Introduction

Previously we observed the process of installation of the free SSL certificate on Ubuntu 18.04 and Ubuntu 16.04. In this post, you will learn how to install or renew the SSL certificate by Comodo on AWS EC2 instance or any Linux server.

Purchase and Install SSL certificate

Step 1 – Purchase SSL certificate

Choose SSL type

In order to purchase Comodo Positive SSL certificate, please execute the following steps:
– Go to the SSL Shopping Cart
– proceed with the best option that suits you.
We provide our customers with several options at cheap prices. There are three options available at the moment:
– Positive SSL certificate with a one-year subscription
– Positive SSL certificate with two years subscription
– Positive SSL wildcard certificate
It is up to you which option to select. If you need a regular and common choice as your AWS SSL certificate EC2 – choose Positive SSL. If you need SSL for multiple subdomains you will have to use wildcard SSL.

SSL configuration

As soon as you made and paid for your order you can log in to the Client Area. Now you can start the process of SSL certificate configuration. Go to Active Services page and select just purchased SSL certificate. You will see Configure now status at the bottom of the page.
SSL Configuration StatusFrom now you are ready to start the process of SSL configuration. Select “New Order” as order type and Web Server Type you are going to use. Then press the Generate CRS button.
SSL server information options
Please fill corespondent fields in the CRS generator and pay attention to Common Name this is your domain name where SSL certificate will be installed.
CRS online generator
As soon as you completed CSR generation you can move to the administrative contact of the SSL certificate and click the Continue button.
When you’re requested to select the Certificate Approval option I recommend you to use the HTTP option.
SSL approval option
This option allows you to put a file to your server to approve your domain. This option is like the Google Webmaster domain verification method, and everyone who is familiar with this option will do it without any issues. Then click the Continue button and back to Service Details.
As a result, on the Service Details page, you will see information about the file you should upload to the server.
SSL validation information
Now you need to create a directory in your web server root `.well-known/pki-validation`, you can do that via FTP server or with bash command:

mkdir -p .well-known/pki-validation

Put your validation file from the Hash File field with content from the Content field to the server via FTP or with bash command:

nano .well-known/pki-validation/{YOUR_VALIDATION_FILE}.txt

and press the Revalidate button. As soon as you get a Success message you will receive a zip archive to your Administrative contact email. Now you are ready to install your new SSL certificate to your EC2 instance or Linux server.
[havequestion]

Step 2 – EC2 SSL certificate installation

To install an SSL certificate on your EC2 instance you need to SSH to your instance and configure the webserver to serve secured connections.
For your comfort create a directory for each domain that will have SSL certificate:

mkdir -p /etc/nginx/ssl/live/YOUR_DOMAIN

NB! Do not forget to change YOUR_DOMAIN to your real domain name.
Put your private key to /etc/nginx/ssl/live/YOUR_DOMAIN/privkey.pem , and your SSL chain to /etc/nginx/ssl/live/YOUR_DOMAIN/fullchain.pem
To make a full chain go to Client Area , select your SSL certificate, copy paste Certificate (CRT) and Intermediate/Chain files to fullchain.pem
Finally it is time to configure NginX vhost file to server SSL connections on your EC2 instance. Here is my example:

server {
       listen 80;
        server_name ssl-new.itsyndicate.org www.ssl-new.itsyndicate.org;
        return 301 https://ssl-new.itsyndicate.org$request_uri;
}
server {
        server_name www.ssl-new.itsyndicate.org;
        listen 443 ssl;
	expires 1y;
        ssl on;
        ssl_stapling on;
        ssl_certificate     /etc/nginx/ssl/live/ssl-new.itsyndicate.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/live/ssl-new.itsyndicate.org/privkey.pem;
        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	return 301 https://ssl-new.itsyndicate.org$request_uri;
}
server {
        server_name ssl-new.itsyndicate.org;
        listen 443 ssl;
	expires 1y;
        ssl on;
        ssl_stapling on;
        ssl_certificate     /etc/nginx/ssl/live/ssl-new.itsyndicate.org/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/live/ssl-new.itsyndicate.org/privkey.pem;
        ssl_session_timeout 24h;
        ssl_session_cache shared:SSL:50m;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        root /var/www/ssl-new.itsyndicate.org/public_html;
        access_log /var/log/nginx/ssl-new.itsyndicate.org-access.log;
        error_log  /var/log/nginx/ssl-new.itsyndicate.org-error.log;
	try_files $uri/index.html $uri.html $uri/ $uri =404;
	index index.html;
	error_page 404 /404.html;
}

After configuration is done test and reload NginX web server so the changes take effect:

nginx -t
service nginx reload

Hence it is time to check that you EC2 SSL instance works correctly. Open your browser and enter your domain to the search bar. If everything is OK you should see valid SSL certificate.Valid SSL certificate
[pbutton]

Renew SSL certificate

Process of renew SSL certificate is almost the same as ordering new SSL certificate, but you should select “Renewal” as order type. You may start renewal within 90-days before expiration, after renewal process is done your certificate will be added to the old one and remained days will be also added. Also you should use your old CRS in order not to change the private key. In case you lost it, you can always generate a new one, but in this case do not forget to change Private key.
SSL Renewal option
Above all you should keep in mind that renew SSL certificate is not the same process as domain name renewal.  Because you should upload new version of the SSL certificate to the server. Therefore repeat step 2 to install new version of SSL certificate to your Linux server.

Conclusion

Now you know how to install a new certificate on AWS EC2 instance or any Linux server. Please pay attention not to forget to renew SSL certificate when the time comes. With our proactive server management services, you should not worry about renewing SSL certificates, as our monitoring system checks SSL certificates and reports any issues to our technical team. As soon as we get an alert we start an upgrade process and notify our clients. This is a good option not to care about the SSL certificate and it’s expiration and just know that it works!
[WPSM_AC id=21725]

Don’t know which certificate is right for you…

The Author