Securing your website with SSL (Secure Sockets Layer) is critical for protecting user data, boosting SEO rankings, and improving user trust. This guide will walk you through the complete setup process of installing an SSL certificate on an Amazon Linux 2023 instance running Apache.
SSL Amazon Linux 2023 Apache: Full Install
- Amazon Linux 2023 EC2 instance
- Domain name pointed to your EC2 instance
- AWS CLI installed on your local machine
- SSH access to your EC2 instance
Step 1: Connect to Your EC2 Instance
Log into your EC2 instance via SSH:
ssh -i "your-key.pem" ec2-user@your-ec2-instance-public-ip
Step 2: Update Your Server and Install Apache
sudo dnf update -y
sudo dnf install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd
Verify Apache is running by accessing your EC2 instance IP in your browser:
http://your-ec2-instance-public-ip
Step 3: Install Certbot for SSL
Certbot simplifies SSL certificate installation and renewal:
sudo dnf install epel-release -y
sudo dnf install certbot python3-certbot-apache -y
Step 4: Obtain and Install SSL Certificate
Replace example.com with your actual domain:
sudo certbot --apache -d example.com -d www.example.com
Follow the interactive prompts to complete the installation.
Step 5: Verify Your SSL Certificate Installation
Visit your website using HTTPS:
https://example.com
A padlock icon should appear, indicating the SSL certificate is successfully installed.
Step 6: Automate SSL Certificate Renewal
Certbot can renew certificates automatically:
Test auto-renewal:
sudo certbot renew --dry-run
If successful, Certbot will automatically renew your certificates before they expire.
Step 7: Configure Firewall (Optional but Recommended)
If you are using firewalld, allow HTTP and HTTPS traffic:
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Conclusion
Congratulations! You've successfully installed an SSL certificate on your Amazon Linux 2023 server running Apache. Your website is now secure, trusted by browsers, and better positioned for search engine optimization.
Automating Renewal So You Never Think About It Again
Let's Encrypt certificates expire every ninety days, and manual renewal is a trap. Certbot on Amazon Linux 2023 installs a systemd timer automatically — verify it with systemctl list-timers | grep certbot. If it's missing, add a cron entry running certbot renew --quiet twice daily; renewal only fires inside the thirty-day window, so frequent checks are free. Then do the one step most guides skip: test the whole path with certbot renew --dry-run. A dry run that passes today is the difference between a non-event in ninety days and a Saturday spent explaining a browser warning.
Forcing HTTPS the Right Way
A certificate that's installed but optional protects nobody. Add a VirtualHost-level redirect from port 80 to your HTTPS site — a Redirect permanent / line in the port 80 block is enough — and confirm with curl -I http://yourdomain.com that you get a 301 to the HTTPS URL. Then set the Strict-Transport-Security header so returning browsers never even attempt plain HTTP. Skip HSTS preload until you're sure every subdomain serves TLS, because preload is nearly irreversible.
When the Padlock Still Won't Appear
Three errors cover most failed installs. A NET::ERR_CERT_COMMON_NAME_INVALID means the certificate doesn't cover the exact hostname — issue it with both the bare domain and www as SANs. Mixed-content warnings mean the page loads HTTP assets from your own markup; fix the URLs or add a Content-Security-Policy: upgrade-insecure-requests header. And if Apache refuses to start after config changes, apachectl configtest names the exact line — usually a typo'd certificate path or a Listen 443 duplicated by both your config and the ssl module's defaults.
Verifying Like a Professional
Finish with an external check, not just a browser visit. SSL Labs' server test grades your whole TLS configuration and flags weak protocols you'd never notice locally. On the server, openssl s_client -connect yourdomain.com:443 -servername yourdomain.com shows the exact chain being served — an incomplete chain works in Chrome but fails in older clients and some APIs, and this is the only place you'll see it.
Hardening Beyond the Certificate
TLS is the front door; spend ten more minutes on the frame around it. Disable the protocols nobody should speak anymore — anything below TLS 1.2 — in your Apache SSL configuration, and prefer the modern cipher list from Mozilla's SSL configuration generator rather than hand-rolling one. Turn off ServerSignature and set ServerTokens Prod so error pages stop advertising your exact Apache version to scanners. None of this is exotic: it's the difference between a B and an A on the same SSL Labs test you just ran, and every setting is a one-line change with no application impact.
A Note on Load Balancers and CDNs
If this instance later sits behind an Application Load Balancer or Cloudflare, the TLS story changes shape: the edge terminates the public certificate, and your Apache setup becomes the origin side. Keep the origin on HTTPS anyway — free origin certificates exist precisely for this — because plaintext between edge and origin quietly undoes the padlock your visitors think they have. The setup you just completed is exactly what makes "full strict" encryption modes possible later, so nothing here is wasted work.
The Calendar Entry That Saves You Anyway
Even with automation verified, set a reminder one week before the first real expiry date. The first renewal is the only one with unknowns in it — firewall rules blocking the challenge, a changed webroot, an Apache reload that needs sudo rules. Watch that one happen successfully, and then delete the reminder forever with a clear conscience. Trust automation after one witnessed success, not before — the habit costs one calendar entry and removes the only realistic failure window.
One last habit: keep a copy of your virtual host configuration in version control alongside your project. When the instance is eventually replaced — and it will be — restoring HTTPS becomes a paste instead of an archaeology dig through a terminated server's snapshots.
Keeping the Padlock Green
The SSL Amazon Linux 2023 Apache setup is done when renewal is automatic and tested — certificates you have to remember are certificates that expire. My full server hardening and (this guide) go deeper.
If you want your servers secured end to end, that's something I do through Ramlit.