Web Servers

How To Secure Nginx Web Server With Let’s Encrypt on CentOS

In this article, we will learn how to secure Nginx web server with Let’s Encrypt on CentOS.

Let’s Encrypt is a Certificate Authority (CA) that provides SSL/TLS encryption at no charges and the certificate is valid for 90 days, duing which renewal can take place at any time. In order to get a certificate for your website’s domain from Let’s Encrypt, you have to demonstrate control over the domain. We recommend that to use the Certbot client. It can automate certificate issuance and installation with no downtime. It’s easy to use, works on many operating systems.

Prerequisites

A CentOS 7 and Nginx installed dedicated server or cloud server with root or non-root access (for non-root, use “sudo”).
Registered domain that you wish to get the certificate.
A DNS A record that points your domain to the public IP address of the server.

1. Install EPEL repository:

# yum install epel-release -y

2. Next, install certbot-nginx package:

# yum install certbot-nginx -y

The certbot Let’s Encrypt client is now installed and ready to use.

3. Obtaining a Certificate

Obtain a certificate using certbot command. The Nginx plugin will take care of reconfiguring Nginx and reloading the config.

# certbot --nginx -d yoursite.com -d www.yousite.com

By running certbot first time, you will be prompted to enter an email address and agree to the terms of service. Next, certbot will communicate with Let’s Encrypt server.
After the successful verification, certbot will ask how you’d like to configure your HTTPS settings:

Output
Please choose whether HTTPS access is required or optional.
-------------------------------------------------------------------------------
1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):

Use any option as per your requirement and hit enter.

That’s it, following message telling you that the process was successfully done and certificate are stored.

Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/yousite.com/fullchain.pem. Your cert will
expire on 2020-08-03. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
“certonly” option. To non-interactively renew *all* of your
certificates, run “certbot renew”
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Try to reload you website using https://

4. Set up cron for auto renewal:

Let’s Encrypt’s certificates are only valid for ninety days. Cron will check for expiring certificate and renew them automatically.

Run following command to edit crontab file.

# crontab -e

Your text editor will open the default crontab. Paste in the following line, then save and close it:

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.

Now, cron will run this command daily and renew automatically all certificates that are installed.

In this article, we have learnt how our support engineers secure Nginx Web server with Let’s Encrypt on CentOS.

[Need assistance to fix this error or install tools? We’ll help you.]

Related Articles