This tutorial walks you through configuring HTTPS for a website served by nginx on Amazon Linux, using a free certificate from the Let's Encrypt certificate authority (CA). Before you begin, the domain name must already resolve to your EC2 instance: in Route 53 or at your DNS provider, create an A record pointing at the instance's public IP (or a CNAME pointing at its public DNS name), and make sure the instance's security group allows inbound TCP on ports 80 and 443. Let's Encrypt proves that you control the domain by connecting to it on port 80, so the DNS record and the open port are prerequisites, not optional.
We will be using certbot-auto on the Amazon Linux AMI, logged in as the default user ec2-user. Note that the Certbot project has since deprecated certbot-auto; on a current system, install certbot by the method documented at https://certbot.eff.org instead. The nginx configuration and the renewal advice below apply either way.
Here are the steps:
- Go to the home directory of ec2-user:
cd /home/ec2-user
- Download certbot-auto. The script ends up running with root privileges, so verify it against the detached GPG signature that EFF publishes alongside it (certbot-auto.asc) before executing it:
wget https://dl.eff.org/certbot-auto
- Make certbot-auto executable:
chmod a+x ./certbot-auto
- Generate the certificate. certonly obtains the certificate without touching the nginx configuration (we edit that by hand below); --standalone makes certbot open its own temporary web server on port 80 to answer the http-01 challenge, so nginx and anything else bound to port 80 must be stopped first; --debug is required because certbot-auto treats Amazon Linux as an experimentally supported platform and refuses to proceed without it:
./certbot-auto certonly --standalone --debug -d yourdomain.com
Answer the prompts (your e-mail address, which Let's Encrypt uses for expiry warnings, and acceptance of the terms of service). If the challenge succeeds, you'll get a message like:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yourdomain.com/fullchain.pem. Your cert will
expire on yyyy-mm-dd. To obtain a new version of the certificate in
the future, simply run Certbot again.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
You can verify that the certificate and key files exist. They are owned by root and not world-readable, so list them with sudo. The entries under live/ are symlinks into /etc/letsencrypt/archive/ that certbot repoints on every renewal, which is why nginx only needs a reload or restart after a renewal, not a configuration change:
# Certificate (leaf only)
/etc/letsencrypt/live/yourdomain.com/cert.pem
# Full chain (leaf plus the Let's Encrypt intermediate; this is what nginx should serve)
/etc/letsencrypt/live/yourdomain.com/fullchain.pem
# Private key (keep it readable by root only)
/etc/letsencrypt/live/yourdomain.com/privkey.pem
- Modify the nginx configuration
Now that you have the certificate, configure nginx to accept HTTPS requests and to send plain-HTTP visitors to HTTPS. Open /etc/nginx/nginx.conf and modify it as follows:
...
http {
    ...
    server {
        listen 80;
        server_name yourdomain.com;
        location / {
            # Automatically route HTTP to HTTPS
            return 301 https://$server_name$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name yourdomain.com;
        # Serve the full chain (leaf plus intermediate), not cert.pem alone,
        # or clients that do not already have the intermediate fail validation
        ssl_certificate "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
        # HSTS: browsers that have seen this header refuse plain HTTP to this
        # host for one year, so only add it once HTTPS is confirmed working
        add_header Strict-Transport-Security "max-age=31536000";
        # other headers
        location / {
            autoindex on;   # lists directory contents when no index file is found; set to off unless you want that exposed
            root /yourdomain.com/build/;   # root path of your domain's index file
            index index.html;
            try_files $uri $uri/ /index.html;
        }
    }
}
Now start or restart the nginx server. If nginx.conf contains a syntax error the restart fails and prints the offending line, so read its output:
- sudo service nginx restart
Note that a Let's Encrypt certificate expires after 90 days, so set up a cron job to renew it automatically. A naive schedule, such as running certbot-auto renew at 8 AM on the 28th of every third month and restarting nginx ten minutes later, has two problems. certbot-auto renew only replaces a certificate that has fewer than 30 days of validity left, so a quarterly run that lands earlier than that does nothing and the next run may come after the certificate has already expired. And the --standalone authenticator needs port 80, which nginx is holding, so the renewal fails whenever nginx is running. Run the job daily instead and let certbot stop and start nginx around the renewal; the hooks only execute when a renewal is actually attempted, so nginx is not bounced every day. Add this entry to root's crontab, since both certbot-auto and the service commands need root:
0 8 * * * /home/ec2-user/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
# Runs at 8 AM every day; certbot skips certificates that are not yet due for renewal
If a renewal still fails, stop nginx, run the certonly command from the steps above by hand, and start nginx again once the new certificate is in place.
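As an added example (not code from the original post or from the Certbot project), the script below checks the three files certbot-auto wrote, as described in the verification step above, and applies the same 30-day threshold that certbot-auto renew uses, so you can see from a shell whether a renewal job would actually do anything. It assumes the openssl command-line tool is installed and the live directory path used throughout this tutorial; the self-signed key/certificate pair it can generate with --demo is constructed stand-in data, not a Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files that
# certbot-auto writes under /etc/letsencrypt/live/<domain>/, plus the test that
# "certbot-auto renew" applies before doing anything (renew only when fewer
# than 30 days of validity remain). Assumes the openssl CLI is installed.
# make_demo_cert() builds a self-signed key/cert pair as constructed stand-in
# data so the checks can be exercised offline, without a real domain.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/yourdomain.com}"
RENEW_WINDOW_DAYS=30   # certbot's default renewal threshold

# Constructed test data: a 90-day self-signed certificate (the lifetime Let's
# Encrypt issues) laid out like a certbot live directory. Prints the path.
make_demo_cert() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=yourdomain.com" \
        -keyout "$d/privkey.pem" -out "$d/cert.pem" >/dev/null 2>&1
    cp "$d/cert.pem" "$d/fullchain.pem"   # self-signed: no intermediate to append
    echo "$d"
}

# 1. The three files nginx and certbot depend on exist and are readable.
files_present() {
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || return 1
    done
    return 0
}

# 2. The leaf in fullchain.pem belongs to the private key nginx loads: the
#    public key embedded in the certificate must equal the one derived from
#    privkey.pem. A mismatch makes nginx refuse to start with this vhost.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# 3. The certificate names the host clients will connect to, either as the
#    subject CN or as a DNS entry in subjectAltName (Let's Encrypt sets both).
covers_domain() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1/cert.pem" -noout -text 2>/dev/null \
        | grep -Eq '(CN ?= ?|DNS:)'"$esc"'(,|$)'
}

# 4. Validity: succeeds if the leaf will still be valid N days from now.
#    openssl's -checkend takes seconds and exits 0 when the cert has NOT
#    expired by then, 1 otherwise.
valid_for_days() {
    openssl x509 -in "$1/cert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# The decision "certbot-auto renew" makes: act only inside the renewal window.
needs_renewal() {
    ! valid_for_days "$1" "$RENEW_WINDOW_DAYS"
}

# Run every check on one live directory, print a line per result, and return
# non-zero if any hard check failed (an upcoming renewal is a warning only).
report() {
    dir=$1; domain=$2; rc=0
    for check in files_present cert_matches_key; do
        if "$check" "$dir"; then echo "ok   $check"; else echo "FAIL $check"; rc=1; fi
    done
    if covers_domain "$dir" "$domain"; then echo "ok   certificate covers $domain"
    else echo "FAIL certificate does not cover $domain"; rc=1; fi
    if needs_renewal "$dir"; then echo "WARN under $RENEW_WINDOW_DAYS days left: run certbot-auto renew"
    else echo "ok   more than $RENEW_WINDOW_DAYS days of validity remain"; fi
    return $rc
}

# Usage: sudo sh check-cert.sh --check [live-dir] [domain]   (real files; privkey.pem is root-only)
#        sh check-cert.sh --demo                              (constructed self-signed pair)
case "${1:-}" in
    --check) report "${2:-$LIVE_DIR}" "${3:-yourdomain.com}" ;;
    --demo)  demo=$(make_demo_cert); report "$demo" yourdomain.com; rm -rf "$demo" ;;
esac
```

Run it with --check against the real directory (as root, since privkey.pem is readable only by root) right after issuance and again after each renewal, before restarting nginx; a certificate that no longer matches its key is the failure mode that turns a silent renewal problem into an outage.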
Possible errors that can occur when generating a certificate, and how to fix them
- If you get an error like this:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
from certbot.main import main
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/certbot/main.py", line 10, in <module>
import josepy as jose
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/__init__.py", line 44, in <module>
from josepy.interfaces import JSONDeSerializable
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/interfaces.py", line 8, in <module>
from josepy import errors, util
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/josepy/util.py", line 4, in <module>
import OpenSSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import rand, crypto, SSL
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/rand.py", line 12, in <module>
from OpenSSL._util import (
File "/opt/eff.org/certbot/venv/local/lib/python2.7/dist-packages/OpenSSL/_util.py", line 6, in <module>
from cryptography.hazmat.bindings.openssl.binding import Binding
ImportError: No module named cryptography.hazmat.bindings.openssl.binding
then the private virtualenv that certbot-auto built under /opt/eff.org is broken: the cryptography package inside it is missing its OpenSSL bindings. Remove the virtualenv so that certbot-auto rebuilds it on its next run, and upgrade certbot with pip. Both commands need root:
$ rm -rf /opt/eff.org
$ pip install -U certbot
Then run the command to generate the certificate again:
- ./certbot-auto certonly --standalone --debug -d yourdomain.com
- Upgrade pip and virtualenv if certbot-auto prints a warning that they are out of date; the console shows the commands to run:
pip install --upgrade pip
pip install --upgrade virtualenv
- If you get an error like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for yourdomain.com
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1249, in certonly
...
then the usual cause is that the standalone authenticator could not bind port 80 because nginx is already listening on it; the full reason is recorded in /var/log/letsencrypt/letsencrypt.log. Stop nginx (service nginx stop), run the command again, and start nginx once the certificate has been issued:
- ./certbot-auto certonly --standalone --debug -d yourdomain.com