Deploy Nginx with SSL
From subscribing on AWS Marketplace to a running, secured instance — plus day-2 operations.
Operating system
Ubuntu 22.04 LTS
SSH user
ubuntu
This guide covers launching and using Nginx with SSL from AWS Marketplace.
Prerequisites
- An AWS account with permission to subscribe to Marketplace products and launch EC2 instances.
- An EC2 key pair for administrative access.
Step 1 — Subscribe & launch
- On the AWS Marketplace listing, choose Continue to Subscribe → Continue to Configuration → Continue to Launch.
- Select an instance type and your key pair.
- Configure the security group (see the ports below) and launch.
Step 2 — Security group / ports
Open port 22 (SSH) restricted to your IP, plus any application ports.
Step 3 — Connect
ssh -i "your-key.pem" ubuntu@<PUBLIC_IP>
If you get a key-permission error: chmod 400 your-key.pem.
Step 4 — Access the application
To verify the installation, follow the below instructions
- Open browser
- In the address bar of the browser, type
http://<your-ip-address> - You will see the Nginx default page (see screenshot below)
Step 1. Connect to SSH
In a terminal window, use the ssh command to connect to the instance. You specify the user name for your instance, and the public DNS name or IPv6 address for your instance, the path and file name of the private key (.pem).
ssh ubuntu@publicIP -i [Path of key pair file]
If it shows access denied message run the following command, then run the above command again to connect via ssh.
chmod 400 [Path of key pair file]
Step 2. Activate SSL Encryption
Follow the steps to activate SSL Encryption on the system
- Open the configuration file for your domain using nano or your favorite text editor. example.com is domain just for the reference. You need to input your Domain name instead of example.com
sudo nano /etc/nginx/sites-available/example.com
- Find the existing server_name line. It should look like this:
server_name example.com www.example.com;
- Now run below commands
sudo nginx -t
sudo systemctl reload nginx
- Now run the below command with your domain name.
sudo certbot --nginx -d example.com -d www.example.com
-
At the prompt “Enter email address” (used for urgent renewal and security notices), and press Enter.
-
Agree to the Let’s Encrypt Terms of Service at the prompt. Enter “A”
Please read the Terms of Service at the Let’s Encrypt site. You must agree in order to register with the ACME server.
(A)gree/(C)ancel: A
- If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you’re confident your site works on HTTPS. You can undo this change by editing your web server’s configuration.
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):
- Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored.
Important notes: Congratulations! Your certificate and chain have been saved. Your cert will expire after 90 days. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot renew”.
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should indicate that the site is properly secured, usually with a lock icon.
Screenshots

Day-2 operations
Apply OS and package security updates on your normal cadence, snapshot the EBS volume for recovery, and forward logs/metrics to CloudWatch.
Support
Email support@ioanyt.com for help.