How to configure Nginx with Let’s Encrypt on CentOS 7?

Install the acme.sh client and use it on CentOS/RHEL 7 to obtain an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software


Install the git, wget, curl and bc packages with the yum command:

$ sudo yum install git bc wget curl

Step 2 – Install acme.sh Let’s Encrypt client


Clone the repo:

$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git


To install the acme.sh client on your system, run:

$ cd acme.sh/
$ sudo -i
# ./acme.sh --install


After the install, you must close the current terminal and reopen it for the alias to take effect. Alternatively, in the same root shell you used for the install (acme.sh added the alias to root's ~/.bashrc), type the following source command:

# source ~/.bashrc

Step 3 – Create acme-challenge directory


Type the following mkdir command. Make sure you set D to the actual DocumentRoot path of your nginx setup:

# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also create a directory to store the SSL certificate:

# mkdir -p /etc/nginx/ssl/rootadminz.biz/

Step 4 – Create dhparams.pem file

Run openssl command:

# cd /etc/nginx/ssl/rootadminz.biz/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain. The webroot given with -w must be the same DocumentRoot you created the acme-challenge directory under in Step 3, otherwise Let’s Encrypt cannot fetch the challenge file:

# acme.sh --issue -w /path/to/www/htmlRoot/ -d example.com -k 2048
# acme.sh --issue -w /usr/share/nginx/html -d server2.rootadminz.biz -k 2048

Step 6 – Configure Nginx

You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure it. Edit default.ssl.conf:

$ sudo vi /etc/nginx/conf.d/default.ssl.conf

Append the following config:

## START: SSL/HTTPS server2.rootadminz.biz ###
server {
    #------- Start SSL config with http2 support ----#
    # 'ssl' on the listen line replaces the deprecated 'ssl on;' directive
    listen 10.21.136.134:443 ssl http2;
    server_name server2.rootadminz.biz;
    ssl_certificate /etc/nginx/ssl/rootadminz.biz/server2.rootadminz.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/rootadminz.biz/server2.rootadminz.biz.key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/rootadminz.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    ## Enables OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;

    ## SSL logs ##
    access_log /var/log/nginx/ssl_access.log;
    error_log /var/log/nginx/ssl_error.log;
    #-------- END SSL config -------##

    # Add the rest of your config below: document root, php and more ##
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Allow php apps
    location ~ \.php$ {
        root /usr/share/nginx/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
## END SSL server2.rootadminz.biz ######

Save and close the file in the vi/vim text editor, then check the syntax with nginx -t before reloading. Note that the ssl_protocols line above still offers TLSv1 and TLSv1.1 and the cipher list still includes 3DES suites; both are deprecated, so restrict the server to TLSv1.2 and newer and drop the 3DES suites if your clients allow it.
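An added check, not part of the original article: a small Python script that parses a server block like the one above and reports the TLS settings a reviewer would question (TLSv1/TLSv1.1 offered, 3DES suites, a listen line without ssl, missing OCSP stapling or HSTS). The embedded sample block is constructed from the article's settings, and the one-year HSTS minimum is an assumption.

```python
import re

# One 'name value;' directive per line; comments, '{' and '}' lines are ignored.
DIRECTIVE_RE = re.compile(r"^([a-z_]+)\s+(.*?);$")
# Constructed server block modelled on the TLS settings used in this article.
SAMPLE_BLOCK = """
server {
    listen 10.21.136.134:443 ssl http2;
    server_name server2.rootadminz.biz;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES:!aNULL:!MD5:!DSS;
    ssl_stapling on;
    add_header Strict-Transport-Security max-age=31536000;
}
"""

def parse_directives(text):
    """Map directive name -> list of values; nesting is ignored (fine for flat TLS settings)."""
    found = {}
    for raw in text.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0].strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit_tls_server_block(text):
    """Return findings for weak or missing TLS settings in one nginx server block."""
    d = parse_directives(text)
    findings = []
    if d.get("listen") and not any("ssl" in v.split() for v in d["listen"]):
        findings.append("listen lacks the 'ssl' parameter ('ssl on;' alone is deprecated)")
    for proto in ("TLSv1", "TLSv1.1"):
        if any(proto in v.split() for v in d.get("ssl_protocols", [])):
            findings.append(f"{proto} offered; allow TLSv1.2 and newer only")
    if any("3DES" in v for v in d.get("ssl_ciphers", [])):
        findings.append("3DES cipher suites offered (SWEET32); remove them")
    if "on" not in d.get("ssl_stapling", []):
        findings.append("OCSP stapling not enabled")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    m = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if m is None:
        findings.append("no Strict-Transport-Security header")
    elif int(m.group(1)) < 31536000:  # assumed minimum: one year
        findings.append("HSTS max-age shorter than one year")
    return findings

if __name__ == "__main__":
    for finding in audit_tls_server_block(SAMPLE_BLOCK):
        print("FINDING:", finding)
```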

Step 7 – Install certificate

Install the issued cert to nginx server:

# acme.sh --installcert -d server2.rootadminz.biz \
--keypath /etc/nginx/ssl/rootadminz.biz/server2.rootadminz.biz.key \
--fullchainpath /etc/nginx/ssl/rootadminz.biz/server2.rootadminz.biz.cer \
--reloadcmd 'systemctl reload nginx'

Make sure the port is open, i.e. nginx is listening on 443, with the ss command or the netstat command:

# ss -tulpn

Step 8 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect to it. Port 80 (HTTP) must also be reachable, because the Let’s Encrypt validation in Step 5 fetches the challenge file over plain HTTP. Update the rules as follows:

$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 9 – Test it

Fire up a web browser and type your domain, such as:

https://server2.ucartz.com

Test it with SSLlabs test site:

https://www.ssllabs.com/ssltest/analyze.html?d=server2.rootadminz.biz

[Figure: SSL Labs A+ test result for Nginx with a Let’s Encrypt certificate on RHEL/CentOS 7]

Step 10 – acme.sh commands

List all certificates:

# acme.sh --list

Renew the certificate for the domain named server2.rootadminz.biz:

# acme.sh --renew -d server2.rootadminz.biz

Please note that a cron job will also attempt to renew the certificate for you. It is installed by default (no action is required on your part). To see the job, run:

# crontab -l
