
How To Install Let’s Encrypt on NGINX

Let’s Encrypt offers free SSL certificates that you can easily install on your NGINX server and renew periodically. In this article, we will look at how to install Let’s Encrypt on NGINX in CentOS. You can use it to secure NGINX with Let’s Encrypt.


How To Install Let’s Encrypt on NGINX

Here are the steps to install Let’s Encrypt on NGINX.


1. Add Repository

First, add the EPEL repository, which is a prerequisite for the Let’s Encrypt client. Open a terminal and run the following commands.

$ sudo yum install epel-release 
$ sudo yum update



2. Install Let’s Encrypt client

Run the following command to install the Let’s Encrypt client (certbot) and its NGINX plugin.

$ sudo yum install certbot python2-certbot-nginx



3. Enable HTTPS in firewall

By default, HTTP port 80 and HTTPS port 443 are blocked in CentOS. Run the following command to open them and allow HTTP and HTTPS traffic.

$ sudo firewall-cmd --permanent --add-service=http --add-service=https

Reload the firewall to apply the changes.

$ sudo firewall-cmd --reload



4. Obtain Let’s Encrypt Certificate

Run the following command to obtain a Let’s Encrypt certificate for NGINX. Replace www.example.com with your domain name.

$ sudo certbot --nginx -d www.example.com

If you want to use the same certificate for multiple domains, or for different variations of a domain, add each one to the above command with its own -d option.

Here’s an example that obtains a Let’s Encrypt certificate for www.example.com as well as example.com:

$ sudo certbot --nginx -d www.example.com -d example.com

Let’s Encrypt will validate your domain using a public key and start an interactive configuration that requires you to enter an administrator email address and accept its terms of service.

It will further ask you if you want to redirect HTTP to HTTPS or not.

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. 
------------------------------------------------------------------------------- 
1: No redirect - Make no further changes to the webserver configuration. 
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. 
------------------------------------------------------------------------------- 
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

After you enter your choice, NGINX will restart and Let’s Encrypt will show you a message saying the installation was successful, along with the file locations of your certificates. Here is an example:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le



5. Verify Installation

Reload your website using the https:// protocol, and use a third-party tool such as SSL Labs Server Test to verify the SSL certificate.



6. Verify Auto Renewal

Let’s Encrypt certificates are valid for only 90 days, after which they must be renewed. The certbot package that we installed automatically installs a cron job that runs twice a day and renews any certificate within 30 days of expiry.

You can test the renewal process with the following command:

$ sudo certbot renew --dry-run

If you see no errors, you are all set. Hopefully, this article will help you install a Let’s Encrypt SSL certificate on CentOS.
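
To confirm that the renewal described in step 6 is actually keeping certificates fresh, the following script checks each certificate under the live directory against the 30-day renewal window and flags private keys that group or other users can access. It is an added example, not part of the original article or of certbot; it assumes openssl and GNU stat are installed, and the function names and RENEW_WINDOW_DAYS are illustrative.

```sh
#!/bin/sh
# Added example, not from the article: audit certbot's live directory.
# Assumes openssl and GNU/busybox stat, and the layout from the certbot output:
#   <live>/<name>/fullchain.pem and <live>/<name>/privkey.pem

RENEW_WINDOW_DAYS=30   # renewal window stated in the article

# cert_state FILE -> ok | due | expired | unreadable
cert_state() (
    window=$((RENEW_WINDOW_DAYS * 86400))
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo unreadable     # missing file or not a PEM certificate
    elif ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend "$window" -in "$1" >/dev/null 2>&1; then
        echo due            # inside the window: renewal has not happened
    else
        echo ok
    fi
)

# key_state FILE -> ok | exposed | missing  (follows symlinks into archive/)
key_state() (
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || { echo missing; exit 0; }
    case $mode in
        *00|0) echo ok ;;        # no group/other permission bits
        *)     echo exposed ;;
    esac
)

# audit_live [DIR] -> one line per lineage; non-zero status if any needs attention
audit_live() (
    live=${1:-/etc/letsencrypt/live}
    rc=0
    for dir in "$live"/*/; do
        [ -d "$dir" ] || continue
        c=$(cert_state "${dir}fullchain.pem")
        k=$(key_state "${dir}privkey.pem")
        printf '%s cert=%s key=%s\n' "$(basename "$dir")" "$c" "$k"
        [ "$c" = ok ] && [ "$k" = ok ] || rc=1
    done
    [ "$rc" -eq 0 ]
)

# Runs only when given a directory, e.g.: sudo sh audit.sh /etc/letsencrypt/live
if [ "$#" -gt 0 ]; then audit_live "$1"; fi
```

A `due` or `expired` result means the scheduled renewal is not running, which a successful `certbot renew --dry-run` alone does not reveal.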
