Installing And Securing NGINX With Let’s Encrypt On CentOS 7
Posted by Daniel Naval on 11 May 2019 06:27 PM
What is Let’s Encrypt?
It is a new Certificate Authority (CA) that gives website owners and developers an easy way to obtain and install a free TLS/SSL certificate, that is, to enable HTTPS on their web servers. The process has been simplified further by client software that automates the entire installation on Apache and NGINX web servers. To know more about Let’s Encrypt, you may visit this LINK.
In this guide, we will install Let’s Encrypt using certbot, the Let’s Encrypt client, to get a free SSL certificate that we will use to enable HTTPS on NGINX running on CentOS 7. After that, we will also set up auto-renewal of your SSL certificate.
Installing the Certbot Client
The first step is to install the Certbot client on your server; currently, the best way is through the EPEL repository.
yum -y install epel-release
Once the EPEL repository has been installed and enabled, you can install the certbot-nginx package with the command below:
yum -y install certbot-nginx
After this, you can configure NGINX.
Setting Up NGINX
Assuming you already have NGINX installed, Certbot will configure SSL on NGINX automatically, but it needs to find the server block in your default NGINX configuration. Certbot looks for the “server_name” directive whose value matches the domain you are requesting the certificate for. The configuration file is “/etc/nginx/nginx.conf”.
Find the server_name directive (in the default configuration it reads server_name _;):
Then replace the underscore with:
server_name yourdomain.com www.yourdomain.com;
Save and close the file.
Run the NGINX configuration test to verify the update and check that no errors are shown:
Restart NGINX once done:
systemctl restart nginx
If you don’t have NGINX installed yet, please refer to this article on installing NGINX.
Once Certbot is installed and NGINX is configured, make sure the firewall allows incoming traffic on ports 80 (HTTP) and 443 (HTTPS); Certbot also needs port 80 reachable from the Internet to validate that you control the domain.
If “iptables” is running on your system, the commands will depend on your current rule set. In this guide, we use the basic configuration. Here are the commands:
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
If “firewalld” is running on your system, you may use the commands below:
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
Alright! Once everything is configured correctly, we can run Certbot to get our free certificate.
Getting The SSL Certificate
Since we are using the NGINX web server in this guide, Certbot will use its NGINX plugin, which configures and reloads NGINX for you. To proceed, use the command below:
certbot --nginx -d yourdomain.com -d www.yourdomain.com
This command runs the Certbot NGINX plugin; the “-d” option specifies each domain you wish to install the SSL certificate for.
You will then be given two options for how HTTPS should be configured (whether or not HTTP requests are redirected to HTTPS). Just select your choice and press Enter.
You may now reload your website over HTTPS; the padlock in the browser’s address bar confirms that it has been successful.
Configuring Auto Renewal
These Let’s Encrypt certificates are free, and they are only valid for 90 days. But you can configure them for auto-renewal. You will use “cron” to schedule the command that checks and renews the certificates. To open and edit the crontab, you may use the command below:
Once the file is open, copy the lines below and paste them into your crontab:
30 1 * * 1 /usr/bin/certbot renew --nginx
35 1 * * 1 /usr/bin/systemctl reload nginx
This cron job runs the auto-renewal every Monday at 1:30 AM and reloads the NGINX service at 1:35 AM (CentOS 7 uses systemd, so the service is reloaded with systemctl, as in the restart step above).
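A renewal job that fails quietly (for example because port 80 was closed again) is only noticed when visitors see an expired-certificate error. The script below, added here as an example and not part of the original article, is a small watchdog to run from the same crontab: it reports the days remaining on the live certificate and exits non-zero when renewal has fallen behind. It assumes the openssl CLI and GNU date (both present on CentOS 7), and the certificate path is the one Certbot uses for the domain in this guide.

```shell
#!/bin/sh
# Added example (not from the original article): a renewal watchdog to
# pair with the 'certbot renew' cron job. It prints how many days remain
# on a certificate and fails when renewal has fallen behind, so a silent
# renewal failure is caught before the certificate actually expires.
# Assumes the openssl CLI and GNU date (CentOS 7 coreutils).

# Print the number of whole days until the certificate in $1 expires.
cert_days_left() {
    pem="$1"
    # openssl prints e.g. "notAfter=May 11 18:27:00 2029 GMT"
    end="$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)" || return 1
    end_epoch="$(date -d "${end#notAfter=}" +%s)" || return 1
    now_epoch="$(date +%s)"
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 when at least $2 days remain (default 20). Let's Encrypt issues
# 90-day certificates and certbot renews them 30 days before expiry, so
# fewer than 20 days left means the weekly renewal has been failing.
check_renewal() {
    pem="$1"
    threshold="${2:-20}"
    days="$(cert_days_left "$pem")" || { echo "cannot read $pem" >&2; return 2; }
    if [ "$days" -lt "$threshold" ]; then
        echo "WARNING: $pem expires in $days days (threshold $threshold)" >&2
        return 1
    fi
    echo "OK: $pem expires in $days days"
    return 0
}

# Typical cron invocation, after the 'certbot renew' job, using Certbot's
# live path for the domain configured in this guide:
#   check_renewal /etc/letsencrypt/live/yourdomain.com/fullchain.pem 20
```

Cron mails the WARNING line to the crontab owner (or whatever MAILTO is set to), which is the alert you want before the 90 days run out.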