What is Let’s Encrypt?
Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It launched on April 12, 2016. Let’s Encrypt certificates are valid for 90 days, and renewal can take place at any time during that period.
How to Install Let’s Encrypt on Amazon Linux 2?
First, create an EC2 instance using Amazon Linux 2 as the base AMI. Amazon Linux 2 is the next-generation Amazon Linux operating system. It provides a high-performance, stable, and secure execution environment for cloud and enterprise applications. Amazon Linux 2 offers extended availability of software updates for the core operating system through 5 years of long-term support, and provides access to the latest software packages through the Amazon Linux Extras repository.
During instance creation, put the script below in the user data section. It then runs automatically when the new instance boots, so you don’t need to run it manually.
#!/bin/bash
# User data runs as root at first boot, so sudo is redundant here but harmless.
sudo yum update -y
sudo groupadd www
# Nginx and PHP 8.0 come from the Amazon Linux Extras repository
sudo amazon-linux-extras install nginx1
sudo amazon-linux-extras enable php8.0
sudo yum clean metadata
sudo yum install php php-cli php-mysqlnd php-pdo php-common php-fpm -y
sudo yum install php-gd php-mbstring php-xml php-dom php-intl php-simplexml -y
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl start php-fpm
sudo systemctl enable php-fpm
# Certbot is packaged in EPEL; the EL7 release is the one compatible with Amazon Linux 2
sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum-config-manager --enable epel
sudo yum install certbot python2-certbot-nginx -y
This preconfigured script installs Nginx, PHP 8, and Certbot on your Amazon Linux 2 instance.
Next, create a virtual host server block in Nginx. An example is given below; a detailed article on Nginx server blocks is available here.
# Expires map: cache lifetime per content type, used by the "expires" directive below
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    ~image/                 max;
}
# Redirect the www host to the bare domain
server {
    listen 80;
    server_name www.knifetours.com;
    rewrite ^ $scheme://knifetours.com$request_uri?;
}
server {
    listen 80;
    server_name knifetours.com;   # full domain name, so Certbot can match this server block
    root /var/www/knifetours;
    index index.php;
    charset UTF-8;
    expires $expires;
    # Enable Gzip
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_proxied any;   # declare once only: a second gzip_proxied in the same block is a duplicate-directive error
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/rss+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;
    gzip_static on;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Pass PHP requests to PHP-FPM over its Unix socket
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        fastcgi_pass unix:/var/run/php-fpm/www.sock;
        fastcgi_cache_valid any 30m;
    }
}
Open a configuration file for the Nginx server block and paste the content given above, replacing the example domain with your own domain name.
sudo vi /etc/nginx/conf.d/website.conf
Restart Nginx for the change to take effect:
sudo systemctl restart nginx
Now use Certbot to issue a TLS certificate and configure the Nginx server block to use it:
sudo certbot --nginx
To renew the certificate automatically, set up a cron job via crontab. The commands are given below.
sudo crontab -e
After running this command, you will see a blank editor screen. There you enter the command to be executed, together with the time and frequency at which it should run.
0 3 * * * sudo certbot renew >/dev/null 2>&1
The line above runs the renewal command every day at 3 AM.
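Because the cron line above discards all output, a failing renewal stays silent until the 90-day certificate expires. The following script is an added example, not part of the original tutorial: it reads the certificate Certbot stored under /etc/letsencrypt/live/<domain>/ and warns when 30 days or fewer remain (Certbot renews once fewer than 30 days are left, so anything below that means renewal is not working). It assumes GNU date, as on Amazon Linux 2, and a Certbot live directory named after the domain.

```shell
#!/bin/bash
# Added example (not from the original tutorial): report how many days remain on the
# certificate Certbot issued, so a silent renewal failure is noticed in time.
# Assumes GNU date and the Certbot live path /etc/letsencrypt/live/<domain>/cert.pem.

# Days from NOW_EPOCH until the "notAfter=..." line printed by `openssl x509 -enddate`.
days_until_expiry() {
    local enddate="${1#notAfter=}"                 # strip the "notAfter=" prefix
    local now_epoch="${2:-$(date +%s)}"            # second arg allows an offline check
    local end_epoch
    end_epoch="$(date -d "$enddate" +%s)" || return 2
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeeds when more than THRESHOLD days remain, fails otherwise. Certbot renews when
# fewer than 30 days are left, so 30 or fewer means the cron renewal is not working.
check_cert_days() {
    local days="$1" threshold="${2:-30}"
    [ "$days" -gt "$threshold" ]
}

# Check the certificate Certbot installed for DOMAIN and print a verdict.
check_live_cert() {
    local domain="$1" enddate days
    enddate="$(openssl x509 -in "/etc/letsencrypt/live/$domain/cert.pem" -noout -enddate)" || return 2
    days="$(days_until_expiry "$enddate")"
    if check_cert_days "$days"; then
        echo "OK: $domain certificate valid for $days more days"
    else
        echo "WARNING: $domain certificate expires in $days days;" \
             "run 'sudo certbot renew --dry-run' and read /var/log/letsencrypt/letsencrypt.log"
        return 1
    fi
}

# Constructed sample of the openssl output, so the functions can be exercised without a real cert.
SAMPLE_ENDDATE="notAfter=Jul 10 12:00:00 2030 GMT"

# Real usage: ./check-cert.sh knifetours.com
if [ $# -gt 0 ]; then
    check_live_cert "$1"
fi
```

Run it from the same crontab a few hours after the renewal job so a warning lands in root's mail or your log pipeline instead of being discarded.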
I created a full video as well so that you can see how I run those commands.
Conclusion
We hope this article and tutorial have been helpful! Leave a comment below with any questions you might have. If you want to learn more about how we can help your business, please visit our website or reach out on social media! Thank you for reading and happy coding 🙂
Hey my man, thanks for the great vids. Check out using Route 53 doing cert only and pasting them in. Works great, especially since you can reuse them or make them even for another box.
Hello, I followed this to the letter and I’m getting an improper redirect error. I googled the hell out of this but can’t figure it out; maybe there is something wrong with the config?
Thank you for the great work.
Hi Atiq,
Good video. However, I have a slightly different situation. I have 2 EC2 instances running.
One has Docker with Hasura running, and I have installed SSL on that with the domain pointed to AWS DNS records. My domain is from GoDaddy.
Another EC2 instance is running Nginx with a .NET Core API. Now I am stuck, as I have to make this EC2 instance SSL enabled also. I need to understand: do I need to create a new cert from Let’s Encrypt for the same domain on this EC2 instance via the terminal? Or what will happen to my existing EC2 instance that already has SSL enabled? I am not an expert and thought I would ask you for some guidance after reading and watching your tutorial video.
Please reach out to me for this simple help.