Install client and use it on a CentOS/RHEL 7 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software 

Install the git, wget, curl and bc packages with the yum command:

$ sudo yum install git bc wget curl

Step 2 – Install Let’s Encrypt client

Clone the repo:

$ cd /tmp/
$ git clone

Install client on to your system, run:

$ cd
$ sudo -i
# ./ --install

After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following source command:

$ sudo source ~/.bashrc

Step 3 – Create acme-challenge directory

Type the following mkdir command. Make sure you set D to actual DocumentRoot path as per your needs:

# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/


Also create directory to store SSL certificate:

# mkdir -p /etc/nginx/ssl/

Step 4 – Create dhparams.pem file

Run openssl command:

# cd /etc/nginx/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096


Step 5 – Obtain a certificate for domain


Issue a certificate for your domain: --issue -w /path/to/www/htmlRoot/ -d -k 2048
sudo --issue -w /usr/local/nginx/html -d -k 2048


Step 6 – Configure Nginx 


You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure it. Edit default.ssl.conf:

$ sudo vi /etc/nginx/conf.d/default.ssl.conf


Append the following config:

server {
#------- Start SSL config with http2 support ----#
listen http2;
ssl on;
ssl_certificate /etc/nginx/ssl/;
ssl_certificate_key /etc/nginx/ssl/;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/nginx/ssl/;
ssl_prefer_server_ciphers on;

## Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;

## Enables OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

## Send header to tell the browser to prefer https to http traffic
add_header Strict-Transport-Security max-age=31536000;

## SSL logs ##
access_log /var/log/nginx/ssl_access.log;
error_log /var/log/nginx/ssl_error.log;
#-------- END SSL config -------##
# Add rest of your config below like document root, php and more ##
location / {
root /usr/share/nginx/html;
index index.html index.htm;
# Allow php apps
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## END SSL ######


Save and close the file in vi/vim text editor.


Step 7 – Install certificate 


Install the issued cert to nginx server:

# --installcert -d \
--keypath /etc/nginx/ssl/ \
--fullchainpath /etc/nginx/ssl/ \
--reloadcmd 'systemctl reload nginx'


Make sure port os open with the ss command or netstat command:


# ss -tulpn


Step 7 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect it. Update the rules as follows:

$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent


Step 8 – Test it


 Fire a web browser and type your domain such as:


Test it with SSLlabs test site:

RHEL CentOS 7 Nginx SSL Labs A+ Test result for Nginx with Lets Encrypt Certificate


Step 9 – commands


List all certificates:

# --list


Renew a cert for domain named

# --renew -d


Please note that a cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part). To see job run:

# crontab -l


Was this answer helpful? 0 Users Found This Useful (0 Votes)