How to Secure Nginx with Let’s Encrypt SSL on RHEL / CentOS 7

  • Apr 06, 2020
  • Article · 3 min
  • 691 words

In this tutorial, we are going to setup Let’s Encrypt SSL (free SSL) on CentOS / RHEL 7 server running Nginx webserver. Let’s get started:

Table of Contents

  1. Install Certbot Client
  2. Config Firewall
  3. Generate SSL Certificate
  4. Setup Auto-renewal
  5. Check Certificate Status
  6. Delete Certbot Certificate

Install Certbot Client

To install Certbot client, we’ve to add EPEL reposiory on our server:

sudo yum install epel-release

Now run this command to install Certbot with necessary packages:

sudo yum install httpd mod_ssl python-certbot-nginx

Confirm the installation by typing this command:

certbot --version

Config Firewall

If firewall is running on your server, you’ve to open HTTPS (443) port. If your system is running firewalld, run these commands:

# open 443 port
sudo firewall-cmd --zone=public --permanent --add-service=https
# reload firewall
sudo firewall-cmd --reload

If your system is running iptables, then run these commands:

sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Generate SSL Certificate

We have the necessary modules to generate Let’s Encrypt SSL. To generate certificate for a single domain, run this command:

certbot --nginx -d example.com

To generate SSL for multiple domains or subdomains, run this command:

certbot --nginx -d example.com -d www.example.com

Here, example.com is the base domain.

You can also generate an SSL certificate by choosing a domain name. To do this, run this command to show all hosted domains:

certbot --nginx

Choose one option and run that command what you needed. After successful installation, you will see a message similar to this message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-10-24. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Setup Auto-renewal

We know that Let’s Encrypt certificates are valid for 90 days. But we can renew the certificates very easily. Just run this command before the expiration date:

certbot renew

We can also setup a cronjob to renew automatically. Open the cronjob:

crontab -e

Then add this line:

0 0 * * 1 /usr/bin/certbot renew >> /var/log/sslrenew.log

Check Certificate Status

We have successfully installed Let’s Encrypt SSL. Now let’s check the status of the SSL certificate by visiting this URL:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Delete Certbot Certificate

To delete the certificate we have to run this command:

# to select domain name
certbot delete

# directly assign domain name
certbot delete --cert-name example.com

The article is over. Thanks for reading.

Linux Server RHEL CentOS AlmaLinux

Software Engineer | Ethical Hacker & Cybersecurity...

Md Obydullah is a software engineer and full stack developer specialist at Laravel, Django, Vue.js, Node.js, Android, Linux Server, and Ethichal Hacking.

Random Stories

Laravel 10 How to use FullCalender with Events and Links

article

Laravel 10 - How to Download File in Laravel

article

Laravel How to Create Custom Helper Functions in Laravel

article

How to Remove Null Values From Multidimensional Array In PHP

article

React Props and State and the Difference Between Them

article