Check out aiproxy.pro

How to install certbot on AL2023

To install the initial the letsencrypt certificate on Amazon Linux 2023:

dnf install python3  
python3 -m venv /opt/certbot  
source /opt/certbot/bin/activate  
pip install --upgrade pip  
pip install certbot certbot-nginx  
certbot certonly --standalone  
:: follow prompts  
:: once certs are on disk, start nginx  
systemctl start nginx.service  

To renew:

/opt/certbot/bin/certbot renew --nginx  

To perform a dry run of renew:

/opt/certbot/bin/certbot renew --nginx --dry-run --no-random-sleep-on-renew  


Reference: https://certbot.eff.org/instructions?ws=nginx&os=pip

Where are letsencrypt certs stored on AL2023

Certbot files are stored at


and are symlinked to


How to use a CSR with certbot

Warning, if I usa a CSR then the --reuse-key flag does not work with certbot.
I use CSRs to create backup keys in the event that something goes wrong with my
standard --reuse-key automated infra. If a bug in letsencrypt causes a cert
refresh to change the public/private key pair, then all my cert pinned clients will
start failing. To mitigate, I create backup keys and store them in a safe location,
and bake the public keys into the cert pinned clients.

Generate an elliptic curve private key:

openssl ecparam -name prime256v1 -genkey -noout -out my-private-key.key  

Generate a CSR:

openssl req -new -key my-private-key.key -out beta-api.aiproxy.pro.csr  

Use the CSR to generate a cert:

sudo /opt/certbot/bin/certbot certonly --nginx --csr beta-api.aiproxy.pro.csr  

Dump the contents of the cert and verify that the public key matches what’s expected:

openssl x509 -noout -text -in 0000_cert.pem  
:: view the 'Subject Public Key Info' section, compare it to the 'pub' section of:  
openssl ec -in my-private-key.key -text -noout  

Move the cert into place (do this for the beta API only)

cd /etc/letsencrypt/live/beta-api.aiproxy.pro  
:: move the existing symlinks out of place  
mv cert.pem cert.pem.bak  
mv chain.pem chain.pem.bak  
mv fullchain.pem fullchain.pem.bak  
mv privkey.pem privkey.pem.bak  

:: move new files into place  
mv /home/ec2-user/0000_cert.pem cert.pem  
mv /home/ec2-user/0000_chain.pem chain.pem  
mv /home/ec2-user/0001_chain.pem fullchain.pem  
mv /home/ec2-user/my-private-key.key privkey.pem  <-- is this right  

:: restart nginx  
systemctl restart nginx  

:: verify that cert pinning works with the public pair of `my-private-key.key`  

How to update a single domain’s cert

sudo /opt/certbot/bin/certbot certonly --reuse-key --nginx -d beta-api.aiproxy.pro  

Verify that the private/public key pair didn’t change with:

cd /etc/letsencrypt/archive/beta-api.aiproxy.pro  
openssl ec -in privkey1.pem -text -noout  
openssl ec -in privkey2.pem -text -noout