Menu

Secure Nginx with Let’s Encrypt on CentOS 8

Written by , Updated On April 23, 2020
, , , ,
Secure Nginx with Let's Encrypt on CentOS 8

In this tutorial you will learn step by step instruction to install a free Let’s Encrypt SSL certificate on CentOS 8 running Nginx as a web server.

Let’s Encrypt is a free, automated, and open certificate authority that provides TLS encryption for websites free of cost. This certificate enables encrypted connections to HTTP servers using the HTTPS protocol in a easier and hassle-free manner without any complexities. Certificates issued by Let’s Encrypt are trusted by all major browsers and valid for 90 days from the issue date.

Prerequisites

  • A CentOS system logged in with a non-root user with sudo privileges.
  • Nginx must installed and configured, as shown in this tutorial.
  • Have a Nginx server block for your domain, as shown in this tutorial.
  • Your domain name should pointing to your server IP address.
  • Your firewall is configured to accept connections on ports 80 and 443

Step 1. Install Certbot in CentOS 8

Certbot client package is a free command-line tool that useful for obtain and renew Let’s Encrypt SSL certificates and configure to web servers.

By default, certbot package is not included in the standard CentOS 8 repositories. We will download it from the vendor’s website.

Download Certbot using wget command as root or sudo user at /usr/local/bin directory:

sudo wget -P /usr/local/bin https://dl.eff.org/certbot-auto

After completion of download, make that file executable by typing:

sudo chmod +x /usr/local/bin/certbot-auto

Step 2. Configure Nginx Server Block

Nginx server block is the equivalent of a virtual host in Apache. By setting up of server blocks it allows you to set up multiple websites on single server and also allows certbot to verify the ownership of the domain to Certificate Authority – CA.

sudo vim /etc/nginx/conf.d/example.com.conf

Make sure to replace the example.com.conf domain name with your own domain name. Add the following line to file:

server {
   server_name example.com;
   root /opt/nginx/example.com;

   location / {
       index index.html index.htm index.php;
   }

   access_log /var/log/nginx/example.com.access.log;
   error_log /var/log/nginx/example.com.error.log;

   location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }
}

Save the close the file.

Step 3: Obtain a certificate for domain

Now run the certbot tool to obtain the SSL certificate files for your domain:

sudo /usr/local/bin/certbot-auto --nginx -d example.com -d www.example.com

If this the first time you invoke certbot, the tool will install the missing dependencies. After that it will prompt to enter email and other few details. If everything is well it will show successfully obtained message at the end.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-07-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

That’s it! Your website have Let’s Encrypt certificate and encrypted. You can check it by opening your site using https:// in web browser. You will see a green padlock symbol before your web url.

Step 4. Renewing the Let’s Encrypt Certificate

As we mention earlier, the security certificate is only valid for a duration of 90 days only. To automatically renew the certificates before they expire, we will create a cronjob that will run twice a day and automatically renew any certificate 30 days before expiration.

Use the crontab command to create a new cronjob:

sudo crontab -e

Append the following line:

0 */12 * * * root test -x /usr/local/bin/certbot-auto -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot-auto -q renew --renew-hook "systemctl reload nginx"

Save and close the file. You can check renewal process by type :

sudo /usr/local/bin/certbot-auto renew --dry-run

The renewal process was successful if there are no errors.

Conclusion

In this tutorial, you learned how to install certbot client, obtain Let’s Encrypt SSL certificate and configured to Nginx on CentOS 8. At last, you have set up a cronjob for automatic certificate renewal.

To know more about how to use Certbot, their documentation is a good starting point.

If you hit any problem or have suggestion, please comment below.

If our content helps you, please consider buying us a coffee

Thank you for your support.

Related Posts

Leave a Reply

© 2020 TecNStuff All rights reserved. This website is using and storing cookies on your browser. By using this website you agree our Privacy Policy.  Follow us -  Twitter | Facebook