Free HTTPS certificates with Let’s Encrypt on your Amazon EC2 NGINX box

Let’s Encrypt is a new Certificate Authority which provides free SSL certificates (up to a certain limit per week). It came out of beta around a month back and is supported by a wide array of browsers.

Certbot is the official Let’s Encrypt client, developed by the Electronic Frontier Foundation. It makes automatically fetching and deploying SSL/TLS certificates for your web server a relatively straight forward process.

Lets get started.

Step #1

Make sure that you have opened up ports 80 (HTTP) and 443 (HTTPS) in your instance Security Group to public. Certbot will use this to establish connections while generating your certificates.

Note that I spent far too much time to figure out why I couldn’t generate a certificate, while the only issue was that I hadn’t opened up port 443 in my EC2 instance Security Group.

Step #2

Install Certbot on your instance. Based on your operating system and server, you can find out how to install it on Certbot’s homepage. For NGINX on Ubuntu 14.04, use this.

chmod a+x certbot-auto

Step #3

Stop any existing servers running on the port 80 and 443, since those are used by Certbot to verify your domain and generate certificates.

You can restart those servers once you have finished generating the certificates.

Step #4

Run the following command to generate certificates for your domain:

./certbot-auto certonly --standalone -d

You can generate certificates for multiple domains using this approach.

Step #5

Change your NGINX configuration in /etc/nginx/nginx.conf to enable SSL:

http {
  # Logging Settings
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  server {
    listen 80;
    location / {
      # Redirect any http requests to https
      return 301 https://$server_name$request_uri;
  server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    add_header Strict-Transport-Security “max-age=31536000”;
    location / {

The Strict-Transport-Security (HSTS) header ensures that any internal links that are not HTTPS will automatically be routed to the HTTPS version during a HTTPS session.

Step #6

Lastly, reload your NGINX configuration:

sudo service nginx reload

Congratulations! Your site is now successfully running on HTTPS.

NOTE: Let’s Encrypt certificates are only valid for 3 months after issue. So every 3 months, renewal is required. Here’s how you can automate this using a cron job.

Source :

Leave a Reply