Let’s Encrypt is an open and free certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are trusted by almost all browsers today. In this tutorial, we will provide step-by-step instructions on how to secure your Nginx server with Let’s Encrypt using the certbot tool on CentOS 7.
Prerequisites
Make sure you have met the following prerequisites before continuing with this tutorial:
1. You have a domain name that points to your server’s public IP address. In this tutorial we will use the example.com domain.
2. You have enabled the EPEL repository and installed Nginx by following the tutorial How to Install Nginx on CentOS 7.
Install Certbot
Certbot is a full-featured and easy-to-use tool that automates obtaining and renewing Let’s Encrypt SSL certificates. Certbot can also adjust the web server configuration so that the certificates are used directly. To install the certbot package from the EPEL repository, run the following command:
Create a Diffie-Hellman (DH) Key Exchange Parameter File
Diffie-Hellman key exchange (DH) is a method for securely exchanging cryptographic keys over an insecure communication channel. We will generate a new set of 2048-bit DH parameters to strengthen security:
If you want to be extra cautious, you can increase the size to 4096 bits, but in that case the generation can take more than 30 minutes depending on your system’s processing power.
Obtain a Let’s Encrypt SSL Certificate
To obtain an SSL certificate for a domain, we will use the Webroot plugin, which works by placing a temporary validation file for the requested domain under the .well-known/acme-challenge/ directory of the web root:
The Let’s Encrypt server makes an HTTP request to that temporary file to verify that the requested domain resolves to the server where certbot is running. To keep things simple, we will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt. The following commands create the directory and make it writable by the Nginx server:
sudo mkdir -p /var/lib/letsencrypt
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
To avoid duplicating configuration, create the following two snippets, which we will include in all Nginx server block files. Open your text editor and create the letsencrypt.conf snippet in the Nginx snippets directory (so that it can be included as snippets/letsencrypt.conf):
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}
Create an ssl.conf snippet that uses the cipher suite list recommended by Mozilla, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and adds a few security-related HTTP headers:
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

# OCSP stapling: nginx fetches the OCSP response itself and sends it with the handshake
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

# HSTS: browsers that have seen this header use HTTPS only for the next six months;
# add "; includeSubdomains" once every subdomain is served over HTTPS as well
add_header Strict-Transport-Security "max-age=15768000";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
After the snippets are created, open your domain’s server block and include the letsencrypt.conf snippet as shown below:
server {
    listen 80;
    server_name example.com www.example.com;

    include snippets/letsencrypt.conf;
}
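Before running certbot (and once Nginx has been restarted with the block above, which the next step does), it is worth confirming that the challenge path is really served from the webroot, because a missing include or wrong directory permission is the most common reason the validation fails. The script below is an added example and not part of the original tutorial. It assumes curl is installed, defaults to the tutorial’s /var/lib/letsencrypt webroot, and writes a constructed token file of its own, which it removes again:

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a preflight check for the
# http-01 webroot mapping before certbot is run for real.
#
# The Let's Encrypt server validates http-01 by fetching
#   http://<domain>/.well-known/acme-challenge/<token>
# over plain HTTP (port 80). This script places a constructed token file in the
# webroot served by the letsencrypt.conf snippet, fetches it the way the CA
# would, compares the body, and removes the file again.
# Assumptions: curl is installed; the webroot is /var/lib/letsencrypt as in
# the tutorial (pass a different path as the second argument otherwise).
set -u

# challenge_path WEBROOT TOKEN -> filesystem path nginx serves the token from
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# challenge_url HOST TOKEN -> the URL the ACME server will request
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# random_token -> 43-character base64url string, the alphabet ACME tokens use
random_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
    printf '\n'
}

# write_challenge WEBROOT TOKEN -> creates the token file and prints its path;
# fails here if the directory permissions from the chgrp/chmod step are wrong
write_challenge() {
    path=$(challenge_path "$1" "$2")
    mkdir -p "$(dirname "$path")"
    printf '%s' "$2" > "$path"
    printf '%s\n' "$path"
}

# body_matches FILE TOKEN -> 0 if the file body is exactly the token
body_matches() {
    [ "$(cat "$1")" = "$2" ]
}

# preflight HOST WEBROOT -> 0 if nginx serves the token over HTTP, 1 otherwise
preflight() {
    host=$1
    webroot=$2
    token=$(random_token)
    path=$(write_challenge "$webroot" "$token") || return 1
    body_matches "$path" "$token" || { echo "FAIL: could not write $path" >&2; rm -f "$path"; return 1; }
    # No -L here: the CA does follow redirects, but a redirect on this path
    # usually means the port-80 server block lacks the letsencrypt.conf include.
    body=$(curl -s --max-time 10 "$(challenge_url "$host" "$token")") || body=""
    rm -f "$path"
    if [ "$body" = "$token" ]; then
        echo "OK: $host serves challenge files from $webroot"
        return 0
    fi
    echo "FAIL: $host did not return the token (got: '${body:-<empty>}')" >&2
    return 1
}

# Usage: sh acme-preflight.sh example.com /var/lib/letsencrypt
[ "$#" -eq 2 ] && preflight "$1" "$2"
```

Run it as root (so the token file can be written into the webroot) against the same hostname you will pass to certbot; if the www host is also going to be on the certificate, run it once per hostname, since each one is validated separately.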
Restart the Nginx service so that the changes take effect:
You can now run Certbot with the webroot plugin and obtain the SSL certificate files by typing:
If the SSL certificate is obtained successfully, certbot will print the following message:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
Now that you have the certificate files, edit your domain’s server block as follows:
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}
With the above configuration we redirect all HTTP traffic to HTTPS and the www version of the site to the non-www version. Restart the Nginx service so that the changes take effect:
How to Auto-renew the Let’s Encrypt SSL Certificate
Let’s Encrypt certificates are valid for 90 days. To renew the certificates automatically before they expire, certbot is run from a cron job twice a day; it renews any certificate that is within 30 days of expiry. Run the crontab command to create a new cron job:
Copy and paste the following lines into the editor:
Save and close the file. In vi: press ESC, type :wq (the command appears at the bottom left of the screen) and press Enter. To test the renewal process, run the certbot command with the --dry-run flag:
If there are no errors, the test renewal was successful. Hope it is useful for you guys. Thank you.
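The dry run shows that certbot is able to renew; an independent check that renewals actually keep happening is also worth having, because a cron job that stops working fails silently until the certificate expires. The script below is an added example and not part of the original tutorial. It relies on the openssl command-line tool, reads the certificate from certbot’s live directory shown earlier (/etc/letsencrypt/live/example.com/fullchain.pem), and applies the same 30-day window the cron job uses; the make_demo_cert helper only produces constructed self-signed certificates so the logic can be exercised without a real domain:

```shell
#!/bin/sh
# Added example, not part of the original tutorial: an independent check that a
# certificate is still outside certbot's renewal window. The cron job renews
# anything within 30 days of expiry, so a certificate that is inside that
# window means the automatic renewal has not been running (or has been failing).
# Assumption: the openssl command-line tool is installed.
set -u

RENEW_WINDOW_DAYS=30

# cert_not_after PEM -> the certificate's notAfter timestamp, as printed by openssl
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_valid_for_days PEM DAYS -> 0 if the certificate is still valid DAYS from now
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_needs_renewal PEM -> 0 when the certificate is inside the renewal window
cert_needs_renewal() {
    if cert_valid_for_days "$1" "$RENEW_WINDOW_DAYS"; then
        return 1
    fi
    return 0
}

# check_live_cert DOMAIN -> status line for certbot's live directory layout;
# exit 0 = fine, 1 = renewal overdue, 2 = certificate file not readable
check_live_cert() {
    pem="/etc/letsencrypt/live/$1/fullchain.pem"
    if [ ! -r "$pem" ]; then
        echo "ERROR: $pem not readable (run as root, or the certificate was never issued)" >&2
        return 2
    fi
    if cert_needs_renewal "$pem"; then
        echo "WARN: $1 expires $(cert_not_after "$pem"); inside the ${RENEW_WINDOW_DAYS}-day window, renewal is overdue"
        return 1
    fi
    echo "OK: $1 valid until $(cert_not_after "$pem")"
}

# make_demo_cert DAYS OUT_PEM -> constructed self-signed certificate used only
# to exercise the checks above; never install this on a server
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=demo.example.com" -keyout /dev/null -out "$2" 2>/dev/null
}

# Usage: sh check-renewal.sh example.com
[ "$#" -eq 1 ] && check_live_cert "$1"
```

Run it from a separate cron entry (a few days after the renewal job would normally fire) and route its non-zero exit into whatever alerting you already have; the check deliberately does not call certbot itself, so it cannot mask a broken renewal by performing one.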