Secure Nginx with Let's Encrypt on CentOS 7 - How to do it?

Let's Encrypt is a new Certificate Authority (CA). It provides a simple way to obtain, validate, install and renew free TLS/SSL certificates.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with Nginx-related queries.

In this context, we shall look into how to obtain and install a free SSL certificate and secure Nginx with Let's Encrypt on a CentOS 7 server.

How to Install Let's Encrypt on CentOS?

Before proceeding with this installation procedure, ensure that the following prerequisites are met:

A CentOS system, logged in as a non-root user with sudo privileges.

Nginx must be installed and configured, as shown in this Guide.

An Nginx server block for your domain, as shown in this Guide.

Your domain name should point to your server's IP address.

Then, follow the steps given below.

1. Install Certbot Client

The Certbot client package is an easy and useful tool for obtaining and renewing Let's Encrypt SSL certificates and configuring them on web servers. We will install the certbot package from the EPEL repository, so we first enable the EPEL repository.

Execute the command below to add the EPEL repository:

$ sudo yum install epel-release

Now, install the Certbot client package (with its Nginx plugin) on the CentOS server to obtain a Let's Encrypt SSL certificate:

$ sudo yum install certbot-nginx

You can verify whether certbot was installed successfully by typing:

$ certbot --version

2. Adjust Firewall

If your system is secured by a firewall, it must allow HTTPS traffic before the SSL certificate can be used, so you need to adjust the firewall rules to allow HTTPS traffic. HTTP (port 80) must also be reachable, because certbot validates ownership of the domain over plain HTTP before issuing the certificate. If you are not running a firewall, you can skip ahead:

$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

If your system is running iptables, you can run the following basic commands to allow traffic on port 80 and port 443:

$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

3. Obtain a Let's Encrypt SSL on Nginx

There are multiple ways to obtain Let's Encrypt SSL certificates. In this guide, we will use the certbot client to obtain an SSL certificate:

$ sudo certbot --nginx -d example.com -d www.example.com

With the above command, we request a certificate for the listed domain names (replace example.com and www.example.com with your own domain). If you are installing a certificate for the first time, certbot will ask you to enter an email address and agree to the terms of service. The email address entered will be used for sending alerts related to SSL renewal and expiration.

After the above step, Certbot will ask you to configure HTTPS settings:

Please choose whether HTTPS access is required or optional.
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and hit Enter to continue. The Secure option is recommended if you don't want to edit the configuration file manually.

Finally, if the SSL certificate is obtained successfully, certbot prints a message like the following:

 Congratulations! Your certificate and chain have been saved at:
 Your key file has been saved at:
 Your cert will expire on 2019-06-11. To obtain a new or tweaked
 version of this certificate in the future, simply run certbot
 again. To non-interactively renew all of your certificates, run
 "certbot renew"
 If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:
 Donating to EFF:          

4. Generate Strong Diffie-Hellman Parameters

The Diffie–Hellman (DH) key exchange method is used to securely exchange cryptographic keys over an unsecured communication channel.

Generate a new strong set of DH parameters by typing the following command:

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Now, we need to edit the Nginx configuration file by typing:

$ sudo nano /etc/nginx/nginx.conf

Add the following line inside the server block that serves HTTPS (the block containing the ssl_certificate lines certbot added):

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Next, check the Nginx configuration syntax to make sure everything is correct:

$ sudo nginx -t

If there are no syntax errors, reload the Nginx configuration:

$ sudo systemctl reload nginx
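To make it clear where the ssl_dhparam line from step 4 belongs, here is an added example (not from the original article) of a small POSIX shell helper that renders the server block the "Secure" certbot option produces, with the DH parameter line added, and installs it only when explicitly asked. It assumes the domain example.com, certbot's default certificate layout under /etc/letsencrypt/live/example.com, and that the file is written to /etc/nginx/conf.d/example.com.conf (these paths are assumptions, not taken from the article).

```shell
#!/bin/sh
# Added example: render and install the HTTPS server block for a domain.
# Assumptions: certbot's default layout /etc/letsencrypt/live/<domain>/,
# DH parameters at /etc/ssl/certs/dhparam.pem (as in step 4), and a
# per-domain config file under /etc/nginx/conf.d/ (hypothetical location).
set -eu

DHPARAM=/etc/ssl/certs/dhparam.pem

# render_server_block DOMAIN: print an nginx config with a plain-HTTP block
# that redirects every request to HTTPS ("Secure" option) and an HTTPS block
# that uses the certificate paths certbot writes.
render_server_block() {
    domain="$1"
    live="/etc/letsencrypt/live/$domain"
    cat <<EOF
server {
    listen 80;
    server_name $domain www.$domain;
    # "Secure" option: every HTTP request is redirected to HTTPS
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;

    # DH parameters generated in step 4
    ssl_dhparam $DHPARAM;

    root /usr/share/nginx/html;
    index index.html;
}
EOF
}

# has_directive CONFIG_TEXT DIRECTIVE: succeed if DIRECTIVE starts a line
has_directive() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]"
}

# install_server_block DOMAIN: refuse to proceed without DH parameters,
# write the config, then syntax-check and reload nginx exactly as in step 4.
install_server_block() {
    domain="$1"
    target="/etc/nginx/conf.d/$domain.conf"
    [ -r "$DHPARAM" ] || { echo "missing $DHPARAM: run openssl dhparam first" >&2; exit 1; }
    render_server_block "$domain" > "$target"
    nginx -t && systemctl reload nginx
}

# Only touch the system when run with a domain argument, e.g.:
#   sudo sh install-tls-block.sh example.com
if [ "$#" -eq 1 ]; then
    install_server_block "$1"
fi
```

Run it with the domain as the only argument; without arguments it just defines the functions, so `render_server_block example.com` can be used to preview the block before writing anything. The install step deliberately aborts when dhparam.pem is missing, since nginx would otherwise fail `nginx -t` on the ssl_dhparam line.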

How to Auto Renew Let's Encrypt SSL Certificates?

Let's Encrypt SSL certificates have a short lifetime of 90 days, so you need to renew them before they expire.

You can renew the SSL certificate manually by typing:

$ sudo certbot renew

To automatically renew the certificates before they expire, we will create a cron job that runs twice a day; certbot only renews a certificate when it is within 30 days of its expiration.

Enter the following command to open crontab:

$ sudo crontab -e

Now append the line below at the end of the file. It runs the command twice a day and renews any certificate that is about to expire:

0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log

Save and close the file. You can test the renewal process by typing:

$ sudo certbot renew --dry-run

If there are no errors, the test renewal was successful.
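As an added example (not part of the original article), the renewal wrapper below can be scheduled from cron instead of calling certbot directly: it logs each run with a timestamp to the /var/log/le-renew.log file used above, reloads Nginx only when a certificate was actually renewed (certbot's --deploy-hook), and installs its own crontab entry without duplicating it on repeated runs. The script path /usr/local/sbin/le-renew.sh is a hypothetical location; the twice-daily schedule matches the crontab line in the article.

```shell
#!/bin/sh
# Added example: cron-friendly wrapper around "certbot renew".
# Assumptions: this file is installed at /usr/local/sbin/le-renew.sh
# (hypothetical path) and the log file is /var/log/le-renew.log as in the article.
set -eu

SCRIPT=/usr/local/sbin/le-renew.sh
LOG=/var/log/le-renew.log
CRON_LINE="0 */12 * * * $SCRIPT renew >> $LOG 2>&1"

# timestamp: UTC prefix for log lines
timestamp() { date -u '+%Y-%m-%dT%H:%M:%SZ'; }

# ensure_cron_line CRONTAB_TEXT LINE: print CRONTAB_TEXT with LINE present
# exactly once (appended if absent, untouched if already there).
ensure_cron_line() {
    crontab_text="$1"; line="$2"
    if [ -z "$crontab_text" ]; then
        printf '%s\n' "$line"
    elif printf '%s\n' "$crontab_text" | grep -Fxq -- "$line"; then
        printf '%s\n' "$crontab_text"
    else
        printf '%s\n' "$crontab_text" "$line"
    fi
}

# count_cron_line CRONTAB_TEXT LINE: number of times LINE occurs (0 is not an error)
count_cron_line() {
    printf '%s\n' "$1" | grep -Fxc -- "$2" || true
}

# renew: let certbot decide what is due (within 30 days of expiry) and
# reload nginx only if at least one certificate was replaced.
renew() {
    echo "$(timestamp) starting renewal check" >> "$LOG"
    certbot renew --quiet --deploy-hook 'systemctl reload nginx' >> "$LOG" 2>&1 \
        && echo "$(timestamp) renewal check finished" >> "$LOG" \
        || echo "$(timestamp) certbot renew failed, see messages above" >> "$LOG"
}

# install_cron: add CRON_LINE to the current user's crontab idempotently
install_cron() {
    current="$(crontab -l 2>/dev/null || true)"
    ensure_cron_line "$current" "$CRON_LINE" | crontab -
}

# Usage: le-renew.sh renew | install-cron | dry-run
# With no argument nothing is executed, so the file can be sourced safely.
case "${1:-}" in
    renew)        renew ;;
    install-cron) install_cron ;;
    dry-run)      certbot renew --dry-run ;;
    *)            ;;
esac
```

Run `sudo sh /usr/local/sbin/le-renew.sh install-cron` once to schedule it and `sudo sh /usr/local/sbin/le-renew.sh dry-run` to confirm renewal works end to end, exactly as `certbot renew --dry-run` does above. Keeping the reload in a deploy hook means Nginx is not reloaded on the many runs where nothing is due, and a failed renewal leaves a visible line in the log rather than silently doing nothing.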


This article covers how to use the certbot Let's Encrypt client to obtain a free SSL certificate and use it with Nginx on CentOS 7.

Let's Encrypt is a new Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. 

Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx web servers.

To install the Certbot Let's Encrypt client:

1. Enable access to the EPEL repository on your server by typing:

$ sudo yum install epel-release

2. Once the repository has been enabled, you can obtain the certbot-nginx package by typing:

$ sudo yum install certbot-nginx

How to Install Nginx on CentOS?

1. To install Nginx, run the command:

$ sudo yum install nginx

2. Then, start Nginx using systemctl:

$ sudo systemctl start nginx

How to configure the firewall on CentOS?

If you have a firewall enabled, make sure ports 80 and 443 are open to incoming traffic.

1. If you have a firewalld firewall running, you can open these ports by typing:

$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

2. If you have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:

$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
