Step-by-Step Guide: Install Let’s Encrypt SSL on Nginx (Amazon Linux 2023)

5 min read · Sep 15, 2025

🌐 What is SSL?
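SSL (Secure Sockets Layer) is a security protocol that encrypts communication between a web browser and a server. Modern servers actually use its successor, TLS (Transport Layer Security), but the name SSL is still commonly used for both.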

  • All data transmitted between the browser and the server is encrypted.
  • Users’ personal data, passwords, and credit card details are protected.
  • The 🔒 lock symbol in the browser address bar indicates a secure connection.
  • Google and other search engines provide SEO advantages to HTTPS websites.

🔑 What is Let’s Encrypt?
Let’s Encrypt is a free and open Certificate Authority (CA).

  • It provides free SSL/TLS certificates for websites.
  • Instead of manual installation, certificates can be installed with a single command using the Certbot tool.
  • Certificates are valid for 90 days and can be renewed automatically.

👉 In short, Let’s Encrypt makes it possible to secure your website at zero cost.

🎯 What Will We Do in This Lab?

  • Install Nginx Web Server on Amazon Linux 2023.
  • Add a free SSL certificate using Let’s Encrypt (Certbot).
  • Configure automatic renewal via Cron or systemd timer.
  • Test HTTPS in the browser.

1️⃣ Launching an EC2 Instance

  • Go to Services → EC2 → Instances → Launch instances.

Name and tags:

  • Name: Nginx_Web

Application and OS Images (AMI):

  • Quick Start → Amazon Linux 2023 (kernel-6.1)
  • Instance type: t2.micro
  • Key Pair (login):
  • Create new key pair → Key pair name: ec2_ssh_key
  • Type: RSA, File format: .pem → Create and select

Save the key file on your computer.

Network settings → Edit:

  • VPC: Default
  • Subnet: Default
  • Auto-assign public IP: Enable

Firewall (SG): Create a new security group

  • Security group name: Nginx-Web_SG
  • Description: Security group for Nginx

Rules:

  • SSH → Source: Anywhere (0.0.0.0/0)
  • HTTP → Source: Anywhere (0.0.0.0/0)
  • HTTPS → Source: Anywhere (0.0.0.0/0)

Click Launch instance and wait until the instance is in running state.

2️⃣ Assigning an Elastic IP

Since this server will act as a web server, we need a static IP:

  • Go to Network & Security → Elastic IPs → Allocate Elastic IP.

Click Allocate to assign a static public IP.

  • Go to Elastic IP addresses → Actions → Associate Elastic IP address.
  • Resource type: instance
  • Instance: Nginx_Web

Click Associate to attach the static IP.

✅ The Elastic IP is now associated with your server. Even after reboot, the server will always start with the same IP.

3️⃣ Connecting to the Server

Set permissions for the key file:

chmod 400 ec2_ssh_key.pem

Connect via SSH:

ssh -i ec2_ssh_key.pem ec2-user@34.202.44.116

4️⃣ Installing Nginx

sudo dnf install -y nginx
sudo systemctl enable --now nginx
systemctl status nginx

Nginx is ready. Now we’ll install the packages needed for SSL.

5️⃣ Installing Certbot (SSL)

sudo dnf install -y certbot python3-certbot-nginx

DNS Settings

We must configure DNS records so that our domain points to the server IP.

Since DNS is managed via Cloudflare, add the following records:

For devopsatolyesi.com:

  • Type: A
  • Name: devopsatolyesi.com
  • IPv4 address: 34.202.44.116
  • Proxy status: off
  • TTL: 2 min

For www.devopsatolyesi.com:

✅ Verify DNS:

nslookup www.devopsatolyesi.com
nslookup devopsatolyesi.com

Test in the browser — the site loads but SSL is not yet active.

6️⃣ Nginx Server Block (Host) Configuration

Certbot's Nginx plugin finds the server block to modify by matching server_name against the requested domains, so server_name must be set correctly.

sudo nano /etc/nginx/conf.d/devopsatolyesi.conf

Add:

server {
    listen 80;
    server_name devopsatolyesi.com www.devopsatolyesi.com;

    root /usr/share/nginx/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Test and restart Nginx:

sudo nginx -t
sudo systemctl restart nginx

7️⃣ Obtaining the SSL Certificate

Run Certbot to request a certificate:

sudo certbot --nginx -d devopsatolyesi.com -d www.devopsatolyesi.com
  • Enter your email and accept the agreement (yes).
  • Decline promotional emails (no).

✅ Certificate issued. You can now verify via browser.

8️⃣ Certificate Renewal (Auto-Renew)

Let’s Encrypt certificates are valid for 90 days, so renewal needs to be scheduled. Here we use a cron job.

By default, the cronie (cron service) package is not installed on Amazon Linux 2023, so the crontab command is not available either.

Install Cron

sudo dnf install -y cronie

Enable and Start Service

sudo systemctl enable --now crond
systemctl status crond

It should show Active (running).

Add Cron Job

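sudo crontab -e

Add (this is root's own crontab, so the line has no user field; certbot renew needs root to write under /etc/letsencrypt):

0 2 * * * /usr/bin/certbot renew --quiet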

Save and exit.
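
A cron job that runs with --quiet fails silently, so it is worth checking the certificate itself. The script below is an added example, not part of the original article: it reads a certificate's expiry date with openssl and flags one that has dropped under certbot's default 30-day renewal window. The function names are hypothetical, and the sample certificates are constructed self-signed stand-ins so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): measure how long a
# certificate has left, to confirm the scheduled renewal is working.

# Print whole days until the certificate in PEM file $1 expires.
cert_days_left() {
    local end end_s now_s
    end=$(openssl x509 -in "$1" -noout -enddate) || return 2
    # openssl prints e.g. "notAfter=Dec 14 02:00:00 2025 GMT"; GNU date parses it
    end_s=$(LC_ALL=C date -u -d "${end#notAfter=}" +%s) || return 2
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# Succeed while more than $2 days (default 30) remain. Certbot renews once
# fewer than 30 days are left, so a failure here means the job is not running.
cert_renewal_ok() {
    local pem="$1" threshold_days="${2:-30}"
    openssl x509 -in "$pem" -noout \
        -checkend $(( threshold_days * 86400 )) >/dev/null
}

# Constructed sample input: throwaway self-signed certificate valid for $1
# days, written to $2 (stands in for the real Let's Encrypt certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.test" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    local dir f state
    dir=$(mktemp -d)
    make_sample_cert 90 "$dir/fresh.pem"   # just issued
    make_sample_cert 10 "$dir/stale.pem"   # renewal has been failing
    for f in fresh stale; do
        if cert_renewal_ok "$dir/$f.pem"; then state="ok"
        else state="RENEWAL OVERDUE"; fi
        echo "$f: $(cert_days_left "$dir/$f.pem") days left, $state"
    done
    rm -rf "$dir"
}
demo
```

On the server, run the two check functions as root against certbot's default certificate location, /etc/letsencrypt/live/devopsatolyesi.com/cert.pem. Running sudo certbot renew --dry-run additionally exercises the renewal path without replacing the certificate.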

🧹 Cleanup

  • Terminate EC2
  • Release Elastic IP
