Let’s Encrypt is a free Certificate Authority (CA) that issues TLS certificates, letting you serve your websites over encrypted HTTPS. Certbot is the client that automates requesting the certificate, proving control of the domain, and installing the result. For both Apache and Nginx, Certbot can carry out the whole process, including editing the web server configuration.
This tutorial walks through obtaining a free certificate with the Certbot Let’s Encrypt client for Nginx on CentOS 7, and then setting up automatic renewal so the certificate never silently expires.
Note: Throughout this tutorial, we will use www.example.com as a placeholder domain name. Replace it with your actual domain.
Prerequisites
- A CentOS 7 server with a non-root user that has sudo privileges.
- A registered domain name for which you need to obtain an SSL certificate. If you don’t have one, Bluehoster offers domain registration services.
- A DNS “A” record that points your domain to the public IP address of your server. Let’s Encrypt validates control of the domain by connecting to it over HTTP, so the record must already resolve to this server before you run Certbot. If the domain also has an “AAAA” record, it must point at this server too, because validation uses IPv6 when it is available.
After you have met these requirements, you’re ready to install the Let’s Encrypt client.
How to Install SSL on Nginx Web Server?
Installing the Certbot Let’s Encrypt Client
To use Let’s Encrypt and obtain an SSL certificate, you need to install the Certbot software on your server. The EPEL repository provides a good method to install Certbot.
First, enable access to the EPEL repository with the following command:
sudo yum install epel-release
After enabling the repository, install the certbot-nginx package using:
sudo yum install certbot-nginx
Certbot is now installed and ready to be used.
Setting up Nginx
Installing Nginx is required for the next stage. Run the command below to install Nginx:
sudo yum install nginx
You can start Nginx with this command:
sudo systemctl start nginx
Certbot can automatically configure TLS for Nginx only if it can find a server block for the domain: the Nginx plugin selects the block to modify by matching the server_name directive, so it must list exactly the names you will request a certificate for. To edit the default Nginx configuration file, use `vi` or your preferred text editor:
sudo vi /etc/nginx/nginx.conf
Locate the server_name line:
server_name _;
Replace the underscore with your registered domain name:
server_name example.com www.example.com;
Save and close the file. In `vi`, press `Esc` and type `:x` (or `:wq`) to save and quit.
Ensure your configuration changes have the correct syntax:
sudo nginx -t
If that command executes without errors, reload Nginx for the changes to take effect:
sudo systemctl reload nginx
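Because the Nginx plugin locates the server block by its server_name, a mismatch between that directive and the names you pass to Certbot is the usual reason the automated install fails. The following preflight check is an added example, not part of the original tutorial or of Certbot: it lists every name covered by a server_name directive in a configuration file and reports any requested domain that is missing. The configuration it reads is a constructed sample, and the sed/grep invocations assume the GNU tools shipped with CentOS 7.

```shell
# Preflight check: does every domain we will pass to `certbot --nginx -d ...`
# appear in a server_name directive? (Added example; not Certbot's own code.)

server_names_in() {
    # Print every name listed in any server_name directive of $1, one per
    # line, ignoring commented-out text and the catch-all "_".
    sed -e 's/#.*$//' "$1" \
      | grep -oE 'server_name[[:space:]]+[^;]+' \
      | sed -E 's/^server_name[[:space:]]+//' \
      | tr ' \t' '\n\n' \
      | grep -v '^_$' | grep -v '^$' | sort -u
}

missing_server_names() {
    # Usage: missing_server_names CONF DOMAIN...
    # Prints each DOMAIN that no server_name covers; exits 1 if any is missing.
    conf=$1; shift
    names=$(server_names_in "$conf")
    rc=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$d"; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configuration (not a real server's nginx.conf): one
# block edited as the tutorial describes, one left with the default "_".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
http {
    server_names_hash_bucket_size 64;
    server {
        listen 80 default_server;
        server_name example.com www.example.com;   # edited for Certbot
    }
    server {
        listen 8080;
        server_name _;
    }
}
EOF

# Same names as the tutorial's certbot command: passes.
if missing_server_names "$SAMPLE_CONF" example.com www.example.com; then
    echo "ok: all requested names are covered by a server_name"
fi
# A name that was never added to nginx.conf: reported before Certbot runs.
if ! missing_server_names "$SAMPLE_CONF" example.com mail.example.com; then
    echo "add the name(s) above to server_name before running certbot"
fi
```

Run it with the real path (`/etc/nginx/nginx.conf` on CentOS 7) and the same list of domains you intend to give to `certbot -d`; fix any name it prints before continuing.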
Now, we need to allow HTTPS traffic on your website by updating the firewall.
Updating the Firewall
If firewalld is running, make sure ports 80 (HTTP) and 443 (HTTPS) are open: port 80 is needed for the Let’s Encrypt validation request as well as for normal traffic, and port 443 for HTTPS. Use the following commands:
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent
If you’re using an `iptables` firewall instead, the exact commands depend on your current rule set. To add HTTP and HTTPS access to a basic rule set, use these commands:
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Rules added this way are not kept across a reboot unless you save them (for example with the iptables-services package and `service iptables save`).
Now you’re ready to run Certbot and obtain your certificates.
Obtaining a Certificate
Certbot uses plugins to obtain certificates in various ways. The Nginx plugin answers the Let’s Encrypt HTTP validation challenge through your running Nginx and then rewrites the matching server block to use the new certificate. Use the following command to start the automated process:
sudo certbot --nginx -d example.com -d www.example.com
Each -d flag adds a domain name that the certificate must cover. Every name you list is validated separately, so each one must resolve to this server and appear in the server_name directive you edited above.
When you run Certbot for the first time, you will be asked for an email address (used for expiry and security notices) and to agree to the terms of service. Depending on the Certbot version, it may also ask whether to redirect HTTP requests to HTTPS; choosing the redirect is recommended so plaintext requests are upgraded. Certbot then contacts Let’s Encrypt, completes the challenge that proves control of the domain, installs the certificate and reloads Nginx with the updated configuration. On completion it prints where the files are located:
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your certificate will expire on 2022-10-20. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Open https://www.example.com in a browser and check the address bar for the padlock. The padlock confirms that the browser accepted the certificate for that name and that the connection is encrypted; it says nothing about the security of the application behind it.
Set Up Auto Renewal
Let’s Encrypt certificates are valid for 90 days, so renewal must be automated rather than left to memory. Open the root crontab with the following command:
sudo crontab -e
This will open your crontab file in a text editor. Paste the following line into the file, then save and close it:
Crontab
. . .
15 3 * * * /usr/bin/certbot renew --quiet
This will execute the Certbot renew command every day at 3:15 am. You can change the schedule as needed.
The Certbot renew command checks every certificate Certbot manages on the server and renews any that will expire within 30 days, then reloads Nginx through the plugin that installed the certificate. The --quiet option suppresses output and never waits for input, which is what you want in cron but also means a failing renewal is silent. Check the log in /var/log/letsencrypt/ occasionally, and test the whole chain once without touching your real certificate:
sudo certbot renew --dry-run
Cron will now run the renewal command daily. Any expiring certificates will be renewed automatically and Nginx reloaded to pick them up.
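To see what the daily cron job is deciding on your behalf, here is the same expiry test done by hand with the openssl command line. This is an added example, not code from the tutorial or from Certbot: needs_renewal succeeds when a certificate expires within a threshold of days (30 by default, matching Certbot's renewal window). The two certificates it inspects are self-signed ones generated on the spot as constructed input; on a real server you would point it at /etc/letsencrypt/live/<domain>/fullchain.pem instead. It assumes the openssl CLI as shipped with CentOS 7.

```shell
# Manual version of the check `certbot renew` performs (added example).

cert_not_after() {
    # Print the certificate's notAfter date exactly as openssl reports it.
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

needs_renewal() {
    # Usage: needs_renewal CERT [THRESHOLD_DAYS]   (default 30 days)
    # Exit 0 if CERT expires within the threshold, 1 if it is still fine.
    # `openssl x509 -checkend N` exits 0 when the certificate is still valid
    # N seconds from now and 1 when it will have expired, so we invert it.
    cert=$1
    threshold=${2:-30}
    if [ ! -r "$cert" ]; then
        echo "cannot read certificate: $cert" >&2
        return 2
    fi
    if openssl x509 -noout -checkend $((threshold * 86400)) -in "$cert" >/dev/null; then
        return 1      # valid for at least THRESHOLD more days
    fi
    return 0          # expires within THRESHOLD days: renew
}

make_sample_cert() {
    # Usage: make_sample_cert OUT.pem DAYS
    # Constructed test input: a throwaway self-signed certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=www.example.com" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

SAMPLE_DIR=$(mktemp -d)
make_sample_cert "$SAMPLE_DIR/fresh.pem" 90    # just issued, 90-day lifetime
make_sample_cert "$SAMPLE_DIR/old.pem" 10      # 80 days in, 10 days left

for c in "$SAMPLE_DIR/fresh.pem" "$SAMPLE_DIR/old.pem"; do
    if needs_renewal "$c"; then
        echo "$c expires $(cert_not_after "$c"): renew now"
    else
        echo "$c expires $(cert_not_after "$c"): no action"
    fi
done
```

The threshold argument is there so you can reason about the window: with the tutorial's daily cron job a certificate has about 30 attempts before it actually expires, so a single transient failure of the job is harmless, but a failure that persists for weeks is not.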
Serving your Nginx site with a Let’s Encrypt certificate gives your visitors an encrypted connection and a certificate that browsers trust. On CentOS 7 with Nginx, the steps above are all that is needed, and the automatic renewal job removes the one piece of ongoing maintenance that certificates otherwise require.