Blog

03/06/2019

How to configure Nginx with Let’s Encrypt on CentOS 7



How do I secure my Nginx web server with Let’s Encrypt free ssl certificate on my CentOS 7 or RHEL 7 server? How to configure Nginx with Let’s Encrypt on CentOS 7?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. This page shows how to use Let’s Encrypt to install a free SSL certificate for Nginx web server. You will learn how to properly deploy Diffie-Hellman on your server to get SSL labs A+ score on a CentOS/RHEL 7.

How to secure Nginx with Let’s Encrypt on CentOS 7

Our sample setup is as follows:

How to secure Nginx with Let’s Encrypt on CentOS 7

kbd { display: inline-block; margin: 0 .1em; padding: .1em .6em; font-family: Arial,”Helvetica Neue”,Helvetica,sans-serif; font-size: 11px; line-height: 1.4; color: #242729; text-shadow: 0 1px 0 #FFF; background-color: #e1e3e5; border: 1px solid #adb3b9; border-radius: 3px; box-shadow: 0 1px 0 rgba(12,13,14,0.2), 0 0 0 2px #FFF inset; white-space: nowrap;}

The procedure is as follows to obtaining an SSL certificate:

  1. Get acme.sh software:
    git clone https://github.com/Neilpang/acme.sh.git
  2. Create /.well-known/acme-challenge/ directory:
    mkdir -p /var/www/html/.well-known/acme-challenge/
  3. Obtaining an SSL certificate your domain:
    acme.sh --issue -w /DocumentRootPath/ -d your-domain
  4. Configure TLS/SSL on Nginx:
    vi /etc/nginx/sites-available/default
  5. Setup cron job setup for auto renewal
  6. Open port 443 (HTTPS):
    sudo firewall-cmd --add-service=https

Let us see how to install acme.sh client and use it on a CentOS/RHEL 7 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software

Install the git, wget, curl and bc packages with the yum command:
$ sudo yum install git bc wget curl

Step 2 – Install acme.sh Let’s Encrypt client

Clone the repo:
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git


Install acme.sh client on to your system, run:
$ cd acme.sh/
$ sudo -i
# ./acme.sh --install


After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following source command:
$ sudo source ~/.bashrc

Step 3 – Create acme-challenge directory

Type the following mkdir command. Make sure you set D to actual DocumentRoot path as per your needs:
# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also create directory to store SSL certificate:
# mkdir -p /etc/nginx/ssl/sxi.io/

Step 4 – Create dhparams.pem file

Run openssl command:
# cd /etc/nginx/ssl/sxi.io/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain:
acme.sh --issue -w /path/to/www/htmlRoot/ -d example.com -k 2048
sudo acme.sh --issue -w /usr/local/nginx/html -d server2.sxi.io -k 2048

Step 6 – Configure Nginx

You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure it. Edit default.ssl.conf:
$ sudo vi /etc/nginx/conf.d/default.ssl.conf
Append the following config:

## START: SSL/HTTPS server2.sxi.io ###
server {
    #------- Start SSL config with http2 support ----#
    listen 10.21.136.134:443 http2;
    server_name server2.sxi.io;
    ssl on;
    ssl_certificate /etc/nginx/ssl/sxi.io/server2.sxi.io.cer;
    ssl_certificate_key /etc/nginx/ssl/sxi.io/server2.sxi.io.key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/sxi.io/dhparams.pem;
    ssl_prefer_server_ciphers on;
 
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
 
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
 
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
 
    ## SSL logs ##
    access_log /var/log/nginx/ssl_access.log;
    error_log /var/log/nginx/ssl_error.log;
    #-------- END SSL config -------##
    # Add rest of your config below like document root, php and more ##
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    # Allow php apps
    location ~ .php$ {
        root /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
}
## END SSL server2.sxi.io ######

