Install a Let's Encrypt SSL certificate in nginx hosted on Amazon Linux

If you need an SSL certificate for only a single EC2 instance, using the free certificate from AWS Certificate Manager requires putting an ELB in front of it, which costs roughly $20 a month. An alternative is to install a free Let's Encrypt certificate on the nginx running on the EC2 instance itself.

Here are the steps for that:

  1. Get letsencrypt

    git clone https://github.com/letsencrypt/letsencrypt && cd letsencrypt/

  2. Create a config file for the certificate request, so you can reuse it


    # File: /etc/letsencrypt/config.ini
    # the domain we want to get the cert for
    domains = yourdomain.com

    # key size
    rsa-key-size = 4096

    # this address will receive renewal reminders, IIRC
    email = email@yourdomain.com

    # turn off the ncurses UI, we want this to be run as a cronjob
    text = True

    # authenticate by placing a file in the webroot (under .well-known/acme-challenge/) and then letting
    # LE fetch it
    authenticator = webroot
    webroot-path = /var/www/html

  3. Now request the certificate from Let's Encrypt. It validates your domain by placing a file under the webroot-path given in the config file and fetching it over HTTP.

    sudo ./letsencrypt-auto --config /etc/letsencrypt/config.ini certonly -d yourdomain.com

Four files will be created in /etc/letsencrypt/live/yourdomain.com/:

  • cert.pem: Your domain’s certificate
  • chain.pem: The Let’s Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate’s private key

You will need the last two files for your nginx configuration.

  4. Now change your nginx config file

    # File: /etc/nginx/nginx.conf

    # Settings for a TLS enabled server.
    server {
        listen *:443 ssl;
        server_name yourdomain.com;
        root /var/www/html;

        # "ssl on;" is not needed (and is deprecated): the ssl parameter on listen enables TLS.
        ssl_certificate     "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";

        # It is *strongly* recommended to generate unique DH parameters.
        # Generate them with: openssl dhparam -out /etc/letsencrypt/dhparams.pem 2048
        ssl_dhparam "/etc/letsencrypt/dhparams.pem";

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless old clients require them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        # config.ini uses webroot-path = /var/www/html, but this location serves
        # /.well-known/acme-challenge/ from /var/www/html/yourdomain. Point both at
        # the same directory, or the validation at renewal time will not find the file.
        location / {
            root /var/www/html/yourdomain;
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

And don't forget to redirect HTTP requests to HTTPS:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # $server_name is empty in a block without a server_name directive and would
        # produce "https:///..."; $host carries the name the client actually asked for.
        rewrite ^ https://$host$request_uri? permanent;
    }

  5. Reload nginx

    sudo service nginx reload

Now https://yourdomain.com should work.
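Once nginx is reloaded, this added Python script (not from the original post; standard library only) checks the result from the outside: that the port-80 block answers with a permanent redirect whose Location really names https://yourdomain.com (an unset $server_name yields "https:///..." instead), that the served certificate covers the host and its chain verifies against the system CA store, and how many days of the 90-day Let's Encrypt certificate remain. It assumes yourdomain.com resolves to the instance with ports 80 and 443 reachable; the checking helpers take plain values, so they can be exercised without a network.

```python
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

def redirect_ok(status, location, host, path):
    """True if the plain-HTTP response is a permanent redirect to https://host/path.
    A Location of https:///path (empty host, what an unset $server_name yields) fails."""
    if status not in (301, 308):
        return False
    url = urlsplit(location or "")
    return url.scheme == "https" and url.netloc == host and url.path == path

def covers_host(cert, host):
    """True if host appears in the subjectAltName of a getpeercert() dict."""
    return host in [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def days_remaining(cert, now_ts=None):
    """Whole days until notAfter; Let's Encrypt certificates are issued for 90 days."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])  # notAfter is parsed as UTC
    now_ts = time.time() if now_ts is None else now_ts
    return int((expires - now_ts) // 86400)

def fetch_redirect(host, path):
    """GET http://host/path without following redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def fetch_cert(host):
    """Full TLS handshake verified against the system CA store (a missing chain fails here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()

def main(host):
    status, location = fetch_redirect(host, "/index.html")
    print("HTTP -> HTTPS redirect:", redirect_ok(status, location, host, "/index.html"))
    cert, version = fetch_cert(host)  # raises ssl.SSLCertVerificationError if the chain is bad
    print("TLS version:", version)
    print("certificate covers host:", covers_host(cert, host))
    print("days until expiry:", days_remaining(cert))

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com")  # domain as used in the post
```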
