Securing Your Web Server with Let's Encrypt and Certbot on Amazon Linux 2023
Gaurav Chopra
Co-Founder : Eightgen AI Services | Transforming businesses with AI | Build intelligent agents, RAG apps & offer LLM expertise and trainings | Former Amazon AWS, Walmart
In today’s digital age, securing your web server with an SSL/TLS certificate is not just recommended; it’s essential. An SSL certificate encrypts data between your server and its users, safeguarding sensitive information from prying eyes. This guide will walk you through obtaining a free SSL certificate from Let's Encrypt for an Nginx web server running on Amazon Linux 2023, and setting up automatic renewal with Certbot.
Prerequisites
Step 1: Installing Certbot
Certbot is a free, open-source software tool for automatically using Let's Encrypt certificates. Although Certbot’s package might not be directly available in Amazon Linux 2023 repositories, we can easily install it using pip, Python’s package installer.
First, ensure pip is installed:
sudo dnf install python3-pip
Note: if Python and a virtual environment are already set up for a cloud app hosted on AWS, pip is already available inside that environment and this step can be skipped.
Then, install Certbot and the Nginx plugin:
sudo pip3 install certbot certbot-nginx
If you get an error saying pip3 is not found, go to the bin folder of your Python virtual environment and run the command from there.
Step 2: Obtaining Your SSL Certificate
With Certbot installed, obtaining and installing an SSL certificate for your domain is straightforward:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Replace yourdomain.com with your actual domain name. Follow the prompts to complete the installation. Certbot will modify your Nginx configuration automatically to use the SSL certificate.
Immediately After Installing the SSL Certificate
Once the SSL certificate is installed, it's important to ensure that Nginx starts using it without delay. This requires reloading the Nginx configuration:
sudo systemctl reload nginx
Step 3: Verifying Auto-Renewal with a Dry Run
Let’s Encrypt certificates are valid for 90 days, but Certbot simplifies the renewal process. To test that automatic renewal is set up correctly, perform a dry run:
sudo certbot renew --dry-run
If you see no errors, you’re all set for automatic renewals.
Step 4: Setting Up Systemd Timer for Auto-Renewal
Although Certbot attempts to set up auto-renewal, I prefer to have more direct control using a systemd timer.
Creating the Service File
Create a file named certbot-renew.service in /etc/systemd/system/ with the following content:
[Unit]
Description=Certbot Renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
The path /usr/bin/certbot depends on where pip placed certbot in Step 1 (a system-wide pip install and a virtual environment put it in different bin folders); run command -v certbot to find the right path and use that in ExecStart. The deploy hook does not need sudo: systemd runs this service as root already.
This service runs the Certbot renew command, including a deploy-hook to reload Nginx only if a certificate is renewed, ensuring your web server uses the new certificates immediately.
Creating the Timer File
Next, create a timer file named certbot-renew.timer in the same directory:
[Unit]
Description=Timer for Certbot Renewal
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
This timer triggers the service daily, ensuring your certificates are always up to date.
Enabling the Timer
Enable and start the timer:
sudo systemctl daemon-reload
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer
Check the timer’s status:
systemctl list-timers
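The dry run in Step 3 and list-timers above tell you the renewal machinery is wired up, but neither tells you how much life the deployed certificate actually has left. As an added example (not part of the original article), the POSIX shell script below reads the notAfter date of a certificate file, reports the days remaining and whether the certificate is inside Certbot's default renewal window (Certbot renews when fewer than 30 days remain), and checks that the timer from Step 4 is active. It assumes the certbot-renew.timer name from the article and a GNU date (as shipped on Amazon Linux 2023); the certificate path is passed as an argument, for example the fullchain.pem Certbot writes under /etc/letsencrypt/live/yourdomain.com/.

```shell
#!/bin/sh
# Added check script (not from the article): how many days does the deployed
# certificate have left, and is the systemd renewal timer actually running?
# Usage: sudo sh certcheck.sh /etc/letsencrypt/live/yourdomain.com/fullchain.pem [timer]

RENEW_WINDOW_DAYS=30   # Certbot's default: it renews when fewer than 30 days remain

# days_left NOW_EPOCH EXPIRY_EPOCH -> whole days remaining (negative once expired)
days_left() {
    now="$1"; expiry="$2"
    echo $(( (expiry - now) / 86400 ))
}

# renewal_status DAYS -> OK, DUE (inside Certbot's renewal window) or EXPIRED
renewal_status() {
    days="$1"
    if [ "$days" -lt 0 ]; then
        echo EXPIRED
    elif [ "$days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo DUE
    else
        echo OK
    fi
}

# cert_expiry_epoch FILE -> the certificate's notAfter as a Unix timestamp
# (openssl prints "notAfter=Jun  5 12:00:00 2025 GMT"; GNU date parses that)
cert_expiry_epoch() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$not_after" +%s
}

# check_timer NAME -> returns 0 if the systemd timer is active, 1 otherwise
check_timer() {
    if systemctl is-active --quiet "$1"; then
        echo "timer $1: active"
        return 0
    fi
    echo "timer $1: NOT active (run: sudo systemctl enable --now $1)"
    return 1
}

main() {
    cert="$1"
    timer="${2:-certbot-renew.timer}"   # name used in Step 4 of the article
    [ -r "$cert" ] || { echo "cannot read $cert (try running as root)"; exit 2; }
    expiry=$(cert_expiry_epoch "$cert")
    days=$(days_left "$(date +%s)" "$expiry")
    echo "certificate $cert: $days day(s) left, status $(renewal_status "$days")"
    check_timer "$timer"
}

# Only run when given a certificate path, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A DUE result is not itself a problem on the day the timer is about to fire, but a DUE or EXPIRED result together with an inactive timer, or a DUE result that persists across several daily runs, means renewal is failing and the Certbot log under /var/log/letsencrypt should be read before the certificate lapses.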
Conclusion
You now have a secure Nginx server on Amazon Linux 2023, protected by an SSL certificate from Let's Encrypt, with a robust auto-renewal system in place. This setup not only boosts your site's security but also its credibility and search engine ranking.
Security is an ongoing journey, and staying informed and proactive is key to safeguarding your digital assets. Happy securing!
#websecurity #letsencrypt #sslcertificate