Secure Nginx with Let’s Encrypt on CentOS 7

Written by Admin, Updated On May 7, 2019
centos, certbot, let's encrypt, nginx, ssl

Let’s Encrypt is a free, automated certificate authority (CA) run by the Internet Security Research Group (ISRG). It issues publicly trusted TLS certificates at no cost and is built around automated issuance, validation, installation and renewal. In this tutorial you will obtain a certificate with the Certbot client and configure Nginx on a CentOS 7 server to use it.

Prerequisites

  • A CentOS 7 system, logged in as a non-root user with sudo privileges.
  • Nginx installed and running, as shown in this tutorial.
  • An Nginx server block for your domain, as shown in this tutorial.
  • Your domain name (and the www name, if you want it on the certificate) pointing to your server's public IP address.

Install Let’s Encrypt on CentOS

Certificates issued by Let’s Encrypt are trusted by all major browsers and operating systems, so a site secured this way shows no certificate warnings. On the server side the work is done by an ACME client; here that client is Certbot.

Install Certbot Client

Certbot is the recommended client for obtaining and renewing Let’s Encrypt certificates, and its nginx plugin can also edit your server blocks for you. On CentOS 7 the client is packaged in the EPEL repository, so enable EPEL first:

sudo yum install epel-release

Next, install Certbot together with its nginx plugin (the certbot-nginx package pulls in certbot itself). If yum cannot find the package, check that EPEL is enabled and search the repository for certbot, since the package names have changed over time.

sudo yum install certbot-nginx

Verify the installation by printing the client version:

certbot --version

Adjust Firewall

If a host firewall is running, it must allow HTTPS (port 443) for the secured site, and it must also allow plain HTTP (port 80): the nginx plugin proves control of the domain with the HTTP-01 challenge, in which Let’s Encrypt fetches a token from /.well-known/acme-challenge/ on your site over HTTP, and port 80 is also where the HTTP-to-HTTPS redirect lives. Leaving port 80 closed is the most common reason issuance and renewal fail. If no firewall is running, skip ahead.

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If the system uses iptables directly instead of firewalld, the following rules open ports 80 and 443. They are not kept across a reboot; persist them with the save command provided by the iptables-services package.

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Obtaining a Let’s Encrypt SSL on Nginx

There are several ways to obtain a Let’s Encrypt certificate. Here we use Certbot's nginx plugin, which both obtains the certificate (answering the validation challenge through your existing server block) and installs it by editing that server block:

sudo certbot --nginx -d example.com -d www.example.com

The command above requests a single certificate covering example.com and www.example.com; the plugin locates the server block whose server_name matches those names. On first use Certbot asks for an e-mail address and for agreement to the Let’s Encrypt subscriber terms. The address is tied to your ACME account and receives expiry warnings when automatic renewal has silently stopped working, so use one that is actually read.

Certbot then asks how plain HTTP requests should be handled:

Output
Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Choose option 2 (Secure) unless you have a specific reason to keep serving plain HTTP; Certbot then adds the redirect to the server block for you. With either option port 80 must stay open, because renewals are validated over HTTP.

If issuance succeeds, Certbot prints where it stored the files. The paths under /etc/letsencrypt/live/ are symlinks to the current versions kept in /etc/letsencrypt/archive/, and Nginx is configured to read from live/, so a renewal needs no change to the Nginx configuration. privkey.pem is readable only by root; keep it that way and never copy it into a world-readable location.

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-06-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
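Certbot can be driven without the prompts, which is what you want when a server is built by a script. The following is an added example, not code from the original tutorial or from the Certbot project: it wraps the command above, validating the hostnames and checking that each one resolves to this machine before contacting the CA (a failed validation still counts against Let’s Encrypt rate limits), and then runs certbot non-interactively. The getent and hostname -I utilities are assumed to be available; the e-mail address and domains are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight checks before
# requesting a certificate, then the same certbot call as above made
# non-interactive. Assumptions: the nginx plugin (HTTP-01 challenge), so the
# names must be real hostnames (no wildcards) that resolve to this server.
set -eu

# Accept only syntactically valid, fully qualified hostnames. A request for a
# bad name or a wildcard would fail at the CA and still count against rate limits.
valid_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ ${#d} -le 253 ] || return 1
    printf '%s' "$d" | grep -Eq '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

# Succeed if any IPv4 address the name resolves to is in LOCAL_IPS
# (a space-separated list, e.g. the output of `hostname -I`).
dns_points_here() {
    name="$1"; local_ips="$2"
    for ip in $(getent ahostsv4 "$name" | awk '{print $1}' | sort -u); do
        case " $local_ips " in *" $ip "*) return 0 ;; esac
    done
    return 1
}

# The interactive prompts from the tutorial, answered on the command line:
# -m and --agree-tos replace the e-mail and terms questions, --redirect is
# menu option 2 (Secure), --non-interactive makes certbot fail instead of ask.
certbot_cmd() {
    email="$1"; shift
    cmd="certbot --nginx --non-interactive --agree-tos -m $email --redirect"
    for d in "$@"; do cmd="$cmd -d $d"; done
    printf '%s' "$cmd"
}

# issue EMAIL DOMAIN [DOMAIN...]: run the checks, then certbot.
issue() {
    email="$1"; shift
    local_ips=$(hostname -I 2>/dev/null || true)
    for d in "$@"; do
        valid_domain "$d" || { echo "refusing: '$d' is not a valid hostname" >&2; return 1; }
        if [ -n "$local_ips" ] && ! dns_points_here "$d" "$local_ips"; then
            echo "refusing: $d does not resolve to an address on this host" >&2; return 1
        fi
    done
    # shellcheck disable=SC2046  # word splitting of the command string is intended
    sudo $(certbot_cmd "$email" "$@")
}

# Usage: sh issue-cert.sh admin@example.com example.com www.example.com
if [ $# -ge 2 ]; then issue "$@"; fi
```

The DNS check is deliberately strict: if the name points at a load balancer or CDN in front of this host, HTTP-01 validation will reach that device rather than Nginx, and the request should be reconsidered rather than retried.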

Generate Strong Diffie-Hellman Parameters

Diffie–Hellman (DH) key exchange lets the client and server agree on a session key over an untrusted network. Nginx uses the parameters generated here only for the classic finite-field DHE cipher suites; the ECDHE suites use named curves and ignore them. Older Nginx versions fall back to a built-in 1024-bit group when ssl_dhparam is not set, and newer ones simply disable DHE, so if any DHE suite is enabled supply a 2048-bit group of your own. Generating it takes a minute or more:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Now add the directive to the Nginx configuration. Certbot put its ssl_ directives into the server block it edited, which on CentOS is either in nginx.conf or in a file under /etc/nginx/conf.d/, so open the file that contains your domain's HTTPS server block:

sudo nano /etc/nginx/nginx.conf

Add the following line inside the server block that listens on port 443 (placing it in the http context instead applies it to every TLS server block):

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Next, check the Nginx configuration for syntax errors:

sudo nginx -t

If the test passes, reload Nginx to apply the change:

sudo systemctl reload nginx
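The tutorial never shows what the finished configuration looks like, so here is the pair of server blocks rendered by a small shell script, as an added example that is not from the original tutorial or the Certbot project. It assumes Certbot's live/ paths for the domain, the dhparam file generated above, a document root of /var/www/DOMAIN/html (a hypothetical path from the server block tutorial) and CentOS's /etc/nginx/conf.d/ include directory.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the HTTPS server block
# pair explicitly so every TLS directive, including ssl_dhparam, is visible.
# Assumptions: certbot's live/ paths for the domain, the dhparam file generated
# above, a document root /var/www/DOMAIN/html and CentOS's conf.d include dir.
set -eu

# Print the port-80 and port-443 server blocks for DOMAIN (and www.DOMAIN).
render_tls_server_block() {
    domain="$1"
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;

    # Keep the HTTP-01 challenge path reachable over plain HTTP for renewals,
    # and send everything else to HTTPS (this is what option 2 "Secure" does).
    location /.well-known/acme-challenge/ {
        root /var/www/$domain/html;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name $domain www.$domain;
    root /var/www/$domain/html;

    # Symlinks that certbot keeps pointing at the newest certificate.
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;

    # CentOS 7 ships OpenSSL 1.0.2, so TLS 1.2 is the newest version available.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Only the DHE- suites above use this file; the ECDHE- suites ignore it.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Enable HSTS only once HTTPS is confirmed working for every hostname.
    add_header Strict-Transport-Security "max-age=63072000" always;
}
EOF
}

# Write the rendered config where CentOS's nginx.conf includes it, then test the
# whole configuration and reload only if the test passes. Run this as root.
install_server_block() {
    domain="$1"
    render_tls_server_block "$domain" > "/etc/nginx/conf.d/$domain.conf"
    nginx -t && systemctl reload nginx
}

# Usage: sh tls-server-block.sh example.com   (prints the config to stdout)
if [ $# -eq 1 ]; then render_tls_server_block "$1"; fi
```

Compare the output with the block Certbot wrote, or use it to replace that block if you prefer to own the TLS settings yourself. In that case keep the listen 80 block: the HTTP-01 challenge and the redirect both live there.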

Auto Renew Let’s Encrypt SSL Certificates

Let’s Encrypt certificates are valid for 90 days, so they must be renewed before they expire. A manual renewal of every certificate on the system is:

sudo certbot renew

certbot renew only renews certificates that are within 30 days of expiry and exits without doing anything otherwise, so it is safe to run often. To automate it, create a cron job that runs it twice a day. Because the certificate was installed with the nginx plugin, Certbot reloads Nginx after a successful renewal, so the new certificate is served immediately.

Enter the following command to open crontab:

sudo crontab -e

Append the following line at the end of the file. The --quiet flag suppresses output when there is nothing to do, so the log records only renewals and errors (Certbot's own detailed log is kept under /var/log/letsencrypt/):

0 */12 * * * /usr/bin/certbot renew --quiet >> /var/log/le-renew.log 2>&1

Save and close the file. Test the renewal process without changing anything on the system; --dry-run talks to the Let’s Encrypt staging environment instead of the production CA:

sudo certbot renew --dry-run

If this completes without errors, automatic renewal will work the same way.
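A dry run proves that renewal can work; it does not tell you whether the certificate Nginx is currently serving is the fresh one. The following added example, not from the original tutorial or the Certbot project, checks how close a PEM file is to the 30-day renewal window, performs the same check on the certificate Nginx actually serves, and shows the cron command with an explicit reload hook. It assumes openssl is installed and uses the file paths Certbot printed above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: certificate expiry checks
# and a renewal wrapper. Assumes openssl is installed (nginx on CentOS 7 depends
# on it) and the /etc/letsencrypt/live/ paths printed by certbot.
set -eu

# Succeed if the PEM certificate in $1 expires within $2 days.
# openssl's -checkend exits 0 while the certificate stays valid, so invert it.
expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# Same check against what a client sees: fetch the leaf certificate from
# HOST:443 with SNI, then test it. This catches the case where renewal
# succeeded on disk but nginx never reloaded and still serves the old one.
served_cert_expires_within() {
    tmp=$(mktemp)
    # A host that cannot be reached aborts the script here (set -e).
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    if expires_within "$tmp" "$2"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# What the cron job should run: renew quietly and reload nginx only when a
# certificate actually changed. The nginx plugin already reloads nginx for
# certificates it installed; the hook also covers ones obtained with certonly.
renew_quietly() {
    certbot renew --quiet --deploy-hook "systemctl reload nginx"
}

# Usage: sh check-cert.sh /etc/letsencrypt/live/example.com/cert.pem
if [ $# -eq 1 ]; then
    if expires_within "$1" 30; then
        echo "$1 expires within 30 days: certbot renew will act on it"
    else
        echo "$1 is valid for more than 30 days: certbot renew will skip it"
    fi
fi
```

Running served_cert_expires_within example.com 30 from another machine, after a renewal, is a quick way to confirm that the reload happened; monitoring systems usually wrap exactly this check.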

Conclusion

In this tutorial you installed the Certbot client, obtained a Let’s Encrypt certificate, configured Nginx to use it and set up a cron job for automatic renewal.

To learn more about Certbot, its documentation is a good starting point.

© 2020 TecNStuff. All rights reserved.