SSL certificate installation on EC2 (Amazon Lightsail)

While updating a Ghost blog, I had to install an SSL certificate. As Ghost was being served through nginx, there were a few hoops to jump through that I'd not come across before. Thankfully, it was straightforward to install. We'll be using a Let's Encrypt certificate.

First, install Certbot and its nginx plugin from the Certbot PPA, then request the certificate, passing each hostname the certificate should cover with its own `-d` flag. Certbot's nginx plugin completes the domain validation and edits the nginx server block for you:

  • sudo add-apt-repository ppa:certbot/certbot
  • sudo apt-get update
  • sudo apt-get install python-certbot-nginx
  • sudo certbot --nginx -d -d

And that's all there is to it. (One caveat for anyone following this later: the `certbot/certbot` PPA has since been discontinued; on current Ubuntu releases the apt package is `python3-certbot-nginx`, and the Certbot project's recommended install is the `certbot` snap.)

Dev Notes

If you see the following error, it means the Let's Encrypt validation servers could not connect back to your host to complete the challenge. Note the direction: it is the remote side that failed to reach your server, not Certbot failing to reach Let's Encrypt.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

This is usually either a DNS problem (the hostname does not resolve to the instance's public IP) or a blocked port. The tls-sni-01 challenge shown in the log validates over port 443; that challenge has since been retired by Let's Encrypt, and the http-01 challenge that current Certbot releases use in its place needs port 80, so make sure both 80 and 443 are reachable from the internet. On Lightsail the instance firewall lives in the Lightsail console (the Networking tab of the instance) and is separate from any ufw or iptables rules on the instance itself; a new Linux instance only opens SSH (22) and HTTP (80) by default, so HTTPS (443) has to be added there.

Amazon Lightsail firewall config
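A pre-flight check for the failure above, as an added example that is not part of the original post: it confirms the hostname resolves and that the two ports the challenges need are reachable from wherever the script is run. The five-second timeout, the use of bash's `/dev/tcp` pseudo-device and the script name are my choices; run it from a machine outside the Lightsail network so that the instance firewall, not just the local nginx, is what gets exercised.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks before
# `certbot --nginx`. Run it from OUTSIDE the Lightsail network, e.g.:
#   ./preflight.sh blog.example
set -u

# Return 0 if a TCP connection to $1:$2 succeeds within 5 seconds.
# bash's /dev/tcp does the connect, so no netcat/nmap is needed on the client.
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Print the first IPv4 address $1 resolves to (empty if it does not resolve).
# `getent ahostsv4` is glibc-specific, so fall back to `getent hosts` and
# keep only dotted-quad answers.
resolve_ipv4() {
  { getent ahostsv4 "$1" 2>/dev/null || getent hosts "$1" 2>/dev/null; } \
    | awk '$1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $1; exit}'
}

# Check DNS and the two ports the ACME challenges use:
#   80  - http-01, what current Certbot uses with the nginx plugin
#   443 - tls-sni-01 (the retired challenge in the log above) and, in any
#         case, the port the finished HTTPS site is served on
# Returns the number of failed port checks, so 0 means "ready to run certbot".
preflight() {
  local host=$1 ip failures=0 port
  ip=$(resolve_ipv4 "$host")
  if [ -z "$ip" ]; then
    echo "FAIL  $host does not resolve to an IPv4 address; fix DNS first"
    return 1
  fi
  echo "OK    $host -> $ip"
  for port in 80 443; do
    if tcp_open "$ip" "$port"; then
      echo "OK    tcp/$port reachable"
    else
      echo "FAIL  tcp/$port unreachable: check the Lightsail firewall (Networking tab), then ufw/nginx on the host"
      failures=$((failures + 1))
    fi
  done
  # The Lightsail rule can also be added from the AWS CLI instead of the console:
  #   aws lightsail open-instance-public-ports --instance-name <name> \
  #       --port-info fromPort=443,toPort=443,protocol=TCP
  return "$failures"
}

if [ "$#" -gt 0 ]; then
  preflight "$1"
fi
```

If DNS is fine but tcp/443 fails while tcp/80 succeeds, the Lightsail firewall is the first place to look, since that is exactly the default rule set of a fresh Linux instance.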

Renewing SSL with crontab failed

Let's Encrypt certificates are valid for 90 days, so they have to be renewed regularly.

Looks like something isn't quite working with the auto-renewal of SSL certs for my personal domains. I caught an email from Let's Encrypt warning me that various domains were about to lose their certificates, despite a cron job running on the server.

To edit the crontab (Ubuntu):

 sudo crontab -e

Which now reads:

0 4 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

Updated cron to run on Mondays at 4am (using this handy cron calculator).

For reference…

sudo /usr/bin/letsencrypt renew

…renews any certificate that is within 30 days of expiry (Certbot's default threshold), leaves the others untouched, and prints what it did.
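A wrapper for the cron job above, as an added example rather than code from the original post. It keeps stderr (the bare `>> /var/log/le-renew.log` in the crontab line only captures stdout, which is where the reason for a failed renewal gets lost), reloads nginx after a successful renewal, and then reports any lineage that is still close to expiry. The `cert.pem` path under `/etc/letsencrypt/live/<name>/` is Certbot's standard layout, but the log path, the 30-day warning threshold, the `certbot` binary name (the post calls the older `letsencrypt` entry point) and the `--deploy-hook` option of a current Certbot are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a cron-friendly wrapper around
# `certbot renew` that logs stderr as well as stdout, reloads nginx when a
# certificate was actually renewed, and flags certificates still near expiry.
# Assumed: /etc/letsencrypt/live/<name>/cert.pem (Certbot's layout), the log
# path below, and a modern `certbot` that understands --deploy-hook.
set -u

LOG=${LE_RENEW_LOG:-/var/log/le-renew.log}
WARN_DAYS=${LE_WARN_DAYS:-30}   # Certbot itself renews once fewer than 30 days remain

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# `openssl x509 -checkend` does the date arithmetic, so no GNU date parsing is needed.
cert_expires_within() {
  local pem=$1 days=$2
  ! openssl x509 -noout -checkend $((days * 86400)) -in "$pem" 2>/dev/null
}

# Print the notAfter date of $1 in openssl's own format, for the log.
cert_end_date() {
  openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Walk every lineage under the live directory ($1, default Certbot's) and print
# those within WARN_DAYS of expiry. Returns how many were found (0 == all good).
report_expiring() {
  local live=${1:-/etc/letsencrypt/live} pem n=0
  for pem in "$live"/*/cert.pem; do
    [ -f "$pem" ] || continue
    if cert_expires_within "$pem" "$WARN_DAYS"; then
      echo "WARN  $(basename "$(dirname "$pem")") expires $(cert_end_date "$pem")"
      n=$((n + 1))
    fi
  done
  return "$n"
}

# What the crontab entry should call. The 2>&1 is the important difference from
# `renew >> log`: certbot's error output now reaches the log too.
run_renew() {
  {
    echo "== $(date -u) certbot renew"
    certbot renew --quiet --deploy-hook 'systemctl reload nginx'
    echo "== certbot exit status $?"
    report_expiring
  } >>"$LOG" 2>&1
}

# Suggested crontab line (twice a day, as Let's Encrypt recommends, on an
# off-peak minute), assuming the script is installed as /usr/local/sbin/le-renew.sh:
#   17 3,15 * * * /usr/local/sbin/le-renew.sh run
if [ "${1:-}" = "run" ]; then
  run_renew
fi
```

Running the job twice a day rather than once a week costs nothing, because `certbot renew` only does work when a certificate is within 30 days of expiry; what it buys is many more retries if a single attempt fails, instead of roughly four before the warning email arrives.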