don't forget to send plain-HTTP requests to HTTPS. Two details matter here: the redirect uses $host rather than $server_name, because this block sets no server_name and $server_name would then be empty; and the ACME challenge path is served straight from the webroot-path in config.ini before the redirect, so renewals keep working even if the TLS side is broken or the certificate has already expired:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Let's Encrypt fetches http://yourdomain/.well-known/acme-challenge/<token>
    # over plain HTTP; serve it from webroot-path, never redirect it
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

5. Check the configuration and reload nginx

sudo nginx -t && sudo service nginx reload

nginx -t catches a typo, an unclosed block or an unreadable key file before the reload, instead of letting the reload fail on the running server. Now you should be ok with
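The config.ini comment above says the client is meant to run from cron, but the post never shows the renewal job. Here is one, as an added example that is not part of the original post. It assumes, since the page does not say, that the letsencrypt checkout lives in /opt/letsencrypt, that the domain's directory is /etc/letsencrypt/live/yourdomain, and that nginx is controlled with service as on Amazon Linux. The renew subcommand is deliberately run without --config: it refuses to run when a domains setting is present (the page's config.ini has one), and it does not need it anyway because the webroot path and key size were saved under /etc/letsencrypt/renewal/ at issuance. The part worth copying is the check at the end: renewal fails silently (changed DNS, a moved webroot, the challenge location removed), so the job exits non-zero, and cron mails you, whenever the live certificate is still close to expiry after the run.

```shell
#!/bin/sh
# Added example (not from the original post): unattended Let's Encrypt renewal
# for the nginx setup above, run daily from root's crontab, e.g.
#   17 3 * * * /usr/local/bin/le-renew.sh run >> /var/log/le-renew.log 2>&1
# Assumptions not stated on the page: the client checkout path, the live
# directory name, and that nginx is managed with `service` (Amazon Linux).
set -u

LE_BIN=${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}    # assumed checkout location
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live/yourdomain} # assumed domain directory
ALERT_DAYS=${ALERT_DAYS:-14}   # the client renews at <30 days left; below this, renewal is failing

# cert_expires_within CERT DAYS: succeed (exit 0) if the certificate in CERT
# expires within DAYS days, is already expired, or cannot be read at all.
# `openssl x509 -checkend N` exits 0 while the cert is still valid N seconds
# from now, so a "still fine" answer from openssl becomes a failure here.
cert_expires_within() {
  cert=$1
  days=$2
  if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# renew_and_verify: run the renewal, reload nginx only after its config passes
# `nginx -t`, then refuse to succeed quietly if the live cert is still short-lived.
renew_and_verify() {
  # `renew` reads /etc/letsencrypt/renewal/*.conf written at issuance time and
  # only contacts Let's Encrypt for certificates with less than 30 days left.
  # --post-hook runs once at the end of the run when a renewal was attempted.
  "$LE_BIN" renew --quiet --no-self-upgrade \
      --post-hook 'nginx -t && service nginx reload'
  status=$?
  if cert_expires_within "$LIVE_DIR/cert.pem" "$ALERT_DAYS"; then
    echo "ALERT: $LIVE_DIR/cert.pem expires within $ALERT_DAYS days; renewal is failing (renew exit $status)" >&2
    return 1
  fi
  return $status
}

# served_cert HOST: print issuer and validity of the certificate nginx actually
# serves for HOST (with SNI), to confirm a reload picked up the new files.
served_cert() {
  host=$1
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -dates
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
case "${1:-}" in
  run)   renew_and_verify ;;
  check) served_cert "${2:?host name required}" ;;
esac
```

Run it as le-renew.sh run from cron and le-renew.sh check yourdomain by hand after the first reload; the check output should show the Let's Encrypt issuer and a notAfter about 90 days out.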