Knowledgebase: Support > Linux
Installing And Securing NGINX With Let’s Encrypt On CentOS 7
Posted by Daniel Naval on 11 May 2019 06:27 PM

What is Let’s Encrypt?

It is a new Certificate Authority (CA) that gives website owners or developers an easy way to get and install a free TLS/SSL Certificate. That means, enabling HTTPS Protocol on web servers. This method has been simplified that a software has been provided to automate the process of the entire installation on Apache and NGINX Web Servers. To know more about Let’s Encrypt, you may visit this this LINK.

In this guide, we will be installing Let’s Encrypt using certbot, the Let’s Encrypt client to get a free SSL certificate that we will be using to enable HTTPS on NGINX running on CentOS 7 environment. After this, we will also be setting up the Auto-Renewal of your SSL certificate.

Requirements:
1. CentOS 7
2. Sudo privileges
3. Access and control on your own registered domain

 

Installing the Certbot Client

First step is to install the Certbot client on your server and currently, the best way is using the EPEL Repository.
Typing the command below will let you access the EPEL Repository:

yum -y install epel-release

Once the EPEL Repository has been installed and enabled, you can install the certbot-nginx package using the command below:

yum -y install certbot-nginx

After this, you may now configure the NGINX.

 

Setting Up NGINX

Assuming you already have your NGINX, Certbot will automatically configure the SSL on NGINX but needs to find the server block for your default NGINX Configuration. The Certbot will be looking for the “server_name” parameter from the configuration that will match the domain that you are requesting the certificate for. The configuration file will be “/etc/nginx/nginx.conf”.
You may update the configuration file by entering the command below:

vi /etc/nginx/nginx.conf

Find the parameter for server_name:

server_name _;

Then replace the underscore with:

server_name yourdomain.com www.yourdomain.com;

Save and close the file.

Run the NGINX test to verify the configuration update and check if error shows:

nginx -t

Restart the NGINX once done:

systemctl restart nginx

If you don’t have the NGINX installed yet, please refer to this article for Installing NGINX.

 

Configuring Firewall

Once the Certbot is installed and configured on NGINX, you need to make sure that you configure the Firewall for it to allow incoming traffic on Ports 80 (HTTP) and 443 (HTTPS).

For “iptables” running on your system, your commands will depend on your current rule set. In this guide, we are using the basic configuration setup. Here’s the commands:

iptables -I INPUT -p tcp -m tcp - -dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp - -dport 443 -j ACCEPT

For “firewalld” running on your system, you may use the commands below:

firewall-cmd --add-service =http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent

Alright! Once everything is configured correctly, we can now execute our Certbot to get our free certificates.

 

Getting The SSL Certificate

Since we are using NGINX Web Server in this guide, the Certbot will use the NGINX plugin that will be doing the configuring and reloading of the NGINX configurations for you. To proceed, you can use the command below:

certbot --nginx -d yourdomain.com -d www.yourdomain.com

This command will run the Certbot NGINX Plugin with the “-d” option to specify the domain you wish to install the SSL Certificate.
For the initial run of your Certbot, you will be asked for an email address and shows a Terms of Service that you can agree on. Once you are done with that, the application will be connecting to Let’s Encrypt server and you will be given a challenge to verify that you own the domain.

Then you will be given 2 options on how you would like your HTTPS to be configured. Just select your choice and hit enter.
The configuration will be updated, NGINX will be reloaded and the new settings will be installed. After you have completed, the Certbot will be showing a message that your SSL Certificate has been installed and gives you the location where your certificates are stored.

You may now try to reload your website with HTTPS protocol and see your browser show the padlock from the address bar that confirms it has been successful.

 

Configuring Auto Renewal

These Let’s Encrypt certificates are only valid for 90 days as it is free. But there is an option for you to configure it for an auto renewal. You will be using “cron” to schedule the command to initiate the check and renew the certificates. To open and edit the “cron”, you may use the command below:

crontab -e

Once the file is opened, you may copy the script below and paste on your cron:

30 1 * * 1 /usr/bin/certbot renew --nginx
35 1 * * 1 /etc/init.d/nginx reload

This cron job will run the auto renew every Monday at 1:30 AM and reloads the NGINX service at 1:35 AM.