## START: SSL/HTTPS server2.sxi.io ### server { #——- Start SSL config with http2 support —-# listen 10.21.136.134:443 http2; server_name server2.sxi.io; ssl on; ssl_certificate /etc/nginx/ssl/sxi.io/server2.sxi.io.cer; ssl_certificate_key /etc/nginx/ssl/sxi.io/server2.sxi.io.key; ssl_session_timeout 30m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; ssl_session_cache shared:SSL:10m; ssl_dhparam /etc/nginx/ssl/sxi.io/dhparams.pem; ssl_prefer_server_ciphers on; ## Improves TTFB by using a smaller SSL buffer than the nginx default ssl_buffer_size 8k; ## Enables OCSP stapling ssl_stapling on; resolver 8.8.8.8; ssl_stapling_verify on; ## Send header to tell the browser to prefer https to http traffic add_header Strict-Transport-Security max-age=31536000; ## SSL logs ## access_log /var/log/nginx/ssl_access.log; error_log /var/log/nginx/ssl_error.log; #——– END SSL config ——-## # Add rest of your config below like document root, php and more ## location / { root /usr/share/nginx/html; index index.html index.htm; } # Allow php apps location ~ .php$ { root /usr/share/nginx/html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } ## END SSL server2.sxi.io ######

Save and close the file in vi/vim text editor.

Step 7 – Install certificate

Install the issued cert to nginx server:
# acme.sh --installcert -d server2.sxi.io
--keypath /etc/nginx/ssl/sxi.io/server2.sxi.io.key
--fullchainpath /etc/nginx/ssl/sxi.io/server2.sxi.io.cer
--reloadcmd 'systemctl reload nginx'


Make sure port os open with the ss command or netstat command:
# ss -tulpn

Step 7 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect it. Update the rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 8 – Test it

Fire a web browser and type your domain such as:
https://server2.sxi.io
Test it with SSLlabs test site:
https://www.ssllabs.com/ssltest/analyze.html?d=server2.sxi.io

Step 9 – acme.sh commands

List all certificates:
# acme.sh --list
Renew a cert for domain named server2.sxi.io
# acme.sh --renew -d server2.sxi.io
Please note that a cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part). To see job run:
# crontab -l
Sample outputs:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Upgrade acme.sh client:
# acme.sh --upgrade
Getting help:
# acme.sh --help | more

This entry is 3 of 3 in the Linux, Nginx, MySQL, PHP (LEMP) Stack for CentOS/RHEL 7 Tutorial series. Keep reading the rest of the series:
  1. How to install and use Nginx on CentOS 7 / RHEL 7
  2. How to install PHP 7.2 on CentOS 7/RHEL 7
  3. How to configure Nginx with Let’s Encrypt on CentOS 7

This entry is 4 of 5 in the Secure Web Server with Let’s Encrypt Tutorial series. Keep reading the rest of the series:
  1. How to configure Nginx with Let’s Encrypt on Debian/Ubuntu Linux
  2. How to secure Lighttpd with Let’s Encrypt certificate on Debian/Ubuntu
  3. How to secure Nginx with Let’s Encrypt certificate on Alpine Linux
  4. How to configure Nginx with Let’s Encrypt on CentOS 7
  5. <a href='https://sxi.io/how-to-secure-apache-with-lets-encrypt-certificates-on-rhel-8/' title='Secure Apache with Let’ s encrypt certificates on RHEL 8‘>Secure Apache with Let’s Encrypt Certificates on RHEL 8

(adsbygoogle = window.adsbygoogle || []).push({});

Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

14/08/2019

How to KVM, QEMU start or stop virtual machine from command line (CLI)

KVM or Kernel Based Virtual Machine is a popular virtualization technology. It allows you to run virtual guest machines over a host machine. To start...
14/08/2019

How to Docker backup Saving and restoring your volumes

Running a Docker volume backup First, we spin up a temporary container, and we mount the backup folder and the target Docker volume to this container....
12/08/2019

How to Start and Enable Firewalld on CentOS 7

In this article, we discuss how to start and enable firewalld. It is highly recommended that you have a firewall protecting your server.Pre-Flight CheckThese...