Set Up SSL with PHP 8 and Nginx in AWS

What is Let’s Encrypt?

Let’s Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. It launched on April 12, 2016. Let’s Encrypt certificates are valid for 90 days, and renewal can take place at any time during that period.

How to Install Let’s Encrypt on Amazon Linux 2?

First, create an instance using Amazon Linux 2 as the base AMI. Amazon Linux 2 is the next-generation Amazon Linux operating system. It provides a high-performance, stable, and secure execution environment for cloud and enterprise applications. Amazon Linux 2 offers extended availability of software updates for the core operating system through 5 years of long-term support, and provides access to the latest software packages through the Amazon Linux Extras repository.

During instance creation, paste the following script into the user data section. It runs automatically when the new instance boots for the first time, so you do not need to run it manually.

#!/bin/bash
# Runs once at first boot via EC2 user data (already root, so sudo is redundant but harmless)
sudo yum update -y
sudo groupadd www
# Nginx and PHP 8.0 come from the Amazon Linux Extras repository; -y keeps the install non-interactive
sudo amazon-linux-extras install nginx1 -y
sudo amazon-linux-extras enable php8.0
sudo yum clean metadata
sudo yum install php php-cli php-mysqlnd php-pdo php-common php-fpm -y
sudo yum install php-gd php-mbstring php-xml php-dom php-intl php-simplexml -y
sudo systemctl start nginx
sudo systemctl enable nginx
sudo systemctl start php-fpm
sudo systemctl enable php-fpm
# Certbot and its Nginx plugin are in EPEL; yum-config-manager is provided by yum-utils
sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install -y yum-utils
sudo yum-config-manager --enable epel
sudo yum install certbot python2-certbot-nginx -y

This script installs Nginx, PHP 8, and Certbot on your Amazon Linux 2 instance without any manual steps.

Next, create a virtual host server block in Nginx. An example is given below; a detailed article on Nginx server blocks is available here.

# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

# Redirect the www host to the bare domain
server {
    listen 80;
    server_name www.knifetours.com;
    rewrite ^ $scheme://knifetours.com$request_uri?;
}

server {
    listen 80;
    # Must match the redirect target above. A bare "knifetours" here would not
    # match the Host knifetours.com, which would then fall through to the default
    # (first) server block and be redirected again in a loop.
    server_name knifetours.com;

    root /var/www/knifetours;
    index index.php;
    charset UTF-8;

    expires $expires;

    # Enable Gzip
    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/rss+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

    gzip_static on;

    # gzip_proxied may appear only once per context; a second copy is a config error
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Return 404 for scripts that do not exist instead of handing the path to PHP-FPM
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;

        fastcgi_pass unix:/var/run/php-fpm/www.sock;

        # Has no effect unless fastcgi_cache_path and fastcgi_cache are also configured
        fastcgi_cache_valid any 30m;
    }
}

Open a configuration file for the Nginx server block and paste the content given above, replacing the domain name with your own.

sudo vi /etc/nginx/conf.d/website.conf
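Before restarting Nginx, it is worth checking that every whole-site redirect points at a host that some server block on the same port actually serves; a server_name that does not match the redirect target (for example a bare `knifetours` instead of `knifetours.com`) produces a redirect loop that `nginx -t` will not catch. The script below is an added example, not code from the original article: it parses the top-level server blocks of a config and flags such mismatches. The embedded config is constructed for the demonstration.

```python
import re

# Constructed sample: the www block redirects to knifetours.com, but the second
# block's server_name is the bare word "knifetours", so Host knifetours.com
# matches nothing and falls through to the default server for port 80.
SAMPLE_CONF = """
server {
    listen 80;
    server_name www.knifetours.com;
    rewrite ^ $scheme://knifetours.com$request_uri?;
}
server {
    listen 80;
    server_name knifetours;
    root /var/www/knifetours;
}
"""

# Top-level server { ... } blocks (closing brace at column 0, as in the article)
SERVER_RE = re.compile(r"server\s*\{(.*?)\n\}", re.S)
# Host named in a whole-site redirect, whether via rewrite or return 30x
REDIRECT_RE = re.compile(r"(?:rewrite\s+\S+\s+|return\s+30[1278]\s+)\$?\w*://([\w.-]+)")

def parse_servers(conf):
    """Return (listen, server_names, redirect_host) per top-level server block."""
    servers = []
    for body in SERVER_RE.findall(conf):
        listen = re.search(r"listen\s+([^;]+);", body)
        names = re.search(r"server_name\s+([^;]+);", body)
        redirect = REDIRECT_RE.search(body)
        servers.append((listen.group(1).strip() if listen else "80",
                        names.group(1).split() if names else [],
                        redirect.group(1) if redirect else None))
    return servers

def redirect_loops(conf):
    """Return (source_name, target_host) pairs that would loop: an unmatched Host
    goes to the port's default server (the first block for that port unless
    default_server is set), and if that block redirects, the client bounces."""
    servers = parse_servers(conf)
    problems = []
    for listen, names, target in servers:
        if target is None:
            continue
        served = any(target in n and l == listen for l, n, _ in servers)
        default = next(s for s in servers if s[0] == listen)
        if not served and default[2] is not None:
            problems.append((names[0] if names else "?", target))
    return problems
```

Run it over /etc/nginx/conf.d/website.conf alongside `sudo nginx -t`: the latter catches syntax errors and duplicate directives, this check catches the logical mismatch.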

Restart Nginx for the change to take effect:

sudo systemctl restart nginx 

Now use Certbot to issue an SSL certificate. The nginx plugin answers the validation challenge through your server block and adds the HTTPS listener to it:

sudo certbot --nginx

To renew the certificate automatically, set up a cron job via crontab. The commands are given below.

sudo crontab -e

After running this command, you will see a blank editor screen. There you enter the command to be executed along with the time and frequency at which it should run.

0 3 * * * sudo certbot renew >/dev/null 2>&1

The line above runs the renewal command every day at 3 AM. certbot renew only replaces certificates that are within 30 days of expiry, so running it daily is cheap and ensures a renewal is attempted well before the 90-day lifetime ends.

I created a full video as well so that you can see how I run those commands.

Conclusion

We hope this article and tutorial have been helpful! Leave a comment below with any questions you might have. If you want to learn more about how we can help your business, please visit our website or reach out on social media! Thank you for reading and happy coding 🙂

Atiqur Rahman

I am MD. Atiqur Rahman. I graduated from BUET and am an AWS-certified solutions architect. I have successfully achieved 6 certifications from AWS, including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate. I have more than 8 years of working experience as a DevOps engineer designing complex SAAS applications.

This Post Has 3 Comments

  1. Jeremy Schoemaker

    Hey my man, thanks for the great vids. Check out using Route 53, doing cert only and pasting them in. Works great, especially since you can reuse them or make them even for another box.

  2. Luis Alonso

    Hello, I followed this to the letter and I’m getting an improper redirect error. I’ve googled the hell out of this but can’t figure it out; maybe there is something wrong with the config?

    Thank you for the great work.

  3. Waqas

    Hi Atiq,
    Good video. However, I have a slightly different situation. I have 2 EC2 instances running.
    One has Docker with Hasura running, and I have installed SSL on that with the domain pointed to AWS DNS records. My domain is from GoDaddy.

    Another EC2 instance is running Nginx with a .NET Core API. Now I am stuck, as I have to make this EC2 SSL enabled also. I need to understand: do I need to create a new cert from Let’s Encrypt for the same domain on this EC2 instance via the terminal? Or what will happen with my existing EC2 instance that already has SSL enabled? I’m not an expert and thought to ask you for some guidance after reading and watching your tutorial video.
    Please reach out to me for this simple help.
