Setting up HTTPS on CKAN EC2

CKAN uses an Nginx server as a reverse proxy to an Apache server. This means that we will need to configure an HTTPS certificate for our Nginx server instead of our Apache server to get CKAN working on HTTPS.

This tutorial will give you a basic idea of how reverse proxies work (we’re using Apache instead of Node).


  • Enable inbound connections on port 443 (HTTPS) for your EC2 instance Security Group rules.

  • Knowledge of terminal editors - I use vim, but feel free to use nano or whatever editor you like.

  • Below are the versions for the technologies I’m using. You probably don’t need the exact versions:

    • Nginx - nginx/1.12.2

    • Apache Web Server - Server version: Apache/2.4.41 ()

    • CKAN - CKAN 2.8.3 (2020-03-13) delivered by Link Digital (AWS Marketplace)

Set up Certbot on your EC2 instance

Before you can get a certificate to use HTTPS, you need to verify that you are in control of the domain that you are trying to get a certificate for. To do this, we will complete an HTTP Challenge.

Certbot is a tool that works with LetsEncrypt to help you issue and renew TLS certificates for free. We will be using this to configure our https certificates. Our CKAN instance is hosted on an Amazon Linux 2 AMI, which is most closely related to Centos Linux distributions. To get Certbot working on your EC2 instance, do the following:

  1. Stop nginx and apache servers.

    sudo systemctl stop nginx
    sudo systemctl stop httpd
  2. Prepare Certbot

    Follow the instructions in this tutorial (only step #1). This worked better for me than the Certbot instructions.

  3. Install Certbot

    sudo yum install -y certbot python2-certbot-apache
  4. Run Certbot

    the certonly option will allow us to configure our web servers the way we want.

    sudo certbot certonly --nginx
    # Saving debug log to /var/log/letsencrypt/letsencrypt.log
    # Plugins selected: Authenticator nginx, Installer nginx
    # No names were found in your configuration files. Please enter in your domain
    # name(s) (comma and/or space separated)  (Enter 'c' to cancel):
  5. Type in the domain name and press enter. You should get a confirmation that your certificates have been downloaded, with a path to the fullchain.pem and privkey.pem file locations. Put these file paths somewhere you can access them easily for the next steps.

    # Obtaining a new certificate
    # Performing the following challenges:
    # http-01 challenge for
    # nginx: [error] invalid PID number "" in "/run/"
    # Waiting for verification...
    # Cleaning up challenges
    # - Congratulations! Your certificate and chain have been saved at:
    #   /etc/letsencrypt/live/
    #   Your key file has been saved at:
    #   /etc/letsencrypt/live/
    #   Your cert will expire on 2020-11-23. To obtain a new or tweaked
    #   version of this certificate in the future, simply run certbot
    #   again. To non-interactively renew *all* of your certificates, run
    #   "certbot renew"
    # - If you like Certbot, please consider supporting our work by:
    #   Donating to ISRG / Let's Encrypt:
    #   Donating to EFF:          
  6. Configure Automated Certificate Renewal

    Ensure no other crontab exists

    sudo grep certbot /etc/crontab

    If no other one exists, add it

    echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null


Set up your servers to redirect to HTTPS

Edit your Nginx Config File

Now we need to configure our Nginx and Apache servers to work with HTTPS.

  1. Edit the /etc/nginx/conf.d/ckan.conf file.

    sudo nano /etc/nginx/conf.d/ckan.conf
  2. We will need to remove the existing server block and add the following server block rule to listen for HTTPS traffic.

    server {
        listen 443;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        client_max_body_size 100M;
        location / {
            #redirect all https requests to the apache server hosting our CKAN instance
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
            proxy_cache cache;
            proxy_cache_bypass $cookie_auth_tkt;
            proxy_no_cache $cookie_auth_tkt;
            proxy_cache_valid 30m;
            proxy_cache_key $host$scheme$proxy_host$request_uri;
            # In emergency comment out line to force caching
            # proxy_ignore_headers X-Accel-Expires Expires Cache-Control;
  3. Now add another rule for Port 80 (HTTP) traffic that redirects all traffic through the HTTPS rule we just made.

    server {
       listen 80;
       rewrite ^ https://$server_name$request_uri? permanent;
  4. Save and exit this file.

  5. Restart your Nginx server.

    sudo systemctl restart nginx
  6. If you get the error

    Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.

    kill the nginx process and retry.

    sudo pkill -f nginx & wait $!
    [1] 9588
    [1]+  Done                    sudo pkill -f nginx
    sudo systemctl restart nginx

Edit Your Apache Config Files

If mod_ssl is installed on Apache, you will have an /etc/httpd/conf.d/ssl.conf file that is listening for HTTPS connections. We want Nginx to handle HTTPS, so we will remove this functionality.

  1. Open an editor for /etc/httpd/conf.d/ssl.conf.

    sudo nano /etc/httpd/conf.d/ssl.conf
  2. Remove the HTTPS listener

    # remove this line
    Listen 443
  3. Ensure the correct server name is present

    # Search for lines like the following
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/
  4. Save and exit this file.

  5. Comment out the mod_http2 section of your /etc/httpd/conf/httpd.conf file.

    # <IfModule mod_http2.c>
    #    Protocols h2 h2c http/1.1
    # </IfModule>
  6. Restart your Apache server.

    sudo systemctl restart httpd
  7. If you are having trouble restarting your server, check the config file by running apachectl configtest from the command line. Don’t worry if you get an SSLCertificateFile does not exist error. Apache isn’t handling HTTPS, so we don’t need to worry about this.

Edit your CKAN Installation

After the following two steps, your site should run via https! However, static content may still be loaded via http. We can fix this by changing some settings in the CKAN installation.

  1. Change the ckan.site_url variable in the /etc/ckan/default/production.ini file to your https domain name.

    ## Site Settings
    ckan.site_url =
  2. Restart your apache server

    sudo systemctl restart httpd


Your site should be up and running now over HTTPS! If you don’t see it working immediately, you may have caching issues. Try opening your site in a different browser.

You can also check your site at This will give you helpful information for troubleshooting.