How to set up SSL/TLS Certificate with Nginx for a Domain managed by Cloudflare and used for AWS EC2 so HTTPS works
What a long title! Long story short. To obtain and set up an SSL/TLS certificate for your website, you can use Let’s Encrypt, a widely-used, free, and open certificate authority. They provide an easy-to-use tool called Certbot to automate the process.
Here’s a step-by-step guide to obtaining and installing an SSL/TLS certificate for your Nginx server:
Step 1: Install Certbot
Access Your Server: SSH into your EC2 instance where your web server is running.
Install Certbot: The installation method for Certbot varies depending on your operating system. For most Linux distributions, you can use the following commands:
sudo amazon-linux-extras install epel -y
sudo yum install certbot python3-certbot-nginx
Oops, error:
sudo yum install certbot python3-certbot-nginx
sudo: amazon-linux-extras: command not found
Last metadata expiration check: 1 day, 2:58:51 ago on Thu Dec 28 15:23:58 2023.
No match for argument: certbot
No match for argument: python3-certbot-nginx
It appears that your EC2 instance is running an Amazon Linux version that doesn’t support amazon-linux-extras, or the command is not available in your environment.
It cost me almost one day to solve this problem, until I saw this article:
Thank you for saving my day! Here is the magic:
sudo python3 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Now, Certbot is installed on your server.
Step 2: Obtain an SSL Certificate with Certbot
sudo certbot --nginx
sudo systemctl reload nginx
sudo certbot certificates
sudo ls -l /etc/letsencrypt/live/winjob.ai/
Step 3: Update Nginx Configuration
sudo nano /etc/nginx/conf.d/winjob.conf
server {
    listen 80;
    listen [::]:80;
    server_name winjob.ai www.winjob.ai;
    return 301 https://$host$request_uri;
}
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name winjob.ai www.winjob.ai;
    ssl_certificate /etc/letsencrypt/live/winjob.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/winjob.ai/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Test and Reload Nginx:
sudo nginx -t
sudo systemctl reload nginx
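Once Nginx reloads, it is worth checking the result from the outside rather than trusting the config. The script below is an added example, not code from the original post: it performs a verified TLS handshake (system CA store, so an untrusted chain or a name mismatch raises), reports the leaf certificate’s names and days to expiry, and confirms that port 80 answers with the 301 to HTTPS that the first server block produces. The hostname winjob.ai is the post’s domain, used here only as a placeholder default; the optional origin IP argument is an assumption of this script that lets you bypass Cloudflare’s proxy and inspect the origin’s Let’s Encrypt certificate, because with the orange cloud on, DNS resolves to Cloudflare’s edge and you would otherwise see Cloudflare’s certificate.

```python
"""Post-deployment TLS check for the Nginx + Let's Encrypt setup above.
Added example (not from the original post). Usage:
    python3 tls_check.py [hostname] [origin-ip]
"""
import http.client
import socket
import ssl
import sys
import time


def hostname_matches(san_names, hostname):
    """True if hostname is covered by one of the certificate's DNS SANs.
    Supports a single leading wildcard label: '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            label, _, rest = host.partition(".")
            if label and "." + rest == name[1:]:
                return True
    return False


def days_until_expiry(not_after, now=None):
    """Days left before 'notAfter' as returned by getpeercert(),
    e.g. 'Jan 15 00:00:00 2030 GMT'. 'now' is injectable for testing."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def is_https_redirect(status, location, hostname, path="/"):
    """True if a plain-HTTP response is a permanent redirect to the same
    host and path over HTTPS (what 'return 301 https://$host$request_uri' yields)."""
    if status not in (301, 308):
        return False
    return (location or "").lower() == f"https://{hostname}{path}".lower()


def san_dns_names(cert):
    """DNS entries of a getpeercert() dict, e.g. ('DNS', 'winjob.ai')."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peer_cert(hostname, connect_to=None, port=443, timeout=5.0):
    """Handshake with SNI=hostname and return the *verified* peer certificate.
    connect_to (assumed helper parameter) targets the origin IP directly."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((connect_to or hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_http_redirect(hostname, connect_to=None, path="/", timeout=5.0):
    """GET over plain HTTP with the Host header set, so the request lands in
    the domain's server block even when connecting by IP. Returns (status, Location)."""
    conn = http.client.HTTPConnection(connect_to or hostname, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def report(hostname, connect_to=None, min_days=14):
    """Run both checks; returns a list of problem strings (empty means OK)."""
    problems = []
    cert = fetch_peer_cert(hostname, connect_to)
    names = san_dns_names(cert)
    if not hostname_matches(names, hostname):
        problems.append(f"certificate SANs {names} do not cover {hostname}")
    days = days_until_expiry(cert["notAfter"])
    if days < min_days:
        problems.append(f"certificate expires in {days:.1f} days (is renewal running?)")
    status, location = check_http_redirect(hostname, connect_to)
    if not is_https_redirect(status, location, hostname):
        problems.append(f"port 80 returned {status} Location={location!r}, expected 301 to https")
    return problems


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "winjob.ai"
    origin = sys.argv[2] if len(sys.argv) > 2 else None
    found = report(host, origin)
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it from your laptop with just the hostname to see what visitors get (behind Cloudflare’s proxy that is Cloudflare’s edge certificate), and again with the instance’s public IP as the second argument to verify the Let’s Encrypt certificate the server itself presents; the expiry check is the one that catches a renewal timer that silently stopped working.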
Debug 1: Domain doesn’t work
If everything seems fine but you still can’t reach the website by its domain name, don’t worry; the cause may be your Cloudflare settings.
If you’re using Cloudflare, make sure the SSL/TLS encryption mode is set appropriately. Since you now have a valid certificate on the origin server, the mode should be “Full” or, preferably, “Full (Strict)”: both encrypt the Cloudflare-to-origin hop, and “Full (Strict)” additionally checks that the origin presents a certificate from a trusted CA, which the Let’s Encrypt certificate satisfies.
Additionally, if you’re using Cloudflare’s proxy (orange cloud), it might cause issues with SSL certificate validation and redirects. Try toggling the proxy off (grey cloud) to see if that resolves the issue.
After I changed the mode to “Full (Strict)”, the problem was solved. So, I kept the Proxy Status unchanged.
Debug 2: IP Address doesn’t work
Modify the default server block in your nginx.conf to proxy requests to your Flask application. This will involve changing the location / directive inside the default server block to match the configuration you have for winjob.ai in winjob.conf.
sudo nano /etc/nginx/nginx.conf
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
sudo systemctl restart nginx
sudo nginx -t # Test for syntax errors
sudo systemctl reload nginx # Reload Nginx to apply changes
Sometimes, browsers cache web pages aggressively. Try accessing your IP address using a different browser or after clearing your browser’s cache to ensure you’re not seeing a cached page.
One more thing: Nginx is configured through two kinds of files. The Nginx configuration system is designed to be modular and flexible, which is why it uses multiple configuration files. Understanding the difference between /etc/nginx/nginx.conf and the individual files in the /etc/nginx/conf.d/ directory, such as /etc/nginx/conf.d/winjob.conf, is crucial for managing Nginx configurations effectively.
nginx.conf is the central configuration file for Nginx; it sets global parameters and includes settings from other files. The /etc/nginx/conf.d/*.conf files are used for server-specific settings, which makes the configuration easier to manage, especially when hosting multiple sites on a single Nginx instance.
In practice, nginx.conf is for broad Nginx configuration and defaults, while the files in conf.d are for specific server (website) configurations.
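To see how the two layers fit together, and which server block will answer a request that arrives by bare IP (the default_server from Debug 2) versus by domain, here is a small reader for the modular layout. It is an added example, not code from the original post or from Nginx: it implements only a subset of the config grammar (directives, blocks, quoted arguments, comments and include), follows include directives from nginx.conf into conf.d/*.conf, and lists every server block’s listen, server_name and proxy_pass values. The sample files embedded in it are constructed to mirror the post’s two configs; resolving relative include paths against a prefix directory (/etc/nginx when reading the real files) is an assumption of this script.

```python
"""Reader for the modular Nginx config layout: nginx.conf plus conf.d/*.conf.
Added example (not from the original post or from Nginx). Usage:
    python3 nginx_servers.py /etc/nginx/nginx.conf
With no argument it runs on the constructed sample layout below."""
import glob
import os
import re
import sys
import tempfile

# Tokenizer for the subset of the grammar we need: comments are dropped,
# quoted arguments keep their inner text, '{' '}' ';' are structural.
_TOKEN = re.compile(r'''\s*(?:
      \#[^\n]*                  # comment: dropped
    | "((?:[^"\\]|\\.)*)"       # double-quoted argument
    | '((?:[^'\\]|\\.)*)'       # single-quoted argument
    | ([{};])                   # block delimiters / directive terminator
    | ([^\s{};"'#]+)            # bare word
  )''', re.VERBOSE)


def tokenize(text):
    out = []
    for m in _TOKEN.finditer(text):
        dq, sq, punct, word = m.groups()
        for value in (punct, dq, sq, word):
            if value is not None:
                out.append(value)
                break
    return out


def _block(tokens, pos, prefix):
    """Parse directives until a closing '}' or end of input. Returns
    (items, pos); items are (name, args, children), children None for
    simple directives. 'include' directives are expanded in place."""
    items = []
    while pos < len(tokens) and tokens[pos] != "}":
        name, pos = tokens[pos], pos + 1
        args = []
        while pos < len(tokens) and tokens[pos] not in (";", "{"):
            args.append(tokens[pos])
            pos += 1
        if pos == len(tokens):
            raise ValueError(f"directive '{name}' is not terminated")
        if tokens[pos] == ";":
            pos += 1
            if name == "include":
                items.extend(_include(args[0], prefix))
            else:
                items.append((name, args, None))
        else:
            children, pos = _block(tokens, pos + 1, prefix)
            if pos == len(tokens):
                raise ValueError(f"block '{name}' is not closed")
            items.append((name, args, children))
            pos += 1  # consume '}'
    return items, pos


def parse_text(text, prefix="/etc/nginx"):
    items, pos = _block(tokenize(text), 0, prefix)
    if pos != len(tokenize(text)):
        raise ValueError("unexpected '}' at top level")
    return items


def _include(pattern, prefix):
    # Relative include paths resolve against the prefix (assumption: /etc/nginx).
    path = pattern if os.path.isabs(pattern) else os.path.join(prefix, pattern)
    items = []
    for f in sorted(glob.glob(path)):  # sorted for deterministic order
        with open(f, encoding="utf-8") as fh:
            items.extend(parse_text(fh.read(), prefix))
    return items


def load_config(path, prefix=None):
    prefix = prefix or os.path.dirname(os.path.abspath(path))
    with open(path, encoding="utf-8") as fh:
        return parse_text(fh.read(), prefix)


def summarize_servers(items):
    """Walk the tree (http -> server) and describe each server block."""
    out = []
    for name, args, children in items:
        if name == "server" and children is not None:
            info = {"listen": [], "server_name": [], "default_server": False, "proxy_pass": []}
            for n, a, c in children:
                if n == "listen":
                    info["listen"].append(" ".join(a))
                    info["default_server"] |= "default_server" in a
                elif n == "server_name":
                    info["server_name"].extend(a)
                elif n == "location" and c is not None:
                    info["proxy_pass"].extend(la[0] for ln, la, _ in c if ln == "proxy_pass")
            out.append(info)
        elif children is not None:
            out.extend(summarize_servers(children))
    return out


# Constructed sample mirroring the post's two files (not the real server's).
SAMPLE_NGINX_CONF = """
events {}
http {
    include conf.d/*.conf;
    server {                      # answers requests by bare IP
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        location / { proxy_pass http://localhost:8000; }
    }
}
"""
SAMPLE_WINJOB_CONF = """
server {
    listen 80;
    server_name winjob.ai www.winjob.ai;
    return 301 https://$host$request_uri;   # HTTP -> HTTPS
}
server {
    listen 443 ssl;
    server_name winjob.ai www.winjob.ai;
    ssl_certificate "/etc/letsencrypt/live/winjob.ai/fullchain.pem";
    location / { proxy_pass http://localhost:8000; }
}
"""


def demo():
    """Write the sample layout to a temporary prefix and summarize it."""
    with tempfile.TemporaryDirectory() as prefix:
        os.mkdir(os.path.join(prefix, "conf.d"))
        with open(os.path.join(prefix, "nginx.conf"), "w") as f:
            f.write(SAMPLE_NGINX_CONF)
        with open(os.path.join(prefix, "conf.d", "winjob.conf"), "w") as f:
            f.write(SAMPLE_WINJOB_CONF)
        return summarize_servers(load_config(os.path.join(prefix, "nginx.conf"), prefix))


if __name__ == "__main__":
    servers = load_config(sys.argv[1]) if len(sys.argv) > 1 else None
    for s in (summarize_servers(servers) if servers else demo()):
        print(s)
```

On the sample the output shows three server blocks: the two winjob.ai blocks (pulled in by the include) and the catch-all default_server, with exactly one default_server per port. Pointing it at a real /etc/nginx/nginx.conf is a quick way to confirm that a domain is not accidentally matched by two blocks and that a bare-IP request has somewhere to land.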
This article was written with help from ChatGPT 4.0.