Certbot on AWS
So I am guessing you are using an EC2 instance with a custom domain, running Apache or nginx?
The easiest way to get a cert is to use certbot. For it to work, your domain's DNS must point at the EC2 instance's public IP, Apache or nginx must be installed, and ports 80 and 443 must be open in the instance's security group (not just the OS firewall). So know your public IP and check the security group before you start.
- SSH into your EC2 instance (SSH access, meaning the key pair and a security group rule for port 22, has to be set up in the AWS console – do you know if they did it? I can give you steps if you have access – and access is A HUGE thing with AWS)
ssh -i your-key.pem ec2-user@your-ec2-ip
(it doesn't do passwords – you need the private key from the instance's key pair)
- Install Certbot – every OS is different; here are two of them:
For Amazon Linux 2 (certbot comes from the EPEL repository, so enable EPEL with amazon-linux-extras first, then):
sudo yum install -y certbot python2-certbot-nginx # or `python2-certbot-apache`
For Ubuntu:
sudo apt update
sudo apt install certbot python3-certbot-nginx
- Run Certbot for your server
For NGINX:
sudo certbot --nginx
For Apache:
sudo certbot --apache
It'll auto-detect your configuration, add a port 443 listener to your virtual host, and install the certificate.
If you want to manually specify the domain:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
- Test automatic renewal
Let's Encrypt certificates are valid for 90 days, so make sure the renewal job the package installed (a cron job or a systemd timer, depending on the distribution) actually works:
sudo certbot renew --dry-run
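The steps above as one script, with the three prerequisites (DNS points here, ports 80 and 443 reachable, instance IP known) checked before certbot is run. This is an added example, not code from the original notes; it assumes nginx, that dig and curl are installed (dig is in bind-utils on Amazon Linux), and that the instance can reach the metadata service at 169.254.169.254 using IMDSv2. The domain name is a parameter.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): pre-flight checks for the three
# things certbot needs on EC2, then issuance and a renewal dry-run.
# Assumptions: nginx is the web server, dig and curl are installed (dig is in
# bind-utils on Amazon Linux), and the instance can reach the metadata service
# at 169.254.169.254 (IMDSv2). The domain name is a parameter.
set -u

# Pure helper: does the public A record match the instance's public IP?
# $1 = resolved addresses (one per line), $2 = expected IP. Kept free of
# network calls so it can be exercised with constructed input.
dns_points_here() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# Public IPv4 of this instance via IMDSv2: fetch a session token, then the
# metadata path. Empty output means no public IP (private subnet / no EIP).
instance_public_ip() {
    token=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
                -H "X-aws-ec2-metadata-token-ttl-seconds: 300") || return 1
    curl -sf -H "X-aws-ec2-metadata-token: $token" \
        "http://169.254.169.254/latest/meta-data/public-ipv4"
}

# TCP reachability of $1:$2 using bash's /dev/tcp (no extra tools needed).
# Security group rules act on traffic entering the instance, so the
# authoritative version of this check is run from outside AWS.
port_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {
    domain="$1"
    ip=$(instance_public_ip) || { echo "cannot read instance public IP"; return 1; }
    records=$(dig +short A "$domain")
    if ! dns_points_here "$records" "$ip"; then
        echo "$domain resolves to [$(echo "$records" | tr '\n' ' ')] but this instance is $ip"
        return 1
    fi
    for p in 80 443; do
        port_open "$domain" "$p" || { echo "port $p not reachable: check the security group and that nginx is listening"; return 1; }
    done
    echo "preflight OK: $domain -> $ip, ports 80 and 443 reachable"
}

# Issue for the bare domain and www, then prove renewal will work unattended.
issue_cert() {
    preflight "$1" || return 1
    sudo certbot --nginx -d "$1" -d "www.$1" && sudo certbot renew --dry-run
}

# Live usage: issue_cert example.com
```

The DNS check compares against what the instance reports about itself rather than a typed-in IP, which catches the common case where the A record still points at an old instance or an Elastic IP that was never attached.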
ISSUES:
I almost always run into an issue where it can't validate – usually because I set up the .htaccess or nginx to automatically redirect to https, which makes the validation fail. It can't find the acme-challenge file.
So I have to comment out the redirect to https, and then run certbot again.
Then I have to uncomment the redirect to https.
I have to do this for every site I set up.
So hopefully nothing like that is already running, and you can just turn it off? If not, you have to try to put overrides for acme-challenge in your .htaccess or nginx config. But I have never been able to get that to work.
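What the override has to look like for nginx, and why it usually fails when tried: a "return 301" (or an "if" containing one) placed directly in the server block runs in nginx's rewrite phase, before a location is chosen, so an acme-challenge location added next to it never gets a chance. The redirect has to move inside "location /". The block below is an added example, not from the original notes: two constructed configs (the usual broken one and the fixed one, with placeholder server names and /var/www/letsencrypt as a placeholder webroot), plus a line-based check that tells them apart and a live probe of the challenge path.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes. The HTTP-01 check fetches
# http://DOMAIN/.well-known/acme-challenge/<token> over plain HTTP; a blanket
# "return 301 https://..." answers that with a redirect and validation fails.
# nginx detail that explains why overrides "never work": a return (or if) at
# server level runs in the rewrite phase BEFORE a location is chosen, so an
# acme-challenge location cannot rescue it. The redirect must move into
# "location /". Server names and the webroot path below are placeholders.
set -u

# Constructed sample: the usual broken port-80 block.
BROKEN_CONF='server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}'

# Constructed sample: the fix. ^~ makes the challenge prefix win, and the
# redirect now lives inside a location, so it no longer pre-empts matching.
# Pair it with: certbot certonly --webroot -w /var/www/letsencrypt -d example.com
FIXED_CONF='server {
    listen 80;
    server_name example.com www.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}'

# Returns 0 (true) when the config would break HTTP-01: it redirects to https
# and either has no acme-challenge location or the redirect sits outside any
# location. Line-based heuristic: assumes one directive or brace per line.
redirect_breaks_acme() {
    printf '%s\n' "$1" | awk '
        /location[ \t].*\/\.well-known\/acme-challenge\// { exempt = 1 }
        /return[ \t]+30[12][ \t]+https:\/\// {
            redirect = 1
            if (inloc == 0) server_level = 1   # rewrite-phase return, wins over any location
        }
        /\{/ { sp++; isloc[sp] = ($1 == "location"); inloc += isloc[sp] }
        /\}/ { inloc -= isloc[sp]; sp-- }
        END { broken = (redirect && (server_level || !exempt)); exit (broken ? 0 : 1) }
    '
}

# Live probe of a running site: 404 is fine (no token there yet); 301/302 means
# the redirect is still in the way. Not run in the offline demo.
probe_challenge_path() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1/.well-known/acme-challenge/probe"
}

# Offline demo against the two constructed configs.
if redirect_breaks_acme "$BROKEN_CONF"; then
    echo "BROKEN_CONF: HTTP-01 validation would fail"
fi
if redirect_breaks_acme "$FIXED_CONF"; then
    echo "FIXED_CONF: HTTP-01 validation would fail"
else
    echo "FIXED_CONF: challenge path is served over http, redirect is safe"
fi
```

The same logic applies to Apache when the redirect is a mod_rewrite rule in .htaccess: a RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ line directly before the RewriteRule that sends traffic to https exempts the challenge path, and the server-level trap does not exist there. Running probe_challenge_path against the domain before certbot, and expecting a 404 rather than a 301, is the quick way to know whether the redirect still needs disabling.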
Create / Add Keys
AWS uses public/private key authentication, which is more secure and scalable.
⸻
🔐 Why No Passwords?
- AWS generates a key pair (a .pem private key and a public key stored in the instance).
- The private key is downloaded once and used to authenticate via SSH.
- This avoids the need to set (and protect) passwords.
⸻
✅ How AWS SSH Authentication Works
- When launching your EC2 instance, AWS asks you to select or create a key pair.
- You download the private key (.pem file).
- You connect with:
ssh -i your-key.pem ec2-user@your-ec2-ip
- The instance already has the matching public key (placed there at first boot) in:
~/.ssh/authorized_keys
⸻
🔄 Can You Add Password Authentication?
Yes, but it’s not recommended unless you know what you’re doing:
- SSH into the instance with your .pem file.
- Set a password:
sudo passwd ec2-user
- Edit the SSH config:
sudo nano /etc/ssh/sshd_config
Change these lines:
PasswordAuthentication yes
ChallengeResponseAuthentication no
(Newer Ubuntu cloud images also ship a drop-in under /etc/ssh/sshd_config.d/ that sets PasswordAuthentication no and overrides the main file, so check the effective setting rather than trusting the edit.)
- Restart SSH (the unit is sshd on Amazon Linux and ssh on Ubuntu):
sudo systemctl restart sshd
But again — this weakens security. SSH keys are safer.
⸻
Want to share access with others? You can:
- Add their public key to the ~/.ssh/authorized_keys file (best: they generate the pair, you only ever see the public half).
- Or generate a key pair for them, add its public half to authorized_keys, and hand over the private half securely (weaker, because you then hold a copy of their private key).
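Adding a colleague's key the way the last section describes, done carefully: validate that the line really is a public key, create the file with the permissions sshd's default StrictModes requires, and never add the same key twice. This is an added example, not from the original notes; the key line is a constructed placeholder (not a real key), the .ssh directory is a parameter so the function can be tried in a temp directory, and the last function is the check for the password-authentication edit above.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: give someone else SSH access by
# appending their public key to authorized_keys, with the checks sshd itself
# will make. The key below is a constructed placeholder, not a real key, and
# the .ssh directory is a parameter so the function can run against a temp dir.
set -u

# Constructed public-key line (the blob is not a real key).
CONSTRUCTED_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleConstructedKeyBlob0123456789abcdef alice@laptop'

# Sanity check on one line: recognised key type, base64 blob, optional comment.
# Rejects private-key material and pasted garbage before it lands in the file.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Add a key once (idempotent) with the permissions sshd insists on: with the
# default StrictModes, sshd ignores authorized_keys if the directory or file
# is group/world-writable. $1 = public key line, $2 = .ssh dir (default: yours).
add_authorized_key() {
    key="$1"; dir="${2:-$HOME/.ssh}"; file="$dir/authorized_keys"
    valid_pubkey "$key" || { echo "refusing: not a public key line" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # match on type + blob only so a different comment doesn't duplicate the key
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "added"
}

# Number of key lines in an authorized_keys file (blank and comment lines ignored).
key_count() {
    grep -Evc '^[[:space:]]*(#|$)' "$1" || true
}

# Effective sshd settings after the password-auth edit. -T prints the merged
# result, including drop-ins under /etc/ssh/sshd_config.d/ that can silently
# override what you edited in sshd_config. Live use only.
sshd_auth_settings() {
    sudo sshd -T | grep -Ei '^(passwordauthentication|pubkeyauthentication|permitrootlogin) '
}

# Offline demo in a throwaway directory.
demo_dir=$(mktemp -d)/.ssh
add_authorized_key "$CONSTRUCTED_KEY" "$demo_dir"     # added
add_authorized_key "$CONSTRUCTED_KEY" "$demo_dir"     # already present
echo "keys on file: $(key_count "$demo_dir/authorized_keys")"   # 1
```

Run sshd_auth_settings after the sshd_config edit and the restart; if it still prints "passwordauthentication no", a drop-in file is winning and the change has to go there (or the drop-in has to be removed), not in the main file.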