
In this tutorial you will learn, step by step, how to install a free Let’s Encrypt SSL certificate on CentOS 8 running Nginx as the web server.
Let’s Encrypt is a free, automated, and open certificate authority that provides TLS certificates for websites at no cost. Such a certificate enables encrypted connections to HTTP servers over the HTTPS protocol in a simple, hassle-free manner. Certificates issued by Let’s Encrypt are trusted by all major browsers and are valid for 90 days from the issue date.
Prerequisites
- A CentOS system, logged in as a non-root user with sudo privileges.
- Nginx must be installed and configured, as shown in this tutorial.
- An Nginx server block for your domain, as shown in this tutorial.
- Your domain name must point to your server's IP address.
- Your firewall must be configured to accept connections on ports 80 and 443.
Step 1. Install Certbot in CentOS 8
Certbot is a free command-line tool for obtaining and renewing Let’s Encrypt SSL certificates and configuring them on web servers.
By default, the certbot package is not included in the standard CentOS 8 repositories, so we will download it from the vendor’s website.
Download Certbot with the wget command, as root or a sudo user, into the /usr/local/bin directory:
sudo wget -P /usr/local/bin https://dl.eff.org/certbot-auto
After completion of download, make that file executable by typing:
sudo chmod +x /usr/local/bin/certbot-auto
Step 2. Configure Nginx Server Block
An Nginx server block is the equivalent of a virtual host in Apache. Setting up server blocks lets you host multiple websites on a single server, and it also lets certbot prove ownership of the domain to the Certificate Authority (CA).
sudo vim /etc/nginx/conf.d/example.com.conf
Make sure to replace example.com in the file name with your own domain name. Add the following lines to the file:
server {
    server_name example.com;
    root /opt/nginx/example.com;

    location / {
        index index.html index.htm index.php;
    }

    access_log /var/log/nginx/example.com.access.log;
    error_log /var/log/nginx/example.com.error.log;

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Save and close the file.
Step 3: Obtain a certificate for domain
Now run the certbot tool to obtain the SSL certificate files for your domain:
sudo /usr/local/bin/certbot-auto --nginx -d example.com -d www.example.com
If this is the first time you invoke certbot, the tool will install the missing dependencies. After that it will prompt you for an email address and a few other details. If everything goes well, it will show a success message at the end:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-07-22. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
That’s it! Your website now has a Let’s Encrypt certificate and is served over an encrypted connection. You can check it by opening your site with https:// in a web browser; you will see a green padlock symbol in front of your web URL.
Step 4. Renewing the Let’s Encrypt Certificate
As mentioned earlier, the certificate is only valid for 90 days. To renew certificates automatically before they expire, we will create a cron job that runs twice a day and renews any certificate that is within 30 days of expiration.
Use the crontab command to create a new cron job:
sudo crontab -e
Append the following line. Because this is root's own crontab (opened with sudo crontab -e), the line has no user-name field, unlike entries in /etc/crontab or /etc/cron.d:
# Twice a day, after a random delay of up to one hour, renew any certificate
# within 30 days of expiry and reload Nginx so it picks up the new files.
0 */12 * * * test -x /usr/local/bin/certbot-auto && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot-auto -q renew --renew-hook "systemctl reload nginx"
Save and close the file. You can test the renewal process by typing:
sudo /usr/local/bin/certbot-auto renew --dry-run
The renewal process was successful if there are no errors.
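The paths printed by certbot in Step 3 and the 30-day renewal window used in Step 4 are easy to verify by hand. The script below is an added example written for this tutorial, not part of certbot or the original post. It uses only openssl to confirm that the private key in /etc/letsencrypt/live/example.com belongs to the issued certificate, to list the DNS names the certificate covers, and to report whether the certificate falls inside the renewal window. The directory name example.com is taken from the tutorial and is an assumption; set CERT_DIR to your own domain's live directory. When that directory does not exist (for instance on a workstation), the script demonstrates the same checks on a constructed self-signed certificate so it can be run anywhere.

```shell
#!/usr/bin/env bash
# Added example for this tutorial (not certbot's own code): sanity checks on a
# Let's Encrypt certificate directory using only the openssl command line.
set -u

# Assumption: certbot's live directory for the tutorial's domain.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/example.com}"
RENEW_WINDOW_DAYS=30   # certbot renews once fewer than 30 days remain

# Exit 0 if the certificate stays valid for more than $2 days,
# exit 1 if it expires within that window (renewal due) or already expired.
cert_valid_beyond_days() {
    local cert="$1" days="$2"
    openssl x509 -noout -in "$cert" -checkend "$(( days * 86400 ))" >/dev/null 2>&1
}

# Exit 0 if the private key corresponds to the certificate's public key.
# Both sides are reduced to a public-key PEM and compared; works for RSA and EC.
key_matches_cert() {
    local cert="$1" key="$2" cert_pub key_pub
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print the DNS names from the certificate's Subject Alternative Name, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Build a constructed self-signed sample (test data, not a real Let's Encrypt
# certificate) with the same file names certbot uses, valid for $2 days.
make_sample_cert() {
    local dir="$1" days="$2"
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.com
[v3]
subjectAltName = DNS:example.com,DNS:www.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
}

# Human-readable summary of one certificate directory.
report() {
    local dir="$1" cert="$1/fullchain.pem" key="$1/privkey.pem"
    echo "Certificate: $cert"
    echo "Covers:"
    cert_dns_names "$cert" | sed 's/^/  /'
    if key_matches_cert "$cert" "$key"; then
        echo "Key/cert match: OK"
    else
        echo "Key/cert match: FAIL (privkey.pem does not belong to fullchain.pem)"
    fi
    if cert_valid_beyond_days "$cert" "$RENEW_WINDOW_DAYS"; then
        echo "Expiry: more than $RENEW_WINDOW_DAYS days left, renewal not yet due"
    else
        echo "Expiry: within $RENEW_WINDOW_DAYS days or already expired, renewal is due"
    fi
}

if [ -d "$CERT_DIR" ]; then
    report "$CERT_DIR"
else
    # No live certbot directory on this machine: show the checks on a sample.
    SAMPLE_DIR=$(mktemp -d)
    make_sample_cert "$SAMPLE_DIR" 45
    report "$SAMPLE_DIR"
    rm -rf "$SAMPLE_DIR"
fi
```

Run it as root on the server, or with CERT_DIR pointed at another domain's directory. A "Key/cert match: FAIL" after a renewal usually means Nginx is still holding an old key or the live symlinks were edited by hand; "renewal is due" while the cron job is in place is the signal to run the dry-run above and read certbot's log.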
Conclusion
In this tutorial, you learned how to install the certbot client, obtain a Let’s Encrypt SSL certificate, and configure it for Nginx on CentOS 8. Finally, you set up a cron job for automatic certificate renewal.
To learn more about how to use Certbot, its documentation is a good starting point.
If you hit any problem or have a suggestion, please comment below.