In this guide, we will walk you through setting up an SSL/TLS certificate with Nginx for a Cloudflare-managed domain on AWS. We’ll cover everything from installing Certbot to updating Cloudflare settings. Your website will be secure and ready to handle encrypted traffic by the end.

Installing Certbot

Certbot is a free, open-source tool for obtaining and renewing SSL/TLS certificates from the Let’s Encrypt certificate authority. Let’s start by installing Certbot on your server.

  1. Update your package list:

    sudo apt-get update

  2. Install Certbot and the Nginx plugin:

    sudo apt-get install certbot python3-certbot-nginx

Obtaining an SSL Certificate

With Certbot installed, the next step is to obtain a certificate for your domain. Certbot's default HTTP-01 challenge needs two things in place first: port 80 on this server must be reachable from the internet, and the domain's DNS record must already point at it (a record proxied through Cloudflare is fine, because Cloudflare forwards the challenge request to your origin).

  1. Run Certbot with the Nginx plugin (note the two hyphens):

    sudo certbot --nginx

  2. Follow the prompts:

  • Enter an email address for renewal and security notices.
  • Agree to the Let's Encrypt terms of service.
  • Certbot reads your Nginx configuration and lists the server_name entries it finds; select the names you want HTTPS enabled for (normally both your_domain and www.your_domain, so that one certificate covers both).
  • Certbot obtains the certificate, installs it, and edits the matching Nginx server block for you.

Updating Nginx Configuration

Even though Certbot configures Nginx automatically, it’s a good practice to review the configuration and make sure everything is in order.

  1. Open the Nginx configuration file for your site:

    sudo nano /etc/nginx/sites-available/your_domain

  2. Ensure the configuration looks like this, with your_domain replaced by your hostname and your_port by the port your application listens on. The ssl_* lines are the ones Certbot added; keep them pointing at the live/ directory (which holds symlinks to the current files) rather than copying the files elsewhere, so that renewals take effect without further edits:

    server {
        listen 80;
        server_name your_domain www.your_domain;

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name your_domain www.your_domain;

        ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        location / {
            proxy_pass http://localhost:your_port;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

  3. Save and exit the file.

Testing and Reloading Nginx

  1. Test the Nginx configuration for syntax errors:

    sudo nginx -t

  2. If the test is successful, reload Nginx:

    sudo systemctl reload nginx
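Before relying on the files Certbot installed, it is worth checking them the way Nginx and browsers will: the private key must belong to the leaf certificate, the certificate must list every hostname you serve, and there must be enough validity left to show the renewal timer is doing its job. The script below is an added example, not part of the original guide or of Certbot; it assumes OpenSSL 1.1.1 or newer with GNU coreutils (Debian/Ubuntu), and LIVE_DIR and the example.com names in its comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide or from Certbot): consistency
# checks for the files in /etc/letsencrypt/live/<domain>/.
# Assumes OpenSSL 1.1.1+ and GNU coreutils (Debian/Ubuntu). LIVE_DIR can be
# overridden for testing; the hostnames in comments are placeholders.

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}

# SHA-256 over the DER-encoded public key, so RSA and ECDSA keys compare the
# same way (Certbot 2.x issues ECDSA keys by default).
cert_pubkey_fp() {    # cert_pubkey_fp CERT.pem
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1
}
key_pubkey_fp() {     # key_pubkey_fp KEY.pem
    openssl pkey -in "$1" -pubout -outform DER | sha256sum | cut -d' ' -f1
}

# 0 if KEY.pem is the private key for the leaf certificate in CERT.pem.
# A mismatch makes `nginx -t` fail with "key values mismatch".
cert_matches_key() {  # cert_matches_key CERT.pem KEY.pem
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Print the DNS names from the subjectAltName extension, one per line.
cert_san_names() {    # cert_san_names CERT.pem
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# 0 if HOSTNAME is covered by CERT.pem. Matching is case-insensitive and a
# wildcard covers exactly one label, as in browsers: *.example.com covers
# www.example.com but neither example.com nor a.b.example.com.
cert_covers_name() {  # cert_covers_name CERT.pem HOSTNAME
    host_lc=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    host_parent=${host_lc#*.}
    san_list=$(cert_san_names "$1" | tr 'A-Z' 'a-z')
    while read -r san; do
        case "$san" in
            "$host_lc") return 0 ;;
            "*.$host_parent") [ "$host_parent" != "$host_lc" ] && return 0 ;;
        esac
    done <<EOF
$san_list
EOF
    return 1
}

# 0 if CERT.pem is still valid DAYS from now. Certbot renews at 30 days
# left, so failing with DAYS=30 means the renewal timer is not working.
cert_valid_for_days() {  # cert_valid_for_days CERT.pem DAYS
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Check the live directory for DOMAIN and every extra hostname given.
check_live_cert() {   # check_live_cert DOMAIN [HOSTNAME...]
    domain=$1; shift
    cert=$LIVE_DIR/$domain/fullchain.pem
    key=$LIVE_DIR/$domain/privkey.pem
    rc=0
    cert_matches_key "$cert" "$key" \
        || { echo "FAIL: $key does not match $cert"; rc=1; }
    for name in "$domain" "$@"; do
        cert_covers_name "$cert" "$name" \
            || { echo "FAIL: certificate does not cover $name"; rc=1; }
    done
    cert_valid_for_days "$cert" 30 \
        || { echo "FAIL: under 30 days left; run: sudo certbot renew"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert matches $key and covers $domain $*"
    return "$rc"
}

# Run directly:  sudo sh check_cert.sh your_domain www.your_domain
if [ "$#" -gt 0 ]; then check_live_cert "$@"; fi
```

Run it as root, since privkey.pem is readable only by root: `sudo sh check_cert.sh your_domain www.your_domain`. The wildcard matching deliberately follows the browser rule of one label only, so a certificate for *.your_domain is reported as not covering your_domain itself; the certificate Certbot issues when you select both names at the prompt lists them explicitly and passes.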

Updating Cloudflare Settings

To make Cloudflare encrypt and verify its own connection to your origin, update the settings in the Cloudflare dashboard.

  1. Log in to your Cloudflare account.
  2. Navigate to the SSL/TLS settings for your domain.
  3. Set the SSL/TLS encryption mode to ‘Full (strict)’. This is the only mode in which Cloudflare verifies the certificate your origin presents: ‘Flexible’ leaves the Cloudflare-to-origin hop in plain HTTP, and ‘Full’ encrypts it but accepts any certificate, including a self-signed or expired one.
  4. Enable ‘Always Use HTTPS’ to redirect all HTTP requests to HTTPS at the Cloudflare edge.
  5. Enable ‘Automatic HTTPS Rewrites’ to fix mixed content issues (http:// links to resources that are also available over HTTPS).

Troubleshooting SSL/TLS Certificate Issues

If you encounter issues with your SSL/TLS certificate, here are some common problems and solutions:

  1. Expired Certificate:

The Certbot package installs a systemd timer (and a cron job) that renews certificates automatically once they have 30 days or less left. To confirm that renewal works end to end without issuing anything, run:

sudo certbot renew --dry-run

To renew for real, run:

sudo certbot renew

  2. Nginx Configuration Errors:

Ensure there are no syntax errors in your Nginx configuration by running:

sudo nginx -t

  3. Cloudflare Misconfiguration:
    • Ensure Cloudflare is set to ‘Full (strict)’ and that the certificate on your server is valid: not expired, issued by a publicly trusted CA such as Let's Encrypt, and covering the hostname being requested. Cloudflare reports a failed origin certificate check as error 526.
  4. Firewall Issues:
    • Make sure that traffic on ports 80 and 443 is allowed both in the instance's AWS security group (or Lightsail firewall) and in any host firewall such as ufw. Port 80 must stay open after HTTPS is working, because Certbot's renewal challenge arrives over HTTP.
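When Cloudflare shows an error in Full (strict) mode, the first thing to establish is whether the origin certificate is the problem or whether the request is not passing through Cloudflare at all. The script below is an added diagnostic, not code from the original guide or from Cloudflare; it assumes openssl (1.1.0 or newer, for -verify_hostname) and curl are installed, and ORIGIN_IP stands for your instance's public IP address.

```shell
#!/bin/sh
# Added diagnostic (not from the original guide or from Cloudflare).
# Separates "the origin certificate is bad" from "Cloudflare is not in front"
# when Full (strict) mode returns an error. Assumes openssl 1.1.0+ and curl;
# your_domain and ORIGIN_IP are placeholders for your hostname and the
# instance's public IP.

# Read an `openssl s_client` transcript on stdin; 0 if the chain verified.
handshake_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Print the failure text from the transcript, e.g. "certificate has expired".
handshake_reason() {
    sed -n 's/.*Verify return code: [0-9]* (\(.*\))/\1/p' | head -n 1
}

# Read HTTP response headers on stdin; 0 if Cloudflare answered. The cf-ray
# header is added by every Cloudflare edge response and not by Nginx itself.
via_cloudflare() {
    grep -qi '^cf-ray:'
}

# Live check 1: connect straight to the origin IP while still sending the
# hostname as SNI, so you see the certificate Cloudflare is being offered.
# Verifies the chain (as Full (strict) does) and additionally the hostname.
check_origin() {   # check_origin your_domain ORIGIN_IP
    transcript=$(openssl s_client -connect "$2:443" -servername "$1" \
                     -verify_hostname "$1" </dev/null 2>&1) || true
    if printf '%s\n' "$transcript" | handshake_verified; then
        echo "origin OK: $2 presents a trusted chain for $1"
    else
        reason=$(printf '%s\n' "$transcript" | handshake_reason)
        echo "origin FAIL: ${reason:-no TLS handshake (is port 443 open?)}"
        return 1
    fi
}

# Live check 2: is the public hostname actually proxied through Cloudflare?
check_edge() {     # check_edge your_domain
    if curl -sSI "https://$1/" | via_cloudflare; then
        echo "edge OK: $1 is served through Cloudflare"
    else
        echo "edge WARN: no cf-ray header; the DNS record may be 'DNS only'"
        return 1
    fi
}

# Run directly:  sh diagnose_origin.sh your_domain ORIGIN_IP
if [ "$#" -eq 2 ]; then check_origin "$@"; check_edge "$1"; fi
```

check_origin bypasses the Cloudflare proxy entirely, so an "origin FAIL" there is something to fix on the server (certificate, key, firewall), while a verified origin combined with an "edge WARN" points at the DNS record or Cloudflare settings instead. The two parsing helpers work on captured text, so a transcript pasted from another machine can be fed to them as well.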

Once these steps are complete, your origin holds a valid, automatically renewing Let's Encrypt certificate, Cloudflare verifies it on every connection, and both hops (visitor to Cloudflare and Cloudflare to your AWS instance) carry only encrypted traffic.
