
Let’s Encrypt is a new Certificate Authority (CA). It provides a simple, automated way to obtain, validate, install and renew free TLS/SSL certificates. In this tutorial, you will learn how to obtain and install a free SSL certificate and secure Nginx with Let’s Encrypt on a CentOS 7 server.
Prerequisites
- A CentOS system, logged in as a non-root user with sudo privileges.
- Nginx installed and configured, as shown in this tutorial.
- An Nginx server block for your domain, as shown in this tutorial.
- Your domain name pointing to your server’s IP address (Let’s Encrypt validates ownership over HTTP, so DNS must already resolve to this server).
Install Let’s Encrypt on CentOS
Nowadays, certificates issued by Let’s Encrypt are trusted by almost all browsers.
Install Certbot Client
The Certbot client is an easy and useful tool for obtaining and renewing Let’s Encrypt SSL certificates and configuring them on web servers. We will install the certbot package from the EPEL repository, so we first enable EPEL. Execute the command below to add the EPEL repository:
sudo yum install epel-release
Now, we will install the Certbot client package (with its Nginx plugin) on the CentOS server to obtain a Let’s Encrypt SSL certificate.
sudo yum install certbot-nginx
You can verify that Certbot was installed successfully by typing:
certbot --version
Adjust Firewall
If your system is protected by a firewall, the firewall must allow HTTPS traffic (port 443) for the certificate to be usable, and HTTP traffic (port 80) for Certbot’s domain validation. Adjust the firewall rules to allow both. If you are not running a firewall, you can skip ahead.
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If your system uses iptables instead, the following basic commands allow traffic on port 80 and port 443 (note that these rules are not persistent across reboots unless you save them):
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Obtaining a Let’s Encrypt SSL on Nginx
There are multiple ways to obtain Let’s Encrypt SSL certificates. In this guide, we will use the Certbot client with its Nginx plugin to obtain an SSL certificate and configure Nginx in one step:
sudo certbot --nginx -d example.com -d www.example.com
With the command above, we are requesting a certificate for the domains example.com and www.example.com. If you are obtaining a certificate for the first time, Certbot will ask you to enter an email address and agree to the terms of service. The email address is used for alerts related to renewal and expiration of the certificate.
After the above step, Certbot will ask you to configure HTTPS settings.
Output
Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and press Enter to continue. The Secure option is recommended if you don’t want to edit the configuration file manually to add the HTTP-to-HTTPS redirect.
Finally, if the SSL certificate is obtained successfully, Certbot prints a message like the following:
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-06-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Generate Strong Diffie-Hellman Parameters
Diffie–Hellman key exchange (DH) is a method for securely exchanging cryptographic keys over an insecure communication channel. Nginx uses the parameters below for DHE cipher suites. Generate a new, strong set of DH parameters by typing the following command (generating 2048-bit parameters can take several minutes):
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Now, edit the Nginx configuration file by typing:
sudo nano /etc/nginx/nginx.conf
Append the following line inside the server block (the one that now carries the ssl_certificate settings Certbot added):
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Next, check the Nginx configuration syntax to make sure everything is correct:
sudo nginx -t
If there are no syntax errors, reload the Nginx configuration:
sudo systemctl reload nginx
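The tutorial has you add ssl_dhparam by hand to the server block Certbot edited. The shell script below is an added example, not part of the original tutorial and not Certbot’s own code: it writes a complete HTTPS server block that pairs the Let’s Encrypt paths printed above with the DH parameter file from this section, redirects plain HTTP to HTTPS (the “Secure” choice), and adds a few hardening settings. The domain and output path are arguments; the document root /usr/share/nginx/html, an Nginx new enough to accept TLSv1.3 in ssl_protocols, and the presence of mktemp for the demo are assumptions.

```shell
#!/bin/sh
# Added example: writes a TLS-enabled Nginx server block for the domain in $1
# to the file in $2. Certificate paths follow Certbot's output; the DH
# parameter path follows this tutorial. Document root is an assumption.
write_tls_server_block() {
    domain=$1
    out=$2
    cat > "$out" <<EOF
# Redirect all plain HTTP to HTTPS (what certbot's "Secure" option does)
server {
    listen 80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain www.$domain;

    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # TLSv1.3 is ignored by nginx if the linked OpenSSL lacks it (CentOS 7 base OpenSSL does)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Only enable HSTS once every host under the domain serves HTTPS correctly
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /usr/share/nginx/html;
    index index.html;
}
EOF
}

# Succeeds only if the file carries the three directives this tutorial relies on:
# the certificate, the DH parameters and the HTTP-to-HTTPS redirect.
config_has_tls_directives() {
    grep -q 'ssl_certificate ' "$1" \
        && grep -q 'ssl_dhparam' "$1" \
        && grep -q 'return 301 https' "$1"
}

# Demo: print the generated block for example.com to a temporary file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_tls_server_block example.com "$tmp"
    cat "$tmp"
    config_has_tls_directives "$tmp" && echo "# directives present"
    rm -f "$tmp"
fi
```

On the server, write the block to a file Nginx includes (for example under /etc/nginx/conf.d/), then run sudo nginx -t and sudo systemctl reload nginx as in the steps above; nginx -t will fail if the certificate or dhparam files do not yet exist at those paths.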
Auto Renew Let’s Encrypt SSL Certificates
Let’s Encrypt SSL certificates have a short lifetime of 90 days, so they must be renewed before they expire. You can renew the certificates manually by typing:
sudo certbot renew
To renew the certificates automatically before they expire, we will create a cron job that runs twice a day and renews any certificate that is within 30 days of its expiration (certbot renew skips certificates that are not yet due, so running it often is harmless).
Enter the following command to open crontab:
sudo crontab -e
Now append the line below at the end of the file. It runs the renewal command twice a day and renews a certificate only when it is about to expire; the output is appended to a log file so failed renewals can be reviewed.
0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
Save and close the file. You can test the renewal process without issuing a real certificate by typing:
sudo certbot renew --dry-run
If there are no errors, the test renewal was successful and the cron job will work the same way.
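Both the “IMPORTANT NOTES” output above and this renewal section turn on one question: how many days are left on the certificate, and is it inside the 30-day renewal window. The script below is an added example, not Certbot’s code and not part of the original tutorial. It parses the expiry date out of a constructed copy of Certbot’s notes text, computes the days remaining relative to a given date, and applies the same rule certbot renew uses (renew when 30 days or fewer remain); a last function reads the real expiry straight from fullchain.pem with openssl. The sample notes text is constructed, and GNU date -d is assumed.

```shell
#!/bin/sh
# Constructed sample of certbot's final notes block (not output from any real host).
SAMPLE_NOTES='IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again.'

# Print the expiry date (YYYY-MM-DD) found in certbot notes text read from stdin.
expiry_from_notes() {
    sed -n 's/.*Your cert will expire on \([0-9-]*\)\..*/\1/p' | head -n 1
}

# Whole days from $1 ("today", YYYY-MM-DD) to $2 (expiry, YYYY-MM-DD).
# Assumption: GNU date, which accepts -d with these date strings.
days_until() {
    now=$(date -u -d "$1" +%s)
    exp=$(date -u -d "$2" +%s)
    echo $(( (exp - now) / 86400 ))
}

# certbot renew acts when 30 days or fewer remain; return success in that case.
renewal_due() {
    [ "$(days_until "$1" "$2")" -le 30 ]
}

# Days left on a real certificate file, e.g. /etc/letsencrypt/live/example.com/fullchain.pem.
# openssl prints "notAfter=Jun 11 12:00:00 2019 GMT"; GNU date parses the part after "=".
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    days_until "$(date -u +%Y-%m-%d)" "$enddate"
}

# Demo against the constructed notes, evaluated as if today were 2019-05-20.
if [ "${1:-}" = "--demo" ]; then
    expiry=$(printf '%s\n' "$SAMPLE_NOTES" | expiry_from_notes)
    echo "expiry: $expiry, days left on 2019-05-20: $(days_until 2019-05-20 "$expiry")"
    if renewal_due 2019-05-20 "$expiry"; then
        echo "renewal due: certbot renew would renew this certificate"
    else
        echo "not yet due: certbot renew would skip it"
    fi
fi
```

Because the certificate was obtained with the Nginx plugin, Certbot reloads Nginx itself after a successful renewal; if you ever renew with a different authenticator, add a --deploy-hook that runs systemctl reload nginx, or the old certificate stays in use until the next reload.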
Conclusion
In this tutorial, you learned how to install the Certbot client, obtain a Let’s Encrypt SSL certificate and configure Nginx to use it. Finally, you set up a cron job for automatic certificate renewal.
If you want to know more about how to use Certbot, their documentation is a good starting point.