How to Secure Nginx with Let’s Encrypt SSL on RHEL / CentOS 7
In this tutorial, we are going to set up Let’s Encrypt SSL (a free SSL certificate) on a CentOS / RHEL 7 server running the Nginx web server. Let’s get started:
Table of Contents
- Install Certbot Client
- Config Firewall
- Generate SSL Certificate
- Setup Auto-renewal
- Check Certificate Status
- Delete Certbot Certificate
Install Certbot Client
To install the Certbot client, we have to add the EPEL repository on our server:
sudo yum install epel-release
Now run this command to install Certbot together with its Nginx plugin (Apache’s httpd and mod_ssl are not needed on an Nginx server and would compete for port 80):
sudo yum install certbot python-certbot-nginx
Confirm the installation by typing this command:
certbot --version
Config Firewall
If a firewall is running on your server, you have to open the HTTPS port (443). Certbot’s Nginx plugin also answers the Let’s Encrypt validation challenge over plain HTTP, so port 80 (the http service in firewalld) must stay reachable as well. If your system is running firewalld, run these commands:
# open 443 port
sudo firewall-cmd --zone=public --permanent --add-service=https
# reload firewall
sudo firewall-cmd --reload
If your system is running iptables, run this command instead (note that the rule is not persistent: save the iptables rule set afterwards or it will be lost on reboot):
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Generate SSL Certificate
We now have everything needed to obtain a Let’s Encrypt SSL certificate. To generate a certificate for a single domain, run this command:
certbot --nginx -d example.com
To generate one certificate that covers multiple domains or subdomains, run this command:
certbot --nginx -d example.com -d www.example.com
Here, example.com is the base domain.
You can also pick the domain from a list instead of typing it. Run Certbot without -d and it shows all domains found in your Nginx configuration:
certbot --nginx
Choose the number of the domain you need and Certbot does the rest. After a successful installation, you will see a message similar to this one:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-10-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Setup Auto-renewal
Let’s Encrypt certificates are valid for 90 days, but renewing them is easy. Just run this command before the expiration date:
certbot renew
We can also set up a cron job to renew automatically. Certbot needs root to write to /etc/letsencrypt and reload Nginx, so open the root crontab:
sudo crontab -e
Then add this line (it runs every Monday at midnight; Certbot only replaces certificates that are within 30 days of expiry, so most runs do nothing, and 2>&1 keeps any error output in the log):
0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log 2>&1
Check Certificate Status
We have successfully installed the Let’s Encrypt SSL certificate. Now let’s check its status by visiting this URL:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com
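The SSL Labs test is a remote check. As an added example (not part of the original article), here is a small shell script that inspects the certificate a host actually serves from the command line, reports how many days are left, and applies the same 30-day rule that certbot renew uses, which is why the weekly cron job in the previous section is enough. It assumes GNU date and the openssl command line tool, both present on CentOS / RHEL 7; the domain and port are placeholders passed as arguments, and fetch_not_after is the only part that needs network access.

```shell
#!/bin/sh
# Added example: local certificate expiry check mirroring certbot's renewal window.
# Assumes GNU date (for `date -d`) and the openssl CLI. Not part of the article.
set -eu

# Print the whole days left between a certificate's notAfter string, as printed
# by `openssl x509 -enddate` (e.g. "Oct 24 12:00:00 2019 GMT"), and "now".
# The optional second argument is "now" in epoch seconds so the arithmetic can
# be checked against a fixed clock instead of the real one.
cert_days_left() {
    not_after="$1"
    now="${2:-$(date -u +%s)}"
    expiry=$(date -u -d "$not_after" +%s)
    echo $(( (expiry - now) / 86400 ))
}

# certbot renew only replaces a certificate when fewer than 30 days remain
# (its default renew_before_expiry). Returns 0 when renewal is due.
renewal_due() {
    days="$1"
    threshold="${2:-30}"
    [ "$days" -lt "$threshold" ]
}

# Fetch the leaf certificate a server presents for a domain (using SNI, so
# virtual hosts get the right certificate) and print its notAfter value.
# Needs network access; the domain and port are placeholders.
fetch_not_after() {
    domain="$1"
    port="${2:-443}"
    echo | openssl s_client -servername "$domain" -connect "$domain:$port" 2>/dev/null \
        | openssl x509 -noout -enddate \
        | sed 's/^notAfter=//'
}

# Usage: ./cert-check.sh example.com [port]
if [ -n "${1:-}" ]; then
    na=$(fetch_not_after "$1" "${2:-443}")
    left=$(cert_days_left "$na")
    printf '%s expires on %s (%s days left)\n' "$1" "$na" "$left"
    if renewal_due "$left"; then
        echo "renewal window reached: run 'certbot renew' or wait for the cron job"
    else
        echo "certificate is fine: certbot renew will be a no-op until 30 days before expiry"
    fi
fi
```

Run it as ./cert-check.sh example.com after installing the certificate, or point it at a non-standard port. Because it reads the certificate the server really sends (rather than the files under /etc/letsencrypt), it also catches the case where renewal succeeded but Nginx was never reloaded and is still serving the old certificate.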
Delete Certbot Certificate
To delete a certificate, run one of these commands:
# to select domain name
certbot delete
# directly assign domain name
certbot delete --cert-name example.com
That’s the end of the article. Thanks for reading.
Md Obydullah
Software Engineer | Ethical Hacker & Cybersecurity...
Md Obydullah is a software engineer and full stack developer specialising in Laravel, Django, Vue.js, Node.js, Android, Linux servers, and ethical hacking.