Last updated on September 12th, 2022 at 09:20 am
Let’s Encrypt offers free SSL certificates that you can easily install on your NGINX server and renew periodically. In this article, we will look at how to install Let’s Encrypt on NGINX in CentOS. You can use it to secure NGINX with Let’s Encrypt.
How To Install Let’s Encrypt on NGINX
Here are the steps to install Let’s Encrypt on NGINX.
1. Add Repository
First we need to add pre-requisite repository for Let’s Encrypt client. Open terminal and run the following commands.
$ sudo yum install epel-release
$ sudo yum update
2. Install Let’s Encrypt client
Run the following command to install the Let’s Encrypt client (certbot) together with its NGINX plugin.
$ sudo yum install certbot python2-certbot-nginx
3. Enable HTTPS in firewall
By default, HTTP port 80 and HTTPS port 443 are blocked in CentOS. Run the following command to open them and allow HTTP and HTTPS traffic.
$ sudo firewall-cmd --permanent --add-service=http --add-service=https
Reload the firewall to apply the changes.
$ sudo firewall-cmd --reload
4. Obtain Let’s Encrypt Certificate
Run the following command to obtain a Let’s Encrypt certificate for NGINX. Replace www.example.com with your domain name.
$ sudo certbot --nginx -d www.example.com
If you want to use the same certificate for multiple domains or for different variations of a domain, add each of them to the above command with an additional -d option.
Here’s an example that obtains a Let’s Encrypt certificate for both www.example.com and example.com:
$ sudo certbot --nginx -d www.example.com -d example.com
Let’s Encrypt will validate your domain using a public key and then start an interactive configuration that asks you to enter an administrator email address and accept their terms and agreement.
It will then ask whether you want to redirect HTTP to HTTPS:
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
After you enter your choice, NGINX will restart and Let’s Encrypt will show you a message saying the installation was successful, along with the file locations of your certificates. Here is an example:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2018-07-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
5. Verify Installation
Reload your website using the https:// protocol, and use a third-party tool such as the SSL Labs Server Test to verify the SSL certificate.
6. Verify Auto Renewal
Let’s Encrypt certificates have a short lifetime of 90 days, after which you need to renew them. The certbot package that we installed automatically sets up a cron job that runs twice a day and renews any certificate that is within 30 days of expiry.
You can test the renewal process with the following command:
$ sudo certbot renew --dry-run
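A manual check that mirrors what the renewal job does, added here as an example (it is not code from the original article): it uses openssl to test each certificate under /etc/letsencrypt/live against the 30-day window. The self-signed certificate helper at the end is a constructed stand-in so the functions can be exercised without a real Let’s Encrypt certificate; openssl is assumed to be installed, as it is on CentOS.

```shell
#!/bin/sh
# Added example, not from the original article: check whether certificates
# issued by certbot are inside its 30-day renewal window.

RENEW_WITHIN_DAYS=30
LIVE_DIR=/etc/letsencrypt/live   # where certbot stores live certificates

# Returns 0 if the certificate in $1 expires within RENEW_WITHIN_DAYS
# (renewal is due), 1 if it is still valid beyond that window.
renewal_due() {
    cert="$1"
    # openssl -checkend exits 0 if the cert is still valid after N seconds,
    # non-zero if it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend $((RENEW_WITHIN_DAYS * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Human-readable expiry, the same date certbot reports as "Your cert will expire on".
expiry_of() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Report every certificate given as an argument, or, with no arguments,
# every fullchain.pem that certbot manages on this host.
check_all() {
    if [ $# -eq 0 ]; then set -- "$LIVE_DIR"/*/fullchain.pem; fi
    for cert in "$@"; do
        [ -f "$cert" ] || continue
        if renewal_due "$cert"; then
            echo "RENEWAL DUE: $cert expires $(expiry_of "$cert")"
        else
            echo "ok: $cert expires $(expiry_of "$cert")"
        fi
    done
}

# Constructed throwaway self-signed certificate for testing the functions above
# without a real certificate: $1 = output path, $2 = lifetime in days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=www.example.com" -days "$2" -out "$1" 2>/dev/null
}
```

Run check_all with no arguments on the server to see every certbot-managed certificate; a line starting with RENEWAL DUE that persists after the next scheduled run means the automatic renewal is not working.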
If you see no errors, you are all set. Hopefully, this article will help you install a Let’s Encrypt SSL certificate in CentOS.
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.