How to Secure HTTPS Web Server Nginx With Let’s Encrypt on CentOS 7

Admin MAS Al Ahrom by Operator
August 17, 2023
in Learn Computer and Network

Let’s Encrypt is an open and free certificate authority developed by the Internet Security Research Group (ISRG). The certificate issued by Let’s Encrypt is trusted by almost all browsers today. In this tutorial, we will provide step-by-step instructions on how to secure your Nginx with Let’s Encrypt using the certbot tool on CentOS 7.

Prerequisites

Make sure you have fulfilled the following prerequisites before continuing with this tutorial:

1. You have a domain name that points to your server's public IP address. In this tutorial we will use the example.com domain.
2. You have enabled the EPEL repository and installed Nginx by following the tutorial How to Install Nginx on CentOS 7.

Install Certbot

Certbot is a full-featured and easy-to-use tool that automates obtaining and renewing Let's Encrypt SSL certificates. Certbot can also manage the web server configuration so that the certificate is used directly. To install the certbot package from the EPEL repository, run the following command:

sudo yum install certbot

Generating Diffie-Hellman (DH) Key Exchange Parameters

Diffie-Hellman key exchange (DH) is a method for securely exchanging cryptographic keys over an insecure communication channel. We will generate a new set of 2048-bit DH parameters to strengthen security:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you want a larger safety margin, you can increase the size to 4096 bits, but in that case generation can take more than 30 minutes depending on your system's processing capability.

Obtain the Let's Encrypt SSL Certificate

To obtain an SSL certificate for the domain, we will use the Webroot plugin, which works by creating a temporary validation file for the requested domain in the directory:

${webroot-path}/.well-known/acme-challenge

The Let's Encrypt server makes an HTTP request to that temporary file to validate that the requested domain resolves to the server where certbot is running. To keep things simple, we will map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt. The following commands create the directory and assign it to the nginx group:

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating configuration, create the following two snippets that we will include in all Nginx server block files. First create the snippets directory, then open the letsencrypt.conf snippet in your text editor:

sudo mkdir /etc/nginx/snippets
sudo nano /etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    try_files $uri =404;
}

Create the ssl.conf snippet, which configures the cipher suite recommended by Mozilla, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and adds several security-focused HTTP headers. Note that the ssl_protocols line below still permits TLSv1 and TLSv1.1, which are deprecated (RFC 8996); if you do not need to support legacy clients, restrict it to TLSv1.2.

sudo nano /etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

After the snippets are created, open the domain's server block file and include the letsencrypt.conf snippet as shown below:

/etc/nginx/conf.d/example.com.conf

server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
}

Reload the Nginx service so that the changes take effect:

sudo systemctl reload nginx

You can now run Certbot with the webroot plugin and obtain the SSL certificate files by typing the following command (replace admin@example.com with your own address):

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, certbot prints a message like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, edit your domain's server block as follows:

server {
    listen 80;
    server_name www.example.com example.com;
    include snippets/letsencrypt.conf;
    # redirect all plain HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # redirect the www host to the non-www host
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

With the above configuration we force the use of HTTPS and redirect the www version to the non-www version. Reload the Nginx service so that the changes take effect:

sudo systemctl reload nginx

How to Auto-renew the Let's Encrypt SSL Certificate

Let's Encrypt certificates are valid for 90 days. To renew certificates automatically before they expire, we will create a cron job that runs twice a day and renews any certificate that is within 30 days of expiry. Run the crontab command to create a new cron job:

sudo crontab -e

Copy and paste the following line into the editor. Root's crontab takes no user column, so the command starts right after the schedule; the job waits a random time of up to one hour so that renewals from many servers do not hit Let's Encrypt at the same moment, then runs a quiet renewal and reloads Nginx if a certificate was renewed:

0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"

Save and close the file (in vi, press ESC, type :wq and press Enter). To test the renewal process, you can run the certbot renew command with the --dry-run option:

sudo certbot renew --dry-run

If there are no errors, the test renewal was successful. Hope it is useful for you guys. Thank you.
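Once the certificate is installed and the redirects and ssl.conf headers are in place, the following script checks the result from the outside: that the Let's Encrypt chain validates against the system trust store, that a deprecated TLS version is not negotiated, how many days remain before expiry (so a broken renewal job is noticed), that port 80 redirects, and that HSTS is sent with the six-month max-age configured above. This is an added example and not code from the original tutorial; HOST and the function names are this example's own assumptions.

```python
"""Post-deployment checks for the nginx + Let's Encrypt setup above.
Added example, not code from the original tutorial; assumes the domain in HOST
is live on ports 80 and 443, and the function names are this example's own."""
import http.client
import socket
import ssl
import time

HOST = "example.com"                    # non-www domain configured above
MIN_HSTS_AGE = 15768000                 # six months, as set in ssl.conf above
WEAK_PROTOCOLS = {"TLSv1", "TLSv1.1"}   # deprecated by RFC 8996

def hsts_ok(value, min_age=MIN_HSTS_AGE):
    """True if a Strict-Transport-Security value carries max-age >= min_age."""
    if not value:
        return False
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number) >= min_age
    return False

def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter (OpenSSL text format)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return int((expiry - (time.time() if now is None else now)) // 86400)

def redirect_target(status, headers):
    """Location of a redirect response, or None when it is not a redirect."""
    if status not in (301, 302, 307, 308):
        return None
    return {k.lower(): v for k, v in headers}.get("location")

def check_host(host=HOST):
    """Live checks: trusted chain, TLS version, expiry, redirect and HSTS."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            proto, cert = tls.version(), tls.getpeercert()
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", "/")
    resp = plain.getresponse()
    secure = http.client.HTTPSConnection(host, 443, timeout=10, context=ctx)
    secure.request("GET", "/")
    hsts = secure.getresponse().getheader("Strict-Transport-Security")
    return {"protocol_ok": proto not in WEAK_PROTOCOLS,
            "days_left": days_left(cert["notAfter"]),
            "http_redirect": redirect_target(resp.status, resp.getheaders()),
            "hsts_ok": hsts_ok(hsts)}
```

Call check_host("example.com") from a Python shell on any machine with internet access; an SSLCertVerificationError means the served chain is not trusted, which is exactly what browsers would report.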
