Let’s Encrypt provides free TLS/SSL certificates to help you enable encrypted HTTPS on web servers with the help of a Certificate Authority (CA). Certbot provides a software client that attempts to automate most (if not all) of the required steps to streamline the process. Currently, both Apache and Nginx web servers automate the entire process of obtaining and installing certificates.
With the use of Nginx on CentOS 7, we will demonstrate how to obtain a free SSL certificate using the certbot Let’s Encrypt client. You will also learn how to automatically renew your SSL certificate.
Note: In this tutorial, we will be using www.example.com as a sample registered domain name.
- A non-root CentOS 7 server has sudo privileges.
- A registered domain on which you have to get SSL certificates installed. If it is not available, MilesWeb offers domain registration services of your choice.
- A DNS “A” Record pointing domain to the public IP address of servers. It is essential to have Let’s Encrypt. It validates the ownership of the registered domain.
- After having these prerequisites, it’s time to install the Let’s Encrypt client software.
How to Install SSL on Nginx Web Server?
Installing the Certbot Let’s Encrypt Client
First, for using Let’s Encrypt to obtain an SSL certificate, users need to install the certbot software on the server. EPEL repository is the best medium to install certbot.
Before that, enable its access to the EPEL repository by executing the following command.
sudo yum install epel-release
Once it is enabled, you can obtain the certbot-nginx package with the following command:
sudo yum install certbot-nginx
The certbot Let’s Encrypt is installed and now it is ready to use.
Setting up Nginx
Installing Nginx is required for the further process. Here is the following command to run on the terminal. It will install Nginx.
sudo yum install nginx
Nginx can be started from the following command line:
sudo systemctl start nginx
If your configuration contains the correct server block, Certbot can configure SSL automatically for Nginx. The server_name directive must match the domain name for which a certificate is requested. To update the default configuration file of Nginx when you’re starting, you can use vi or your favorite text editor:
sudo vi /etc/nginx/nginx.conf
Find the server name using the command.
Next, replace the underscore with the registered domain name.
server_name example.com www.example.com;
Close the text editor and save the file. While using vi text editor enter :x, then y when prompted to save and quit.
Save the file and quit your editor. If you are using vi, enter :x, then y when prompted, to save and quit. Make sure your configuration edits follow the following syntax:
sudo nginx –t
Reload Nginx to load new configurations if the above command runs without error. Use the
sudo systemctl reload nginx
Now, we will be updating the firewall to allow HTTPS traffic on the website.
Updating the Firewall
Before enabling the firewall, ensure HTTPS ports 80 and 443 are open to accept website traffic. Execute the following command to open these ports.
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you are using an iptables firewall, the commands you need to run depend on your current rule set. Adding HTTP and HTTPS access to an initial rule set is as simple as typing:
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
It’s time to run Certbot and fetch our certificates.
Obtaining a Certificate
With plugins, there are various ways in which Certbot provides SSL certificates. The Nginx plugin will look after the reconfiguration of the SSL part when required. Use the following command for reconfiguration.
sudo certbot --nginx -d example.com -d www.example.com
Using -d, we specify the names for which we wish to validate the certificate using certbot with the –nginx plugin.
Upon running certbot for the first time, you will be asked to enter an email address and agree to the terms of service. Certbot will then communicate with Let’s Encrypt, then run a challenge to verify that you are the owner of the domain. To pick up the new settings, Nginx will reload with the updated configuration. A message will appear once certbot has completed the process, telling you where your certificates are located:
– Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:
Your certificate will expire on 2022-10-20. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the “certonly” option. To non-interactively
renew *all* of your certificates, run “certbot renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt:
Donating to EFF: https://eff.org/donate-le
Set Up Auto Renewal
The Let’s Encrypt certificates are validated only for ninety days. We would recommend you set up an auto-renewal process with the following command.
sudo crontab –e
The default crontab file will be opened in your text editor. The following line should be pasted in, then saved and closed:
. . .
15 3 * /usr/bin/certbot renew –quiet
It means that the following command should be run every day at 3:15 am. It is up to you when you choose.
With the renew command for Certbot, all certificates installed on the system will be checked and updated if they expire within thirty days. The –quiet option instructs Certbot not to output information or wait for user input.
Cron will now run this command every day. In the event that a certificate expires in less than thirty days, it will be automatically renewed and reloaded.
Safeguarding Nginx web servers with Let’s Encrypt certificate gives a secured web browsing experience to clients. If you have servers with the CentOS 7 version and Nginx installed on them, this tutorial is a must to follow. Also, auto-renewal of SSL certificates reduces the technical burden.