How to Enable HTTPS on AWS EC2 Using Certbot
Ensuring secure communication between users and your web server is essential for any online application. HTTPS encrypts data exchanged between the browser and server, protecting user information from interception and tampering. When hosting a website on AWS EC2, one of the most popular and cost-effective ways to enable HTTPS is by using Certbot with Let’s Encrypt, a free and automated certificate authority.
This guide explains everything you need to know about setting up HTTPS on an AWS EC2 instance using Certbot. It is beginner-friendly, covers all necessary steps, and includes best practices to help you maintain a secure and stable HTTPS configuration.
Why HTTPS Matters for Your EC2 Website
Before diving into the setup, it is important to understand why HTTPS is critical:
- Security and Encryption: HTTPS encrypts data in transit, preventing attackers from reading sensitive information.
- Trust and Credibility: Browsers display a padlock symbol for HTTPS sites, increasing user trust.
- Better SEO Ranking: Google prioritizes HTTPS-enabled sites in search rankings.
- Prevents Browser Warnings: Browsers label non-HTTPS sites as “Not Secure,” which can scare users away.
- Required for Modern Web Features: Many APIs, PWAs, and browser capabilities require HTTPS to function.
Given these advantages, enabling HTTPS is an essential step for every EC2-hosted application.
Prerequisites
To follow this guide, you will need:
- An AWS EC2 instance (Ubuntu, Amazon Linux, or similar)
- A domain name linked to your EC2 public IP
- A web server installed (Apache or Nginx)
- A user with `sudo` privileges on the EC2 instance
- Ports 80 and 443 open in the EC2 Security Group
Tip: If your domain is not yet linked to your EC2 instance, update your DNS records with the EC2 public IP before continuing.
Step 1: Connect to Your EC2 Instance
Use SSH to log in to your EC2 instance from your terminal:
Replace the key file, username, and IP as per your configuration.
Step 2: Update Your Server Packages
Keeping your server updated ensures compatibility and security.
Step 3: Install Certbot
Certbot automates the process of issuing and renewing SSL certificates.
For Ubuntu with Nginx:
For Ubuntu with Apache:
If using Amazon Linux, package names may differ slightly.
Step 4: Adjust Firewall Rules (If Needed)
If you are using UFW (Ubuntu Firewall), allow HTTPS:
or
Ensure ports 80 and 443 are permitted.
Step 5: Obtain the SSL Certificate
Certbot communicates with Let’s Encrypt to generate and verify your domain certificate. The command differs slightly depending on your web server.
For Nginx:
For Apache:
Certbot will prompt for the following:
- Your email address for renewal notifications
- Agreement to the Let’s Encrypt terms
- Whether to redirect HTTP to HTTPS (recommended)
Choose the redirect option so that all HTTP traffic automatically switches to HTTPS.
If successful, you should see a message confirming the certificate installation and expiration date.
Step 6: Verify HTTPS Configuration
Open your browser and visit:
Check for a padlock symbol in the address bar. You can also use online SSL testing tools to validate your configuration and security rating.
Step 7: Test Auto-Renewal
Let’s Encrypt certificates are valid for 90 days, but Certbot automatically renews them. Test the renewal process:
If no errors appear, your certificate will auto-renew without manual intervention.
Troubleshooting Common Issues
While Certbot is straightforward, beginners may encounter a few common problems:
- Domain Not Resolving to EC2: Ensure your DNS A record points to your EC2 public IP. Propagation may take a few minutes.
- Port 80 Blocked: Let’s Encrypt needs access on port 80 for verification. Check your EC2 Security Group and firewall settings.
- Server Block or Virtual Host Misconfiguration: If your Nginx or Apache configuration has multiple server blocks, Certbot may not detect the correct one. Adjust your configuration accordingly.
- Rate Limiting: Let’s Encrypt limits the number of certificate requests per week. Avoid repeated retries.
Best Practices for Maintaining EC2 HTTPS Security
Securing your EC2 instance once is not enough. Follow these best practices to maintain long-term security:
Enable Automatic Renewal Monitoring
Set up a cron job or systemd timer to send alerts if renewal fails. Certbot adds automated renewal by default, but monitoring helps prevent expired certificates.
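An added example (not part of the original guide) that covers both the verification in Steps 6 and 7 and the renewal monitoring described above: a Python script, using only the standard library, that opens a verified TLS connection to the domain, reports how many days the served certificate has left, and confirms plain HTTP is redirected to HTTPS. The hostname and the 14-day warning threshold are assumptions; the exit status is non-zero on failure so a cron job or systemd timer can raise an alert.

```python
"""Post-setup HTTPS checks for an EC2 host: certificate validity window and HTTP->HTTPS redirect."""
import http.client
import socket
import ssl
import sys
import time

HOST = "example.com"  # placeholder: replace with the domain you issued the certificate for
WARN_DAYS = 14        # assumption: alert well before the 90-day Let's Encrypt certificate expires

def days_left(not_after, now=None):
    """Days until 'not_after', in the format getpeercert() and openssl use, e.g. 'Mar  5 12:00:00 2025 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)  # parses the string as UTC
    now = time.time() if now is None else now
    return (expiry - now) / 86400

def redirect_ok(status, location, host):
    """True when a plain-HTTP response redirects to https:// on the same host (what Certbot's redirect option sets up)."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    return location.lower().startswith("https://" + host.lower())

def check_cert(host, port=443, warn_days=WARN_DAYS, timeout=5):
    """Open a verified TLS session and report issuer and remaining validity of the served certificate."""
    ctx = ssl.create_default_context()  # verifies the chain against system CAs and checks the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    remaining = days_left(cert["notAfter"])
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {"issuer": issuer.get("organizationName"), "days_left": remaining, "ok": remaining > warn_days}

def check_redirect(host, timeout=5):
    """Request http://host/ and confirm it is redirected to HTTPS rather than served in the clear."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_ok(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    cert = check_cert(host)
    redirect = check_redirect(host)
    print(f"{host}: issuer={cert['issuer']} days_left={cert['days_left']:.1f} redirect={redirect}")
    sys.exit(0 if cert["ok"] and redirect else 1)  # non-zero exit lets cron/systemd trigger an alert
```

Run it as `python3 check_https.py yourdomain.com` from a cron job or systemd timer; a successfully renewed Let's Encrypt certificate should report an issuer of "Let's Encrypt" and well over 14 days left.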
Use a Web Application Firewall
Consider using AWS WAF or third-party firewalls to protect against malicious traffic.
Keep Your Web Server Updated
Regular updates ensure that your HTTPS configuration remains modern and secure.
Consider Using AWS Load Balancer for HTTPS at Scale
If you are hosting multiple applications, you can offload HTTPS to an Application Load Balancer (ALB) with AWS Certificate Manager (ACM), which simplifies certificate management across instances.
Should You Use Certbot or AWS Certificate Manager (ACM)?
Both are popular approaches, but suitable for different use cases.
| Certificate Option | Best For |
|---|---|
| Certbot + Let’s Encrypt | Single EC2 instance or small deployments |
| AWS ACM | Load balancers, CloudFront, multi-region or enterprise scale |
For small to medium websites hosted on one EC2 instance, Certbot remains an excellent free option.
Conclusion
Enabling HTTPS on your AWS EC2 instance using Certbot is one of the most effective ways to protect your website and improve user trust. The process is simple, free, and supported by automatic certificate renewal. By following the steps in this guide, you can secure your EC2-hosted application in under an hour.
Whether you are running a personal blog, e-commerce site, or business application, HTTPS is a non-negotiable part of modern security. Combined with proper server maintenance and AWS security practices, you can create a reliable and safe environment for your users.