How to Secure Nginx with Let’s Encrypt on CentOS 7?

Let’s Encrypt is a Certificate Authority (CA) that provides free TLS/SSL certificates so you can enable encrypted HTTPS on web servers. Certbot is a software client that automates most (if not all) of the required steps. Certbot currently has plugins for both the Apache and Nginx web servers that automate the entire process of obtaining and installing certificates.

In this tutorial we will show how to obtain a free SSL certificate for Nginx on CentOS 7 using the certbot Let’s Encrypt client. You will also learn how to renew the certificate automatically.

Note: In this tutorial, we will be using www.example.com as a sample registered domain name.

Prerequisites

  • A CentOS 7 server with a non-root user that has sudo privileges.
  • A registered domain name for which you want to install SSL certificates. If you do not have one, MilesWeb offers domain registration services.
  • A DNS “A” record pointing the domain to the public IP address of your server. Let’s Encrypt requires this in order to validate that you own the domain.

Once these prerequisites are in place, it’s time to install the Let’s Encrypt client software.

How to Install SSL on Nginx Web Server?

Installing the Certbot Let’s Encrypt Client

To obtain an SSL certificate from Let’s Encrypt, first install the certbot software on the server. On CentOS 7, the EPEL repository is the recommended source for certbot.

Enable access to the EPEL repository by executing the following command:

sudo yum install epel-release

Once it is enabled, you can obtain the certbot-nginx package with the following command:

sudo yum install certbot-nginx

The certbot Let’s Encrypt client is now installed and ready to use.

Setting up Nginx

Nginx must be installed for the remaining steps. Run the following command in the terminal to install it:

sudo yum install nginx

Start Nginx with the following command:

sudo systemctl start nginx

If your configuration contains the correct server block, Certbot can configure SSL for Nginx automatically. The server_name directive must match the domain name for which a certificate is requested. On a fresh installation, edit the default Nginx configuration file with vi or your favorite text editor:

sudo vi /etc/nginx/nginx.conf

Find the existing server_name line, which by default contains only an underscore:

server_name _;

Next, replace the underscore with the registered domain name.

server_name example.com www.example.com;

Save the file and quit your editor. If you are using vi, enter :x, then y when prompted, to save and quit. Check the syntax of your edited configuration with:

sudo nginx -t

If the command reports no errors, reload Nginx to load the new configuration:

sudo systemctl reload nginx
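As an added example (not part of the original guide), the following shell script performs the server_name edit described above non-interactively and checks that the server block still listens on port 80, which the Certbot nginx plugin needs in order to validate the domain over plain HTTP. The config file path and domain names are arguments; the sample config is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original guide. Replaces the placeholder
# "server_name _;" in an Nginx config with the real domain names and
# checks that the server block listens on port 80 (the Certbot nginx
# plugin validates the domain over plain HTTP before issuing a certificate).

# Usage: set_server_name <config file> <domain> [<domain> ...]
# Prints the resulting server_name line so the change can be verified.
set_server_name() {
    conf="$1"; shift
    names="$*"
    # Only touch the placeholder line; an already-configured name is left alone.
    if grep -q 'server_name[[:space:]]*_;' "$conf"; then
        sed -i "s/server_name[[:space:]]*_;/server_name ${names};/" "$conf"
    fi
    grep -o 'server_name[^;]*;' "$conf" | head -n 1 | tr -s ' '
}

# Returns 0 if some server block listens on port 80 (IPv4 or IPv6 form).
has_http_listener() {
    grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?80([[:space:]]|;)' "$1"
}

# Constructed sample config for a stand-alone run (not the CentOS default file).
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    root         /usr/share/nginx/html;
}
EOF

set_server_name "$sample_conf" example.com www.example.com
# prints: server_name example.com www.example.com;
has_http_listener "$sample_conf" && echo "port 80 listener present"
```

Run `sudo nginx -t` after applying the change to the real file, exactly as in the step above.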

Now, we will be updating the firewall to allow HTTPS traffic on the website.

Updating the Firewall

If a firewall is enabled, make sure ports 80 (HTTP) and 443 (HTTPS) are open to accept website traffic. With firewalld, execute the following commands to open these ports:

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If you are using an iptables firewall, the commands you need to run depend on your current rule set. Adding HTTP and HTTPS access to an initial rule set is as simple as typing:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

It’s time to run Certbot and fetch our certificates.

Obtaining a Certificate

Certbot can obtain SSL certificates through a number of plugins. The Nginx plugin takes care of reconfiguring Nginx and reloading its configuration whenever required. Run it with the following command:

sudo certbot --nginx -d example.com -d www.example.com

The --nginx option selects the Nginx plugin, and each -d option names a domain for which the certificate should be valid.

When you run certbot for the first time, you will be asked to enter an email address and agree to the terms of service. Certbot then communicates with the Let’s Encrypt server and runs a challenge to verify that you control the domain. Nginx is reloaded so that it picks up the new settings. Once certbot has completed the process, a message tells you where your certificates are located:

Output

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/your_domain/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/your_domain/privkey.pem
   Your certificate will expire on 2022-10-20. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Finally, visit your domain in a browser and check for the padlock (SSL) indicator in the address bar, which confirms that the site is now served over HTTPS.

Set Up Auto Renewal

Let’s Encrypt certificates are valid for only ninety days, so we recommend setting up automatic renewal. Open the root crontab with the following command:

sudo crontab -e

The default crontab file will be opened in your text editor. The following line should be pasted in, then saved and closed:

Crontab

. . .

15 3 * * * /usr/bin/certbot renew --quiet

This line runs the command every day at 3:15 am; you can choose any time you like.

The renew command checks all certificates installed on the system and renews any that expire within thirty days. The --quiet option tells Certbot not to print output or wait for user input.

Cron will now run this command every day. Any certificate that expires in less than thirty days is renewed automatically, and Nginx is reloaded to serve the new certificate.
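As an added example (not part of the original guide), this shell script adds the renewal job above to a crontab file exactly once and rejects schedule lines that do not have all five time fields, a mistake that silently leaves certificates unrenewed. It works on a file you pass in; on the real system, export the current crontab with `sudo crontab -l > file`, run the function on that file, and load it back with `sudo crontab file`.

```shell
#!/bin/sh
# Added example, not from the original guide. Installs the daily
# "certbot renew" job into a crontab file exactly once and rejects
# malformed schedule lines (a missing time field silently breaks the job).

RENEW_CMD='/usr/bin/certbot renew --quiet'

# Returns 0 if the line has five schedule fields followed by a command,
# and the schedule fields contain only digits, '*', ',', '-' and '/'.
valid_cron_line() {
    set -f            # stop '*' from expanding to file names during word splitting
    set -- $1
    [ $# -ge 6 ] || return 1
    for field in "$1" "$2" "$3" "$4" "$5"; do
        case "$field" in *[!0-9*,/-]*) return 1 ;; esac
    done
    return 0
}

# Usage: add_renew_job <crontab file> [<schedule>]   (default: 03:15 daily)
# Prints how many renewal jobs the file contains afterwards (expect 1).
add_renew_job() {
    file="$1"
    schedule="${2:-15 3 * * *}"
    line="$schedule $RENEW_CMD"
    valid_cron_line "$line" || { echo "invalid schedule: $schedule" >&2; return 1; }
    # Idempotent: do not append a second copy of an existing job.
    grep -qF "$RENEW_CMD" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
    grep -cF "$RENEW_CMD" "$file"
}

# Constructed crontab for a stand-alone run (not the real root crontab).
tab="$(mktemp)"
add_renew_job "$tab"                 # prints 1
add_renew_job "$tab"                 # still 1, no duplicate added
add_renew_job "$tab" '15 3 *' || echo "rejected short schedule" >&2
```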

Conclusion

Securing an Nginx web server with a Let’s Encrypt certificate gives your visitors an encrypted browsing experience. If you run CentOS 7 servers with Nginx installed, this tutorial is well worth following. Automatic renewal of the SSL certificates also reduces the ongoing maintenance burden.
