
I've installed nginx on AWS using this configure script:

```
--prefix=/usr/local/nginx-1.16.1 --with-http_ssl_module --with-openssl=~/Downloads/openssl-1.1.1i --without-http_rewrite_module
```

I've issued a certificate for my URL (let it be mydom.com) using the AWS Certificate Manager (ACM), and its status is displayed as Issued. Then I edited the relevant section in nginx.conf:

```
server {
    listen 443 ssl;
    server_name localhost mydom.com;
    ssl_certificate      /etc/ssl/certs/ca-bundle.crt;
    ssl_certificate_key  /etc/trusted-key.key;
    <truncated>
}
```

I selected the files /etc/ssl/certs/ca-bundle.crt and /etc/trusted-key.key only because they were already there on the Linux file system, just to see whether nginx would run with them, but it didn't run. It gave:

```
[emerg] cannot load certificate key "/etc/trusted-key.key": PEM_read_bio_PrivateKey() failed (SSL: error:0909006C:PEM routines:get_name: no start line:Expecting: ANY PRIVATE KEY)
```

Of course that was just a try. Otherwise I think I should probably use the .crt file issued by ACM (if there is one), and then I should somehow create a .key file and put them somewhere on the Linux file system, like under /etc/nginx/ssl? I'm not sure. How should I proceed?

Note: I have some experience running web applications on my own web server, but only over HTTP; I haven't much experience with HTTPS.

Terry
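The `no start line: Expecting: ANY PRIVATE KEY` error above means OpenSSL found no `-----BEGIN ... PRIVATE KEY-----` armour in the file nginx was told to use as `ssl_certificate_key`, and `ca-bundle.crt` is a CA trust store (many CA certificates) rather than a server certificate chain. The following is an added example, not code from the question or the answer, that checks a certificate/key pair for exactly these structural problems before nginx is started. The file contents, the `CHAIN_MAX` threshold and the label sets are constructed assumptions for the demonstration; it only inspects PEM framing and does not verify that the key actually matches the certificate.

```python
import re
from typing import Dict, List

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# PEM labels that OpenSSL's PEM_read_bio_PrivateKey() will accept.
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",            # PKCS#8
    "ENCRYPTED PRIVATE KEY",  # PKCS#8, passphrase-protected
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
}

# Assumption for this example: a server chain (leaf + intermediates) is a
# handful of certificates; a system CA bundle holds far more than this.
CHAIN_MAX = 8


def pem_labels(text: str) -> List[str]:
    """Return the BEGIN label of every PEM block in a file, in order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def diagnose_tls_pair(cert_text: str, key_text: str) -> Dict[str, object]:
    """Check the files nginx would load via ssl_certificate / ssl_certificate_key."""
    cert_labels = pem_labels(cert_text)
    key_labels = pem_labels(key_text)
    issues: List[str] = []

    key_ok = any(lbl in PRIVATE_KEY_LABELS for lbl in key_labels)
    if not key_labels:
        # This is the case from the question: nothing PEM-armoured at all.
        issues.append("ssl_certificate_key: no PEM block found; OpenSSL reports "
                      "'no start line: Expecting: ANY PRIVATE KEY'")
    elif not key_ok:
        issues.append(f"ssl_certificate_key: PEM blocks {key_labels} hold no private key")

    cert_count = cert_labels.count("CERTIFICATE")
    if cert_count == 0:
        issues.append("ssl_certificate: no CERTIFICATE block found")
    elif cert_labels[0] != "CERTIFICATE":
        issues.append(f"ssl_certificate: first block is {cert_labels[0]!r}, "
                      "nginx expects the server (leaf) certificate first")
    elif cert_count > CHAIN_MAX:
        issues.append(f"ssl_certificate: {cert_count} certificates looks like a CA "
                      "trust store (e.g. ca-bundle.crt), not a server chain")

    # Out of scope here: whether the key matches the leaf certificate. nginx
    # reports that separately as 'key values mismatch' when it does not.
    return {"key_ok": key_ok, "cert_count": cert_count, "issues": issues}


def diagnose_files(cert_path: str, key_path: str) -> Dict[str, object]:
    """Convenience wrapper for real files, e.g. before running `nginx -t`."""
    with open(cert_path, encoding="utf-8", errors="replace") as c, \
         open(key_path, encoding="utf-8", errors="replace") as k:
        return diagnose_tls_pair(c.read(), k.read())


# --- constructed sample inputs (placeholder base64, not real key material) ---
_DUMMY_BODY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder"


def _block(label: str, body: str = _DUMMY_BODY) -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


CA_BUNDLE_LIKE = "".join(_block("CERTIFICATE") for _ in range(40))  # like ca-bundle.crt
NOT_A_KEY = "this file carries no PEM armour, so it cannot be a private key\n"
SERVER_CHAIN = _block("CERTIFICATE") * 2   # leaf followed by one intermediate
SERVER_KEY = _block("PRIVATE KEY")         # what a CA-issued key file should look like

if __name__ == "__main__":
    for name, result in (("question's files", diagnose_tls_pair(CA_BUNDLE_LIKE, NOT_A_KEY)),
                         ("proper pair", diagnose_tls_pair(SERVER_CHAIN, SERVER_KEY))):
        print(name, "->", result["issues"] or "no structural problems")
```

Run against real paths with `diagnose_files("/etc/ssl/certs/ca-bundle.crt", "/etc/trusted-key.key")`; an empty `issues` list only means the framing is right, so follow it with `nginx -t`, which also checks that the key matches the certificate.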

1 Answer

ACM certificates can only be used by AWS managed services, primarily load balancers. You can't access the private key so you can't present an ACM cert using Nginx installed on your EC2 instance.

Your best options are:

  • Terminate https at an ALB, forward traffic over http to the web server
  • Use a Let's Encrypt certificate. There's a wide range of software to choose from that helps automate this.
Tim
  • Thank you for the answer. Actually I've tried first using the **http** I've set at the DNS, the **A** type of record to the IP which is written as `Public IPs: 100.26.187.63 Private IPs: 172.31.92.210` under the AWS Instance screen, hoping that (after starting nginx with https section commented out) I'd open a browser and enter *http://mydom.com* and the nginx to serve the sample html page but no it doesn't. I wonder what's missing. – Terry Jan 08 '21 at 11:27
  • Probably best ask another question with more detail about your general Nginx setup. – Tim Jan 08 '21 at 19:51