Securing Your Web Server with Let's Encrypt and Certbot on Amazon Linux 2023

In today’s digital age, securing your web server with an SSL/TLS certificate is not just recommended; it’s essential. An SSL certificate encrypts data between your server and its users, safeguarding sensitive information from prying eyes. This guide will walk you through obtaining a free SSL certificate from Let's Encrypt for an Nginx web server running on Amazon Linux 2023, and setting up automatic renewal with Certbot.

Prerequisites

  • A running Amazon Linux 2023 instance
  • A registered domain name pointing to your server
  • Nginx installed and serving your site
  • Root or sudo access on your server

Step 1: Installing Certbot

Certbot is a free, open-source tool that automates obtaining, installing and renewing Let's Encrypt certificates. Certbot's package might not be directly available in the Amazon Linux 2023 repositories, but we can easily install it using pip, Python's package installer.

First, ensure pip is installed:

sudo dnf install python3-pip

Note: if Python is already installed and a virtual environment already exists for the application hosted on this instance, you can skip this step.

Then, install Certbot and the Nginx plugin:

sudo pip3 install certbot certbot-nginx

If you get an error saying pip3 is not found, go to the bin folder of your Python virtual environment and run the command from there.

Step 2: Obtaining Your SSL Certificate

With Certbot installed, obtaining and installing an SSL certificate for your domain is straightforward:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Replace yourdomain.com with your actual domain name. Follow the prompts to complete the installation. Certbot will modify your Nginx configuration automatically to use the SSL certificate. Certbot proves control of the domain over plain HTTP, so port 80 on the instance must be reachable from the internet (check the security group) for this step to succeed.

Immediately After Installing the SSL Certificate

Once the SSL certificate is installed, it's important to ensure that Nginx starts using it without delay. This requires reloading the Nginx configuration:

sudo systemctl reload nginx

Step 3: Verifying Auto-Renewal with a Dry Run

Let’s Encrypt certificates are valid for 90 days, but Certbot simplifies the renewal process. To test that automatic renewal is set up correctly, perform a dry run:

sudo certbot renew --dry-run

If you see no errors, you’re all set for automatic renewals.

Step 4: Setting Up Systemd Timer for Auto-Renewal

Although Certbot attempts to set up auto-renewal, I prefer to have more direct control using a systemd timer.

Creating the Service File

Create a file named certbot-renew.service in /etc/systemd/system/ with the following content:

[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "sudo systemctl reload nginx"

The path /usr/bin/certbot must match where pip placed certbot when you installed it (Step 1); run `which certbot` (from inside the virtual environment, if you used one) to find it, and use that absolute path here.

This service runs the Certbot renew command, including a deploy-hook to reload Nginx only if a certificate is renewed, ensuring your web server uses the new certificates immediately.

Creating the Timer File

Next, create a timer file named certbot-renew.timer in the same directory:

[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target

This timer triggers the service daily, ensuring your certificates are always up to date. The daily run is cheap: Certbot only renews a certificate that is close to expiry, and Persistent=true makes a missed run (for example, while the instance was stopped) execute as soon as the timer is next active.

Enabling the Timer

Enable and start the timer:

sudo systemctl daemon-reload
sudo systemctl enable certbot-renew.timer
sudo systemctl start certbot-renew.timer

Check the timer’s status:

systemctl list-timers
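Before enabling the timer, it is worth checking that the two unit files actually say what Step 4 intends. The Python script below is an added example, not part of the original article: it parses constructed copies of the article's units (on a real host you would read them from /etc/systemd/system/), confirms the certbot path in ExecStart is executable, and flags a missing deploy hook, schedule, Persistent setting or WantedBy line. The sample hook omits sudo because the service already runs as root.

```python
"""Sanity-check the certbot-renew systemd units before enabling the timer."""
import configparser
import os
import shlex

# Constructed copies of the article's units; on a real host read /etc/systemd/system/.
SERVICE_TEXT = """[Unit]
Description=Certbot Renewal

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx"
"""
TIMER_TEXT = """[Unit]
Description=Timer for Certbot Renewal

[Timer]
OnCalendar=daily
Persistent=true

[Install]
WantedBy=timers.target
"""

def parse_unit(text):
    """Parse a simple systemd unit; keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_units(service_text, timer_text, check_exec=True):
    """Return a list of problems; an empty list means the units look right."""
    problems = []
    svc, tmr = parse_unit(service_text), parse_unit(timer_text)
    argv = shlex.split(svc.get("Service", "ExecStart", fallback=""))
    if not argv:
        problems.append("service: missing ExecStart")
    else:
        # argv[0] must be the real certbot path ('which certbot' shows it).
        if check_exec and not os.access(argv[0], os.X_OK):
            problems.append(f"service: {argv[0]} is not executable")
        if "--deploy-hook" not in argv:
            problems.append("service: no --deploy-hook, nginx would keep the old cert")
    if not tmr.has_option("Timer", "OnCalendar"):
        problems.append("timer: no OnCalendar schedule")
    if tmr.get("Timer", "Persistent", fallback="").lower() != "true":
        problems.append("timer: Persistent=true missing, missed runs are skipped")
    if tmr.get("Install", "WantedBy", fallback="") != "timers.target":
        problems.append("timer: WantedBy=timers.target missing, enable will not work")
    return problems
```

Run `check_units(open(service).read(), open(timer).read())` on the server; an empty list means the units are safe to enable.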

Conclusion

You now have a secure Nginx server on Amazon Linux 2023, protected by an SSL certificate from Let's Encrypt, with a robust auto-renewal system in place. This setup not only boosts your site's security but also its credibility and search engine ranking.

Security is an ongoing journey, and staying informed and proactive is key to safeguarding your digital assets. Happy securing!


#websecurity #letsencrypt #sslcertificate

More articles by Gaurav Chopra