How to Setup Let’s Encrypt SSL Certificate With Nginx on CentOS 7

Let’s Encrypt is a certificate authority that provides free SSL certificates for websites to enable TLS encryption and supports automated certification issuance for websites use Apache, Nginx, Plex, and Haproxy of the web server.

Prerequisites

  • make sure you are logged in as a user with sudo privileges.
  • Make sure you can connect to the internet.
  • You should have LEMP stack configured on your CentOS Linux system.

Step 1. Install Certbot

Certbot is an easy-to-use tool that automates the task of getting and updating Let’s encrypted SSL certificates and configuring the web server to use them.

Certbot is available on EPEL repository for CentOS 7,typing the follow command:

sudo yum install -y certbot python2-certbot-nginx

Step 2.Create Virtualhost

Now We will create a virtual host (server block) configuration file for the domain www.linuxhowto.info.

The following command will create a directory,a conf file and make it available to the Nginx server.

sudo mkdir -p /opt/www/www.linuxhowto.info
sudo vi /etc/nginx/conf.d/www.linuxhow.info.conf

Use the below information.

server {
   server_name linuxhowto.info www.linuxhowto.info;
   root /opt/www/www.linuxhowto.info;

   location / {
       index index.html index.htm index.php;
   }

   access_log /var/log/nginx/www.linuxhowto.info.access.log;
   error_log /var/log/nginx/www.linuxhowto.info.error.log;

   location ~ \.php$ {
      include /etc/nginx/fastcgi_params;
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
   }
}

Change the permission of the directory /opt/www/www.linuxhowto.info.

sudo chown -R nginx: /opt/www/www.linuxhowto.info

Place or create the test HTML file in the document root of your web domain /opt/www/www.linuxhowto.info.

sudo echo "Hello world! This is my site @ www.linuxhowto.info" > /opt/www/www.linuxhowto.info/index.html

Reload the Nginx configuration for the changes to take effect:

sudo systemctl restart nginx

Step 3 .Create or Update DNS Record

Access your DNS management tool or Domain registrar and create an A/CNAME record for the domain. Ex: www.linuxhowto.info.

Wait for some time to let the record propagate.

Check the DNS propagation with nslookup command.

nslookup www.linuxhowto.info

Step 4 .Install Let’s Encrypt Certificate

Use the certbot command to create and install Let’s Encrypt certificate.type the following command:

sudo certbot --nginx

Next, you will be asked to enter a email address to receive renewal/security notification and so on. The whole interaction looks like this:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.linuxhowto.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1 
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.linuxhowto.info
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/www.linuxhowto.info.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2  << Redirect traffic from HTTP to HTTPS
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/www.linuxhowto.info.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.linuxhowto.info

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.linuxhowto.info
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.linuxhowto.info/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.linuxhowto.info/privkey.pem
   Your cert will expire on 2019-11-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

At this point , the installation of let’s Encrypt Certificate is complete.

Step 5. Configuring Nginx

We will now configure Nginx server to redirect the traffic comes for non-www HTTP site to the WW HTTPS site, I.e., http://linuxhowto.info or http://www.linuxhowto.info >> https://www.linuxhowto.info.

Open the /etc/nginx/conf.d/www.linuxhowto.info.conf file.

sudo vi /etc/nginx/conf.d/www.itzgeek.net.conf

Add the below information at the end of the file.

server {
		listen 80;
		server_name linuxhowto.info www.linuxhowto.info;
		
    if ($host = linuxhowto.info) {
        return 301 https://www.linuxhowto.info$request_uri;
    }
    if ($host = www.linuxhowto.info) {
        return 301 https://www.linuxhowto.info$request_uri;
    }
    
    return 404;
}

We test the correctness of the configuration file by the following command, the command is as follows:

sudo nginx -t

After testing the configuration file without any errors, let nginx reload the configuration file and take effect by the following command.

sudo systemctl reload nginx
or 
sudo nginx -s reload

At this point, the configuration of nginx is complete.

Step 6. Configuring the firewall

Configure the firewall to allow HTTPS requests.

sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

Step 7 . Verify Let’s Encrypt Certificate

Verify the Let’s Encrypt certificate details by going to HTTPS version of your website.

https://www.linuxhowto.info

Step 8 . Test SSL Certificate

Check your SSL certificate for any issues and its security ratings by going to the below URL.

https://www.ssllabs.com/ssltest/analyze.html?d=www.linuxhowto.info

Step 9 .Renew Let’s Encrypt Certificate

Let’s Encrypt certificate comes with a validity of 90 days, and it needs to be renewed before they expire.

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null

You can also simulate the certificate renewal process with below command to ensure the renewal goes smooth.

sudo certbot renew --dry-run

Conclusion

That’s All. I hope you learned how to setup Let’s Encrypt SSL Certificate with Nginx on CentOS 7 . Share your feedback in the comments section.

Leave a Reply