https://www.cyberciti.biz/faq/how-to-secure-nginx-lets-encrypt-on-centos-7
How do I secure my Nginx web server with Let’s Encrypt free ssl certificate on my CentOS 7 or RHEL 7 server? How to configure Nginx with Let’s Encrypt on CentOS 7?
Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. This page shows how to use Let’s Encrypt to install a free SSL certificate for Nginx web server. You will learn how to properly deploy Diffie-Hellman on your server to get SSL labs A+ score on a CentOS/RHEL 7.
How to secure Nginx with Let’s Encrypt on CentOS 7
Our sample setup is as follows:
- Domain: server2.cyberciti.biz
- Nginx TLS configuration file: /etc/nginx/conf.d/default.ssl.conf
- Directory for the certificate, private key and DH parameters: /etc/nginx/ssl/cyberciti.biz/
- DocumentRoot: the directory nginx serves for the domain; the same path must be used when creating the .well-known/ directory in Step 3 and for the -w option in Step 5
The procedure to obtain an SSL certificate is as follows:
- Get the acme.sh software: git clone https://github.com/Neilpang/acme.sh.git
- Create the /.well-known/acme-challenge/ directory under your DocumentRoot: mkdir -p /DocumentRootPath/.well-known/acme-challenge/
- Obtain an SSL certificate for your domain: acme.sh --issue -w /DocumentRootPath/ -d your-domain
- Configure TLS/SSL on Nginx: vi /etc/nginx/conf.d/default.ssl.conf
- Set up a cron job for automatic renewal (acme.sh installs one for you)
- Open port 443 (HTTPS): sudo firewall-cmd --add-service=https
Step 1 – Install the required software
Install the git, wget, curl and bc packages with the yum command:
$ sudo yum install git bc wget curl
Step 2 – Install acme.sh Let’s Encrypt client
Clone the repo:
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git
Install the acme.sh client on your system:
$ cd acme.sh/
$ sudo -i
# ./acme.sh --install
The installer copies acme.sh to /root/.acme.sh/, adds an acme.sh alias to root’s ~/.bashrc and installs the renewal cron job. After the install, close the current terminal and reopen it so the alias takes effect, or, still in the root shell, source the file (source is a shell builtin, so it cannot be run through sudo):
# source ~/.bashrc
Step 3 – Create acme-challenge directory
Type the following mkdir command. Set D to your actual DocumentRoot path, the same directory you will pass to -w in Step 5:
# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Nginx only needs to read the challenge files; acme.sh runs as root (from your shell and later from cron), so it can still write the challenge tokens there. Also create a directory to store the SSL certificate:
# mkdir -p /etc/nginx/ssl/cyberciti.biz/
Step 4 – Create dhparams.pem file
Run the openssl command:
# cd /etc/nginx/ssl/cyberciti.biz/
# openssl dhparam -out dhparams.pem -dsaparam 4096
The -dsaparam option makes generation take seconds instead of many minutes, at the cost of producing DSA-style parameters rather than a safe prime. The openssl dhparam manual page considers this acceptable for DHE because a fresh private key is generated for every handshake; drop -dsaparam if you prefer safe-prime parameters and can wait. The file is referenced from nginx with the ssl_dhparam directive in Step 6.
Step 5 – Obtain a certificate for domain
Issue a certificate for your domain. The -w option must point at the DocumentRoot from Step 3, because Let’s Encrypt validates the domain by fetching a file from http://your-domain/.well-known/acme-challenge/ over plain HTTP on port 80, and -k 2048 requests a 2048-bit RSA key:
acme.sh --issue -w /path/to/www/htmlRoot/ -d example.com -k 2048
For example, as root (the acme.sh alias lives in root’s ~/.bashrc, so run it from the root shell rather than through sudo):
# acme.sh --issue -w /usr/local/nginx/html -d server2.cyberciti.biz -k 2048
Step 6 – Configure Nginx
You have just successfully requested an SSL certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure nginx to use it. Edit default.ssl.conf:
$ sudo vi /etc/nginx/conf.d/default.ssl.conf
Append the following config:
## START: SSL/HTTPS server2.cyberciti.biz ###
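As an added example that is not the original article’s configuration, the following script renders a complete nginx TLS server block for the paths created in Steps 3 to 7, plus a check that the rendered file carries everything an A+ needs and nothing weak. It assumes the sample domain server2.cyberciti.biz, the certificate directory /etc/nginx/ssl/cyberciti.biz/, a DocumentRoot given on the command line, and a local resolver at 127.0.0.1 for OCSP stapling; the cipher list, the HSTS header and the check function are the editor’s choices, not the page’s.

```shell
#!/bin/bash
# Added example, not from the original page: render the nginx TLS vhost that
# Step 6 refers to. Assumptions: the page's sample domain and certificate
# directory, a DocumentRoot passed as an argument, a resolver on 127.0.0.1.
set -eu

# Usage: render_ssl_conf DOMAIN CERT_DIR DOC_ROOT > /etc/nginx/conf.d/default.ssl.conf
render_ssl_conf() {
    local domain="$1" cert_dir="$2" doc_root="$3"
    cat <<EOF
## START: SSL/HTTPS ${domain} ###
# Plain HTTP: serve only the ACME challenge directly, redirect everything else.
# Keeping the challenge path on port 80 lets renewals succeed even when the
# TLS side is broken or the certificate has already expired.
server {
    listen 80;
    server_name ${domain};
    root ${doc_root};

    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files \$uri =404;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;   # drop http2 if your nginx was built without it
    server_name ${domain};
    root ${doc_root};

    ssl_certificate     ${cert_dir}/${domain}.cer;   # full chain installed by acme.sh (Step 7)
    ssl_certificate_key ${cert_dir}/${domain}.key;
    ssl_dhparam         ${cert_dir}/dhparams.pem;    # generated in Step 4

    # Only TLS 1.2 here; add TLSv1.3 once nginx and OpenSSL on the box support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # AEAD suites with forward secrecy only. OpenSSL 1.0.2 (stock CentOS 7)
    # silently ignores the CHACHA20 names; they become active with OpenSSL 1.1.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the OCSP response itself and staples it
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ${cert_dir}/${domain}.cer;
    resolver 127.0.0.1 valid=300s;   # assumption: a local resolver; set yours

    # HSTS is what lifts an A to an A+ on SSL Labs
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
## END: SSL/HTTPS ${domain} ###
EOF
}

# Sanity check on a rendered file: every directive an A+ needs is present and
# no weak protocol or cipher (SSLv3, TLS 1.0/1.1, RC4, MD5) slipped in.
check_ssl_conf() {
    local conf="$1" directive
    for directive in ssl_certificate ssl_certificate_key ssl_dhparam \
                     'ssl_protocols TLSv1.2' ssl_stapling Strict-Transport-Security; do
        grep -q -- "$directive" "$conf" || { echo "missing: $directive" >&2; return 1; }
    done
    if grep -Eq 'SSLv3|TLSv1 |TLSv1;|TLSv1\.1|RC4|MD5' "$conf"; then
        echo "weak protocol or cipher present" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage, e.g.:
#   ./render_ssl_conf.sh server2.cyberciti.biz /etc/nginx/ssl/cyberciti.biz /usr/local/nginx/html \
#       > /etc/nginx/conf.d/default.ssl.conf && nginx -t && systemctl reload nginx
if [ "$#" -eq 3 ]; then
    render_ssl_conf "$@"
fi
```

Run it with the three arguments shown in the trailing comment, then nginx -t and systemctl reload nginx. The ssl_trusted_certificate line points at the full chain installed in Step 7, which is what nginx needs to verify the stapled OCSP response; if the DocumentRoot you pass differs from the one used in Step 3, the challenge location serves an empty directory and the next renewal fails.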
Step 7 – Install certificate
Install the issued cert into the nginx directory. acme.sh copies the private key and the full chain (leaf plus intermediate) to the paths given here, remembers them, and re-runs the --reloadcmd after every automatic renewal, so nginx picks up each new certificate without manual work. Always use this command rather than copying files out of /root/.acme.sh/ by hand:
# acme.sh --installcert -d server2.cyberciti.biz \
--keypath /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.cer \
--reloadcmd 'systemctl reload nginx'
Make sure nginx is now listening on port 443 with the ss command or netstat command:
# ss -tulpn
Step 8 – Firewall configuration
You need to open port 443 (HTTPS) on your server so that clients can connect to it. Update the firewalld rules and make them permanent:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent
Step 9 – Test it
Fire up a web browser and type your domain, such as:
https://server2.cyberciti.biz
Test it with the SSL Labs test site:
https://www.ssllabs.com/ssltest/analyze.html?d=server2.cyberciti.biz
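An added post-deployment check, written for this page rather than taken from it: it asks the server for the certificate a client actually receives, measures the time to expiry, confirms the issuer, the HTTP-to-HTTPS redirect, the HSTS header and that TLS 1.0 is refused, and checks that the acme.sh renewal cron job is present. It assumes openssl, curl and GNU date on the host running it and uses the page’s sample host server2.cyberciti.biz; the 30-day warning threshold and the one-year HSTS floor are the editor’s choices.

```shell
#!/bin/bash
# Added example, not from the original page: post-deployment checks for the
# nginx + Let's Encrypt setup above. Assumes openssl, curl and GNU date are
# installed. The host, the 30-day threshold and the 1-year HSTS floor are assumptions.
set -u

# Seconds from now until the date in a "notAfter=Jun  3 12:00:00 2030 GMT"
# line as printed by `openssl x509 -enddate`. Negative means already expired.
seconds_until_expiry() {
    local not_after="${1#notAfter=}"
    echo $(( $(date -ud "$not_after" +%s) - $(date -u +%s) ))
}

# 0 if the response headers carry HSTS with a max-age of at least one year
# (what SSL Labs wants for an A+), 1 otherwise.
hsts_ok() {
    local max_age
    max_age="$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)"
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# 0 if an "issuer=..." line names Let's Encrypt, 1 otherwise.
issued_by_letsencrypt() {
    printf '%s\n' "$1" | grep -q "Let's Encrypt"
}

# 0 if a crontab listing contains the acme.sh renewal job, 1 otherwise.
cron_installed() {
    printf '%s\n' "$1" | grep -q 'acme.sh --cron'
}

# Live checks against one host (needs network); one result line per check.
check_host() {
    local host="$1" cert secs hdrs
    # The certificate a real client receives (with SNI), not the file on disk
    cert="$(openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer -enddate)"
    secs="$(seconds_until_expiry "$(printf '%s\n' "$cert" | grep '^notAfter=')")"
    printf '%s\n' "$cert" | grep '^issuer='
    echo "expires in $(( secs / 86400 )) days (acme.sh renews once the cert is 60 days old)"
    issued_by_letsencrypt "$cert" && echo "OK   issuer is Let's Encrypt" || echo "WARN unexpected issuer"
    [ "$secs" -gt $(( 30 * 86400 )) ] && echo "OK   more than 30 days left" || echo "WARN renewal overdue"
    hdrs="$(curl -sI "http://${host}/")"
    printf '%s\n' "$hdrs" | grep -q '^HTTP/[0-9.]* 301' && echo "OK   http -> https redirect" || echo "WARN no redirect"
    hdrs="$(curl -sI "https://${host}/")"
    hsts_ok "$hdrs" && echo "OK   HSTS max-age >= 1 year" || echo "WARN HSTS missing or too short"
    # Also reports "refused" when the local openssl no longer offers a TLS 1.0 client
    if openssl s_client -connect "${host}:443" -servername "$host" -tls1 </dev/null >/dev/null 2>&1; then
        echo "WARN TLS 1.0 accepted"
    else
        echo "OK   TLS 1.0 refused"
    fi
    cron_installed "$(crontab -l 2>/dev/null)" && echo "OK   renewal cron present" || echo "WARN no acme.sh cron job"
}

# Usage: ./check_tls.sh server2.cyberciti.biz   (run as root on the server so crontab -l shows root's jobs)
if [ "$#" -eq 1 ]; then
    check_host "$1"
fi
```

Run it as root on the server itself so that the crontab check sees root’s jobs, and again from a machine outside your network so that the firewall rule from Step 8 is exercised as well.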
Step 10 – acme.sh commands
List all certificates:
# acme.sh --list
Renew the cert for the domain named server2.cyberciti.biz (acme.sh only renews once the certificate is 60 days old unless you add --force):
# acme.sh --renew -d server2.cyberciti.biz
Please note that a cron job will try to renew the certificate for you too. It is installed by default (no action required on your part). To see the job, run:
# crontab -l
Sample outputs:
8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Upgrade the acme.sh client:
# acme.sh --upgrade
Getting help:
# acme.sh --help | more
This entry is 3 of 3 in the Linux, Nginx, MySQL, PHP (LEMP) Stack for CentOS/RHEL 7 Tutorial series. Keep reading the rest of the series:
- How to install and use Nginx on CentOS 7 / RHEL 7
- How to install PHP 7.2 on CentOS 7/RHEL 7
- How to configure Nginx with Let's Encrypt on CentOS 7
This entry is 4 of 4 in the Secure Web Server with Let's Encrypt Tutorial series. Keep reading the rest of the series:
- How to configure Nginx with Let's Encrypt on Debian/Ubuntu Linux
- How to secure Lighttpd with Let's Encrypt certificate on Debian/Ubuntu
- How to secure Nginx with Let's Encrypt certificate on Alpine Linux
- How to configure Nginx with Let's Encrypt on CentOS 7