In this guide, we will walk you through setting up an SSL/TLS certificate with Nginx for a Cloudflare-managed domain on AWS. We’ll cover everything from installing Certbot to updating Cloudflare settings. Your website will be secure and ready to handle encrypted traffic by the end.
Installing Certbot
Certbot is a free, open-source tool for obtaining and renewing SSL/TLS certificates from the Let’s Encrypt certificate authority. Let’s start by installing Certbot on your server.
- Update your package list:
sudo apt-get update
- Install Certbot and the Nginx plugin:
sudo apt-get install certbot python3-certbot-nginx
Obtaining an SSL Certificate
With Certbot installed, the next step is to obtain an SSL certificate for your domain.
- Run Certbot with the Nginx plugin:
sudo certbot –nginx
- Follow the prompts:
- Enter your email address for renewal and security notices.
- Agree to the terms of service.
- Certbot will automatically detect your Nginx configuration and ask which domain you want HTTPS to activate. Select your domain from the list.
- Certbot will obtain and install the certificate and configure Nginx for you.
Updating Nginx Configuration
Even though Certbot configures Nginx automatically, it’s a good practice to review the configuration and make sure everything is in order.
- Open your Nginx configuration file for your site:
sudo nano /etc/nginx/sites-available/your_domain
- Ensure the configuration looks like this:
server {
listen 80;
server_name your_domain www.your_domain;
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name your_domain www.your_domain;
ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location / {
proxy_pass http://localhost:your_port;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
- Save and exit the file.
Testing and Reloading Nginx
- Test the Nginx configuration for syntax errors:
sudo nginx -t
- If the test is successful, reload Nginx:
sudo systemctl reload nginx
Updating Cloudflare Settings
To ensure Cloudflare correctly handles the SSL/TLS traffic, update your settings in the Cloudflare dashboard.
- Log in to your Cloudflare account.
- Navigate to the SSL/TLS settings for your domain.
- Set the SSL/TLS encryption mode to ‘Full (strict)’.
- Enable ‘Always Use HTTPS’ to redirect all HTTP requests to HTTPS.
- Enable ‘Automatic HTTPS Rewrites’ to fix mixed content issues.
Troubleshooting SSL/TLS Certificate Issues
If you encounter issues with your SSL/TLS certificate, here are some common problems and solutions:
- Expired Certificate:
Certbot should automatically renew your certificates. To check and renew manually, run the following:
sudo certbot renew
- Nginx Configuration Errors:
Ensure there are no syntax errors in your Nginx configuration by running:
sudo nginx -t
- Cloudflare Misconfiguration:
- Ensure Cloudflare is set to ‘Full (strict)’ and that the SSL certificate on your server is valid.
- Firewall Issues:
- Make sure that your firewall allows traffic on ports 80 and 443.
Following these steps, you should have a secure SSL/TLS certificate set up for your Cloudflare-managed domain on AWS. Your website will now provide a secure browsing experience for your users.
References
Secure your Lightsail Nginx website with Let’s Encrypt SSL/TLS
Secure your Lightsail WordPress instance with free Let’s Encrypt SSL certificates