Secure Your AWS EC2 Site for Free: Step-by-Step SSL Setup with Certbot and Cron Jobs!

Vivekumar08
5 min read · Jun 22, 2024

Hey there, web adventurer! 🖐️ Are you looking to secure your website with a shiny SSL certificate without breaking the bank? You’ve come to the right place. This guide will show you how to get free SSL certificates for your AWS EC2 instance using Certbot, and even better, we’ll set up a cron job to keep that certificate renewed automatically. Let’s dive in!

What’s SSL and Why Should You Care?

SSL (Secure Sockets Layer, whose modern successor is TLS) is like a safety net for your website. It encrypts data between your site and its visitors, making sure everything is safe from prying eyes. You know that little padlock icon in the address bar? Yeah, that’s SSL in action. It’s crucial for trust and security, and it’s also great for SEO.

Here’s What You Need

Before we get rolling, here’s the quick checklist:

  • An AWS EC2 instance (running something like Ubuntu or CentOS).
  • A domain name pointing to your EC2 instance.
  • SSH access to your instance.
  • Root or sudo privileges to install software and configure your server.

Got all that? Awesome! Let’s get started.

Step 1: SSH into Your EC2 Instance

First things first, we need to get inside your EC2 instance. Open your terminal or command prompt and run:

ssh -i /path/to/your-key.pem ec2-user@your-ec2-instance-ip

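Replace /path/to/your-key.pem with the path to your SSH key and your-ec2-instance-ip with your EC2 instance’s IP address. The login user depends on the AMI: ec2-user is the default on Amazon Linux, while Ubuntu images use ubuntu. You’ll be connected to your server in no time.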

Step 2: Install Certbot

Certbot is like your magical wizard for SSL certificates. It’s a free, open-source tool that gets your SSL certs from Let’s Encrypt. Depending on your Linux flavor, you’ll install it slightly differently.

For Ubuntu:

sudo apt update
sudo apt-get install certbot

For CentOS:

sudo yum update
sudo yum install epel-release
sudo yum install certbot

Step 3: Add the Web Server Plugin

Certbot needs a little help to talk to your web server. If you’re using Nginx or Apache, there’s a plugin for that. Let’s install the right one for your server.

For Nginx on Ubuntu:

sudo apt install python3-certbot-nginx

For Apache on Ubuntu:

sudo apt install python3-certbot-apache

On CentOS, swap apt for yum in the above commands.

Step 4: Grab Your SSL Certificate

Time to get that free SSL certificate! Certbot will handle the heavy lifting and even configure your web server for you.

For Nginx:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

For Apache:

sudo certbot --apache -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your actual domain. Certbot will take care of the rest. You’ll be asked a few questions and then—voilà!—SSL is set up.

When you run Certbot, it’s like having a helpful guide walking you through the SSL setup for your website. First, it’ll ask for your email address so you can get reminders when it’s time to renew your certificate. Then, you’ll need to agree to the terms of service. No worries — it’s quick and easy. Certbot even takes care of the heavy lifting by tweaking your Nginx/Apache settings to turn on SSL. Just follow the prompts, and you’ll be secure in no time!

Step 5: Verify SSL Configuration

After Certbot has fetched your SSL certificate, it usually updates your Nginx configuration automatically. However, it’s always a good idea to double-check that everything is set up correctly.

Open your Nginx configuration file. This might vary depending on your setup, but a common location is:

sudo nano /etc/nginx/sites-available/default

Look for a section that starts with server {. Within this section, you should see SSL directives like:

server {
    listen 443 ssl; # or 'listen 443 ssl http2;' for HTTP/2
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Your other configurations…
}

Make sure the ssl_certificate and ssl_certificate_key paths point to the correct files generated by Certbot.

For Apache:

Open your Apache SSL configuration file. This is often located in the sites-available directory. You might be using a file like default-ssl.conf or a custom file for your domain:

sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf

Look for the <VirtualHost *:443> section. It should include the SSL directives:

<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Your other configurations...
</VirtualHost>

Ensure the SSLCertificateFile and SSLCertificateKeyFile paths are correct.

Step 6: Test the Web Server Configuration

Before we restart the web server, let’s test the configuration to catch any syntax errors or misconfigurations. For Nginx, run the following command:

sudo nginx -t

If everything is configured correctly, you should see a message like nginx: configuration file /etc/nginx/nginx.conf test is successful.

For Apache:

sudo apachectl configtest

You should see a message like Syntax OK if everything is correct.

Step 7: Restart the Web Server

Assuming the test was successful, restart Nginx or reload Apache to apply the changes:

For Nginx:

sudo systemctl restart nginx

For Apache:

sudo systemctl reload apache2

And that’s it! Your SSL configuration for Nginx or Apache should now be up and running smoothly.

Step 8: Check Out Your New SSL

Hop over to your browser and visit your domain. See that padlock icon next to your URL? That’s your SSL certificate doing its job. High five! 🖐️

Step 9: Set Up Auto-Renewal with Cron

Here’s the thing: Let’s Encrypt certificates last for 90 days. But don’t worry, Certbot can renew them automatically. We’ll set up a cron job to make sure this happens like clockwork.

  1. Open your crontab editor:

sudo crontab -e

  2. Add the following line to the crontab file to schedule the Certbot renewal for the first day of each month at midnight:

0 0 1 * * /usr/bin/certbot renew --quiet

  3. Save and exit the editor (for nano, press CTRL + X, then Y, and ENTER).

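With this cron job, Certbot will run on the first day of every month and renew any certificate that is due. The --quiet flag ensures it runs silently unless there is an error, making it perfect for automation.

Why Monthly Renewal?

Let’s Encrypt certificates are valid for 90 days. The idea behind the monthly schedule is that if anything goes wrong, you have time to fix it before the certificate expires, without overloading your system with too frequent renewals. One caveat: by default certbot renew only replaces certificates that are within 30 days of expiry, so a monthly job usually gets a single run inside that window, and a failure on that run may not be retried until after the certificate has expired. Certbot’s documentation recommends running certbot renew twice a day; the command does nothing when no certificate is due, so the extra runs are cheap.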
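To see how the monthly cron line interacts with Certbot's renewal window, the following added example (not part of the original article) simulates scheduled runs against one certificate. It assumes a 90-day lifetime, that certbot renew acts only inside the last 30 days, and cron times in UTC; the issuance dates and the twice-daily comparison schedule are constructed.

```python
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)      # Let's Encrypt lifetime, as stated in the article
RENEW_WINDOW = timedelta(days=30)  # assumption: certbot renew acts only in the last 30 days

def monthly(start, end):
    """Firings of '0 0 1 * *' (the article's cron line) in (start, end], UTC."""
    year, month = start.year, start.month
    while True:
        run = datetime(year, month, 1, tzinfo=timezone.utc)
        if run > end:
            return
        if run > start:
            yield run
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)

def twice_daily(start, end):
    """Firings of '0 0,12 * * *' (comparison schedule) in (start, end], UTC."""
    run = start.replace(hour=0, minute=0, second=0, microsecond=0)
    while run <= end:
        if run > start:
            yield run
        run += timedelta(hours=12)

def renewal_report(issued, schedule):
    """Return (attempts, margin): how many runs land inside the renewal window
    before expiry (the chances to succeed if earlier runs fail), and the time left
    when the first run renews. Negative margin = expired certificate served."""
    expiry = issued + LIFETIME
    runs = list(schedule(issued, expiry + timedelta(days=31)))
    attempts = sum(1 for r in runs if timedelta(0) <= expiry - r < RENEW_WINDOW)
    margin = next(expiry - r for r in runs if expiry - r < RENEW_WINDOW)
    return attempts, margin

# Constructed issuance times (not taken from any real server).
TYPICAL = datetime(2024, 6, 22, 10, 0, tzinfo=timezone.utc)  # expires 2024-09-20 10:00
EDGE = datetime(2024, 11, 2, 12, 0, tzinfo=timezone.utc)     # expires 2025-01-31 12:00

if __name__ == "__main__":
    for label, issued in (("typical", TYPICAL), ("edge", EDGE)):
        for name, schedule in (("monthly", monthly), ("twice daily", twice_daily)):
            attempts, margin = renewal_report(issued, schedule)
            print(f"{label:8} {name:12} attempts={attempts:3} margin={margin}")
```

In the constructed edge case the January 1 run sees 30 days 12 hours remaining and skips the certificate, so it expires 12 hours before the February 1 run replaces it.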

Step 10: Test Your Setup

Let’s make sure everything’s good to go. Certbot has a --dry-run option to test the renewal process without actually renewing the certificate:

sudo certbot renew --dry-run

If you don’t see any errors, you’re golden!

You’re All Set!

And there you have it! You’ve got your free SSL certificate, it’s automatically renewing, and your site is now a secure haven for your visitors. 💻🔒

A Few Handy Tips

  1. Check Your Ports: Make sure ports 80 (HTTP) and 443 (HTTPS) are open in your EC2 security group.
  2. DNS Setup: Verify that your domain’s DNS records point to your EC2 instance’s IP.
  3. Troubleshooting: If something goes wrong with the renewal, check the logs at /var/log/letsencrypt/.

SSL certificates don’t just secure your website — they make it more trustworthy and boost your SEO game. So, kudos to you for making this move!

Got questions or run into any snags? Feel free to ask. Happy securing! 🚀
