Let's Encrypt is a free, automatic, and open source certificate provider developed by the Internet Security Research Group (ISRG).
Certificates issued by Let's Encrypt are trusted by all major browsers and are valid for 90 days from the date of issuance.
In this guide, we will provide step-by-step instructions on how to install a free Let's Encrypt SSL certificate on a CentOS 8 system running the Nginx web server. We will also show how to configure Nginx to use the SSL certificate and enable HTTP/2.
Before you start, make sure you meet the following prerequisites: a domain name pointing to your server's public IP address (this guide uses example.com) and Nginx installed on the CentOS 8 server.
Certbot is a free command line tool that simplifies the process of obtaining and renewing Let's Encrypt certificates and automatically enables HTTPS on your server.
The certbot package is not included in the standard CentOS 8 repositories, but the certbot-auto script can be downloaded from the EFF's website.
As root or another user with sudo privileges, use wget to download the certbot-auto script to the /usr/local/bin directory:
sudo wget -P /usr/local/bin https://dl.eff.org/certbot-auto
Once the download is complete, make the file executable:
sudo chmod +x /usr/local/bin/certbot-auto
Diffie–Hellman key exchange (DH) is a method of securely exchanging secret keys on insecure communication channels.
Generate a 2048-bit set of DH parameters with the following command:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
If you want, you can increase the parameter length to 4096 bits, but generation can then take more than 30 minutes, depending on the entropy available on your system.
To obtain an SSL certificate for the domain name, we will use the Webroot plugin, which creates a temporary file in the ${webroot-path}/.well-known/acme-challenge directory to validate the domain requesting the certificate. The Let's Encrypt server makes an HTTP request for this temporary file to verify that the requested domain name resolves to the server running certbot.
To make the process easier, we will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
The following commands create the directory and hand it to the nginx group so the web server can read it, with the setgid bit set so that files created inside inherit that group:
sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicated configuration, create the following two snippets, which will be included in the Nginx server blocks:
sudo mkdir /etc/nginx/snippets
/etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
/etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
The cipher suites in the snippet above are those recommended by Mozilla. OCSP stapling and HTTP Strict Transport Security (HSTS) are enabled, and a few security-related HTTP headers (HSTS, X-Frame-Options, X-Content-Type-Options) are set.
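As an added example that is not part of the original guide, the following Python script parses a flat Nginx snippet such as the ssl.conf above and checks it for the settings the guide relies on: no legacy protocol versions, session tickets off, OCSP stapling backed by a resolver, AEAD-only cipher entries, and an HSTS header with a long max-age sent on all responses. The two embedded snippets are constructed inputs (the first is the guide's own ssl.conf, the second a deliberately weak one), and the one-year HSTS threshold is a value chosen for this example rather than an Nginx or Mozilla constant.

```python
"""Check an Nginx TLS snippet for the hardening the guide relies on.

Added example, not part of the original article. Standard library only.
"""
import re
from typing import Dict, List

# Threshold chosen for this example: one year of HSTS is a common minimum.
MIN_HSTS_MAX_AGE = 31536000
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed input: the ssl.conf snippet as written in the guide.
HARDENED_SNIPPET = """
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
"""

# Constructed input: a weaker snippet of the kind still found on older hosts.
WEAK_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_tickets on;
add_header Strict-Transport-Security "max-age=300";
"""


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive name to the argument lists of all its occurrences.

    Only flat directive lines are handled (enough for snippet files); comments
    are stripped and double-quoted arguments keep their content without quotes.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line[:-1])]
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives


def _last(d: Dict[str, List[List[str]]], name: str, default: List[str]) -> List[str]:
    """Nginx honours the last occurrence of a directive at one level."""
    return d[name][-1] if name in d else default


def audit_tls_snippet(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings: List[str] = []

    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    if not protocols:
        findings.append("ssl_protocols is not set explicitly")
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))

    # Tickets encrypted with a never-rotated key undermine forward secrecy.
    if _last(d, "ssl_session_tickets", ["on"]) != ["off"]:
        findings.append("ssl_session_tickets is not off")

    if _last(d, "ssl_stapling", ["off"]) != ["on"]:
        findings.append("OCSP stapling is off")
    elif "resolver" not in d:
        findings.append("ssl_stapling on but no resolver to fetch OCSP responses")

    # Every positive cipher entry should be an AEAD suite (GCM or CHACHA20);
    # "!"-prefixed entries are exclusions, and group keywords such as HIGH are flagged.
    for token in _last(d, "ssl_ciphers", [""])[0].split(":"):
        if token and not token.startswith("!") and not re.search(r"GCM|CHACHA20", token):
            findings.append("cipher entry that is not an AEAD suite: " + token)

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        args = hsts[-1]
        match = re.search(r"max-age=(\d+)", args[1]) if len(args) > 1 else None
        if match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age is below one year")
        if "always" not in args[2:]:
            findings.append("HSTS header lacks 'always', so error responses omit it")
    return findings


if __name__ == "__main__":
    for name, snippet in (("hardened", HARDENED_SNIPPET), ("weak", WEAK_SNIPPET)):
        result = audit_tls_snippet(snippet)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run it against a copy of your own snippet before `systemctl reload nginx`; the hardened snippet from the guide produces no findings, while the weak one reports six.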
Once these snippets are created, open the domain's server block configuration and include the letsencrypt.conf snippet, like this:
server {
    listen 80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;
}
Reload the Nginx configuration to make the changes take effect:
sudo systemctl reload nginx
Run certbot with the webroot plugin to obtain the SSL certificate for the domain name:
sudo /usr/local/bin/certbot-auto certonly --agree-tos --email [email protected] --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
When you run certbot-auto for the first time, the tool installs some missing dependencies.
Once the SSL certificate is successfully obtained, certbot prints the following information:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now that you have the certificate, edit the domain's server block configuration as follows:
/etc/nginx/conf.d/example.com.conf
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # ... other code
}
With the above configuration, we force HTTPS and redirect the www version to the non-www version.
Finally, reload the Nginx service to make the modification effective:
sudo systemctl reload nginx
Now, open your website with https:// and you will see a green lock icon.
If you test your domain name with the SSL Labs Server Test, you will get an A+ grade, as in the image below:
Let's Encrypt certificates are valid for 90 days. To renew the certificate automatically before it expires, create a cron job that runs twice a day and renews any certificate that is within 30 days of its expiration date.
Use the crontab command to create a new cron job:
sudo crontab -e
Paste the following content (the job checks that certbot-auto is still present, sleeps for a random delay of up to an hour to spread renewal load, then renews quietly and reloads Nginx when a certificate was actually renewed):
0 */12 * * * test -x /usr/local/bin/certbot-auto && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot-auto -q renew --renew-hook "systemctl reload nginx"
Save and close the file.
To test the renewal process, run the renew command with the --dry-run option:
sudo /usr/local/bin/certbot-auto renew --dry-run
If there are no errors, the renewal process works.
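The dry run only proves that the renewal command works today; a monitor that reads the live certificate's expiry independently of cron is what catches a renewal job that later stops running. The following Python script is an added example, not part of the original guide or of certbot: fetch_not_after makes a verified TLS connection and reads the peer certificate's notAfter value, and renewal_status applies the 30-day renewal window the guide describes. The sample expiry date is the one certbot reported earlier in the guide; the default host name and the use of the standard-library ssl module are this example's own choices.

```python
"""Read a server's live certificate expiry and decide whether renewal is due.

Added example, not part of the original guide or of certbot. Standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional

RENEW_WITHIN_DAYS = 30  # renewal window the guide describes (certbot's default)

# Constructed sample: the expiry date certbot reported earlier in the guide,
# in the notAfter format that ssl.getpeercert() returns.
SAMPLE_NOT_AFTER = "Mar 12 00:00:00 2020 GMT"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Open a verified TLS connection (system trust store plus hostname check,
    as a browser would) and return the peer certificate's notAfter string.
    Needs network access to the host."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days from `now` (UTC) until the certificate expires; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    if now is None:
        now = datetime.now(timezone.utc)
    return (expires - now).days


def renewal_status(not_after: str, now_iso: Optional[str] = None) -> Dict[str, object]:
    """Apply the renewal policy. `now_iso` (UTC, ISO 8601) makes the decision testable."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc) if now_iso else None
    days = days_until_expiry(not_after, now)
    return {
        "days_left": days,
        "expired": days < 0,
        "renew_now": days <= RENEW_WITHIN_DAYS,
    }


if __name__ == "__main__":
    import sys

    # Hypothetical default host; pass your own domain as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    status = renewal_status(fetch_not_after(target))
    print(target, status)
    # A non-zero exit lets a monitoring agent alert when renewal is overdue.
    sys.exit(1 if status["renew_now"] else 0)
```

Because the renewal cron job in the guide also runs every twelve hours, a certificate that reports renew_now for more than a day or two means the job is silently failing and is worth investigating before the 90-day lifetime runs out.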
In this article, we showed you how to use the Let's Encrypt client certbot to obtain an SSL certificate for your domain name. We also created Nginx snippets to avoid duplicated configuration and configured Nginx to use the certificate. At the end of the article, we created a cron job to renew the certificate periodically.
To learn more about Certbot, please visit: https://certbot.eff.org/docs/