Learn how to enable HTTPS on EC2 the right way. A clear, practical guide to enabling HTTPS with Certbot/Let’s Encrypt on Amazon Linux 2 using Apache or Nginx. Our Live Support team is always here to help you.


When you launch a website on an EC2 instance, the first thing users expect is a secure lock icon. Yet many admins delay HTTPS because the setup feels confusing. So today, let’s walk through a simple, reliable way to enable HTTPS with Certbot/Let’s Encrypt on Amazon Linux 2, without guessing, without breaking your server, and without going in circles.

This guide is built entirely from real-world troubleshooting work, not copied theory. And because security matters now more than ever, you’ll see every command exactly as it should be typed.


1. Install Certbot on Amazon Linux 2

To start, install Certbot using the recommended pip method. This avoids the outdated packages that often fail on AL2.

Run the following commands:

sudo yum install -y augeas-libs
sudo amazon-linux-extras install -y python3.8
sudo /usr/bin/python3.8 -m venv /opt/certbot/
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot
sudo /opt/certbot/bin/pip install certbot-dns-route53
sudo /opt/certbot/bin/pip install certbot-apache
sudo /opt/certbot/bin/pip install certbot-nginx
sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Since Let’s Encrypt certificates last just 90 days, you absolutely need auto-renewal. Therefore, configure the renewal timer and service:


sudo tee /usr/lib/systemd/system/certbot-renew.timer > /dev/null << EOF
[Unit]
Description=This is the timer to set the schedule for automated renewals
[Timer]
OnCalendar=*-*-* 00/12:00:00
RandomizedDelaySec=12hours
Persistent=true
[Install]
WantedBy=timers.target
EOF
sudo touch /etc/sysconfig/certbot
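# Quote the heredoc delimiter so $PRE_HOOK and the other variables are written
# literally into the unit instead of being expanded to empty strings by this shell.
sudo tee /usr/lib/systemd/system/certbot-renew.service > /dev/null << 'EOF'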
[Unit]
Description=This service automatically renews any certbot certificates found
[Service]
EnvironmentFile=/etc/sysconfig/certbot
Type=oneshot
ExecStart=/usr/bin/certbot renew --noninteractive --no-random-sleep-on-renew $PRE_HOOK $POST_HOOK $RENEW_HOOK $DEPLOY_HOOK $CERTBOT_ARGS
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now certbot-renew.timer

With this done, you’re ready to enable HTTPS with Certbot/Let’s Encrypt on Amazon Linux 2 using either Apache or Nginx.

2. Enable HTTPS on Apache

First install Apache:

sudo yum install -y httpd mod_ssl

Create the VirtualHost:

sudo tee /etc/httpd/conf.d/www.conf > /dev/null << EOF
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
</VirtualHost>
EOF

Start Apache:

sudo systemctl enable httpd
sudo systemctl restart httpd

Before requesting your certificate, verify DNS:

FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

If the IPs match, run Certbot:

sudo certbot --apache

At this point, you have successfully started the process to enable HTTPS with Certbot/Let’s Encrypt on Amazon Linux 2 using Apache.


3. Enable HTTPS on Nginx

If you’re using Nginx instead, install and configure it like this:

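# Set the hostname first: the sed below substitutes $FQDN into server_name,
# and an empty value would leave an invalid "server_name ;" in nginx.conf.
FQDN=al2.example.com
sudo amazon-linux-extras install -y nginx1
sudo sed -i "s/server_name _;/server_name $FQDN;/g" /etc/nginx/nginx.conf
sudo nginx -t
sudo systemctl enable nginx
sudo systemctl start nginx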

Test DNS:

FQDN=al2.example.com
curl checkip.amazonaws.com && dig +short $FQDN
curl -I $FQDN

Then request the certificate:

sudo certbot --nginx
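
The DNS comparison used in both the Apache and Nginx sections, turned into a scripted gate that handles CNAME lines and multiple A records in `dig +short` output. This is an added example, not part of the original guide or of Certbot; the function names `dns_points_here` and `preflight` and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate certificate issuance on the DNS check from this guide.
# dns_points_here and preflight are hypothetical helper names, not Certbot commands.

# Usage: dns_points_here <public_ip> <output of dig +short>
# Returns 0 if every A record equals the public IP, 1 on a mismatch or an
# empty answer, 2 if the public IP itself is malformed.
dns_points_here() {
    public_ip=$(printf '%s' "$1" | tr -d '[:space:]')
    seen=0
    printf '%s\n' "$public_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case $line in
            '') continue ;;   # blank line
            *.) continue ;;   # CNAME target, printed by dig +short before the addresses
        esac
        seen=1
        # One stray record is enough for validation to land on another host.
        [ "$line" = "$public_ip" ] || return 1
    done <<EOF
$2
EOF
    [ "$seen" -eq 1 ]
}

# Live check on the instance; needs network access, so it only runs when called.
preflight() {
    if dns_points_here "$(curl -s checkip.amazonaws.com)" "$(dig +short "$1" A)"; then
        echo "OK: $1 resolves only to this instance"
    else
        echo "STOP: fix DNS for $1 before running certbot" >&2
        return 1
    fi
}

# Constructed sample input: a CNAME line followed by one matching A record.
if dns_points_here "203.0.113.10" "lb.example.net.
203.0.113.10"; then
    echo "constructed sample: DNS matches"
fi
```

Run `preflight al2.example.com` on the instance before `sudo certbot --apache` or `sudo certbot --nginx`. It inspects A records only, so an AAAA record needs a separate check.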

HTTPS is now fully enabled on Nginx: clean, secure, and repeatable.

Conclusion

Open your domain in a browser. The lock icon should appear instantly. And because renewal is already configured, you can walk away knowing your HTTPS setup won’t suddenly expire.

This is the exact method our support engineers follow whenever clients ask how to enable it, and it consistently works without surprises.