Following the previous Let’s Encrypt series on securing the Apache or Nginx web server with the SSL/TLS module, this article guides you through generating and installing a free SSL/TLS certificate from the Let’s Encrypt Certificate Authority, which we’ll use to secure Nginx web server HTTP transactions on CentOS/RHEL 7/6 and Fedora distributions.

If you’re looking to install Let’s Encrypt for Apache on RHEL/CentOS 7/6 and Fedora distributions, follow the guide below:

Setup Let’s Encrypt to Secure Apache on RHEL, CentOS and Fedora

Requirements

- A registered domain name with valid A DNS records pointing to the server’s public IP address.
- Nginx web server installed with SSL enabled and Virtual Hosts enabled (only for multiple domains or subdomains hosting).

Our Testing Environment Setup

Step 1: Install Nginx Web Server

1. First, in case you don’t already have the Nginx daemon installed, issue the commands below with root privileges to install the Nginx web server from the EPEL repositories:

# yum install epel-release
# yum install nginx

Step 2: Download or Clone Free Let’s Encrypt SSL Certificate

2. The fastest method of installing the Let’s Encrypt client on Linux systems is by cloning the packages from the GitHub repositories.

First, install the git client on the system with the command below:

# yum install git

3. After the git client has been installed, change directory to the /opt path and pull the Let’s Encrypt software by running the commands below:

# cd /opt
# git clone https://github.com/letsencrypt/letsencrypt

Step 3: Generate a Free Let’s Encrypt SSL Certificate for Nginx

4. The free SSL/TLS certificate for Nginx will be obtained manually using the Let’s Encrypt Standalone plugin.

This method requires port 80 to be free while the Let’s Encrypt client validates the server’s identity and generates the certificates.

So, if Nginx is already running, stop the daemon with one of the following commands (service or systemctl, depending on your init system) and run the ss utility to confirm that port 80 is no longer in use in the network stack.

# service nginx stop
# systemctl stop nginx
# ss -tln

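One way to script the port check before running the standalone plugin. This is an added example, not part of the original article; the function names are hypothetical and the ss output is a constructed sample.

```shell
#!/bin/sh
# Added example: confirm nothing is listening on a port before the standalone plugin runs.

# Reads `ss -tln` output on stdin and prints the local address of each
# listener bound to port $1.
listeners_on_port() {
    awk -v port="$1" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i != "LISTEN") continue
            addr = $(i + 3)                 # Local Address:Port column
            n = split(addr, parts, ":")     # port follows the last colon
            if (parts[n] == port) print addr
            break
        }
    }'
}

# Exit status 0 only when no listener in the ss output uses port $1.
port_is_free() {
    [ -z "$(listeners_on_port "$1")" ]
}

# Constructed sample of `ss -tln` output covering IPv4, wildcard and IPv6 forms.
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     *:8080              *:*
LISTEN  0       128     [::]:80             [::]:*
LISTEN  0       100     127.0.0.1:25        0.0.0.0:*'

# On a live host:
#   ss -tln | port_is_free 80 || echo "port 80 is still in use; stop Nginx first"
```

Matching on the text after the last colon keeps a listener on 8080 from being reported as port 80 and handles the bracketed IPv6 form.
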
5. Now it’s time to obtain a free SSL certificate from Let’s Encrypt. Move to the Let’s Encrypt installation directory, if you’re not already there, and run the letsencrypt-auto command with the certonly --standalone option and a -d flag for each domain or subdomain you wish to generate a certificate for, as in the example below.

# cd /opt/letsencrypt
# ./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.yourdomain.tld

6. After a series of packages and dependencies have been installed on your machine, Let’s Encrypt will prompt you to enter your account, which will be used for lost key recovery or urgent notifications.

7. Next, agree to the license terms by pressing the Enter key.

8. Finally, if everything went as it should, a congratulations message will be shown in your bash terminal. The message will also display when the certificate will expire.

Step 4: Install Let’s Encrypt SSL Certificate in Nginx

9. Now that you own a free SSL/TLS certificate, it’s time to install it in the Nginx web server so that your domain uses it.

All new SSL certificates are placed in /etc/letsencrypt/live/ under a directory named after your domain name. Use the ls command to list the certificate files issued for your domain and identify them.

# sudo ls /etc/letsencrypt/live/
# sudo ls -al /etc/letsencrypt/live/your_domain.tld

10. To install the certificate files in Nginx and enable SSL, open the /etc/nginx/nginx.conf file for editing and add the statements below after the last listen line in the server block. Use the illustration below as a guide.

# vi /etc/nginx/nginx.conf

Nginx SSL block excerpt:

# SSL configuration
listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Replace the domain name string in the SSL certificate paths to match your own domain.

11. Finally, restart the Nginx service and visit your domain via the HTTPS protocol at https://yourdomain. The page should load smoothly, without any certificate errors.

# systemctl restart nginx
# service nginx restart

12. To verify the SSL/TLS certificate and its strength, visit the following link:

https://www.ssllabs.com/ssltest/analyze.html

13. In case you get a notification that your server supports a weak DH key exchange and an overall rating of B grade, generate a new set of Diffie-Hellman parameters in the /etc/nginx/ssl/ directory to protect your server against the Logjam attack by running the following commands.

# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl dhparam -out dhparams.pem 4096

In this example we’ve used a 4096-bit key, which takes a long time to generate and puts extra overhead on your server and on the SSL handshake.

If there’s no explicit need to use a key this long and you’re not too paranoid, you should be safe with a 2048-bit key.

14. After the DH key has been generated, open the Nginx configuration file and add the statements below after the ssl_ciphers line in order to add the DH key and raise the security level of your domain to an A+ grade.

# vi /etc/nginx/nginx.conf

Add the following block excerpt to nginx.conf:

ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:10m;
ssl_buffer_size 8k;
add_header Strict-Transport-Security max-age=31536000;

15. Restart the Nginx service to apply the changes and retest your SSL certificate by clearing the previous result cache from the link mentioned above.

# systemctl restart nginx
# service nginx restart

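The directives from steps 10 and 14 can be checked mechanically after editing nginx.conf. The shell function below is an added example, not part of the original article; the finding labels and the decision to flag TLSv1 and TLSv1.1 (deprecated by RFC 8996) are assumptions of this example, and both sample configs are constructed from the excerpts above.

```shell
#!/bin/sh
# Added example (not from the original article): audit the TLS directives from steps 10 and 14.
# Reads an nginx config on stdin, prints one finding per line, returns 1 if any were found.
audit_nginx_tls() {
    # Drop comments so a commented-out directive is not counted as active.
    active=$(sed 's/#.*//')
    found=0

    # Flag protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) and older SSL.
    protocols=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    for proto in $protocols; do
        case $proto in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $proto"; found=1 ;;
        esac
    done

    # Finite-field DH suites (EDH/DHE, but not ECDHE) offered without ssl_dhparam.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]].*[^C](EDH|DHE)' &&
       ! printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]'; then
        echo "MISSING_DHPARAM"; found=1
    fi

    # HSTS header from step 14.
    if ! printf '%s\n' "$active" |
         grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security'; then
        echo "MISSING_HSTS"; found=1
    fi
    return "$found"
}

# Constructed sample: the step 10 excerpt as given on this page.
STEP10_CONF="listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';"

# Constructed sample: step 10 plus step 14, restricted to TLSv1.2 (an assumption of this example).
HARDENED_CONF="$(printf '%s\n' "$STEP10_CONF" | sed 's/TLSv1 TLSv1.1 TLSv1.2/TLSv1.2/')
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
add_header Strict-Transport-Security max-age=31536000;"

# On a live host: audit_nginx_tls < /etc/nginx/nginx.conf
```
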
Step 5: Auto Renew Nginx Free Let’s Encrypt SSL Certificates

16. Let’s Encrypt CA issues free SSL/TLS certificates valid for 90 days. Certificates can be manually renewed and applied before expiration using the webroot plugin, without stopping your web server, by issuing the commands below:

# ./letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path=/usr/share/nginx/html/ -d yourdomain.tld -d www.yourdomain.tld
# systemctl reload nginx

When running the above command, make sure you replace the webroot-path value to match your web server document root, as specified by the Nginx root statement.

17. To auto renew the certificate before it expires, create this bash script, taken from erikaheidi on GitHub, in the /usr/local/bin/ directory and add the content below (the script is slightly modified to reflect the Nginx setup).

# vi /usr/local/bin/cert-renew

Add the following lines to the cert-renew file.

#!/bin/bash

# Nginx document root served for the webroot challenge
webpath='/usr/share/nginx/html/'
domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
# Renew when this many days or fewer remain
exp_limit=30

# Print the comma-separated domain list recorded in the renewal config
get_domain_list(){
    certdomain=$1
    config_file="$le_conf/renewal/$certdomain.conf"

    if [ ! -f "$config_file" ] ; then
        echo "[ERROR] The config file for the certificate $certdomain was not found."
        exit 1;
    fi

    domains=$(grep --only-matching --perl-regexp "(?<=domains \= ).*" "${config_file}")
    last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

    if [ "${last_char}" = "," ]; then
        domains=$(echo "${domains}" | awk '{print substr($0, 1, length-1)}')
    fi

    echo "$domains";
}

if [ -z "$domain" ] ; then
    echo "[ERROR] you must provide the domain name for the certificate renewal."
    exit 1;
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1;
fi

# Convert the certificate's "Not After" date and the current time to epoch seconds
exp=$(date -d "$(openssl x509 -in "$cert_file" -text -noout | grep "Not After" | cut -c 25-)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(echo \( "$exp" - "$datenow" \) / 86400 | bc)

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0;
else
    echo "The certificate for $domain is about to expire soon. Starting renewal request..."
    domain_list=$( get_domain_list "$domain" )
    "$le_path"/letsencrypt-auto certonly -a webroot --agree-tos --renew-by-default --webroot-path="$webpath" --domains "${domain_list}"
    echo "Reloading Nginx..."
    sudo systemctl reload nginx
    echo "Renewal process finished for domain $domain"
    exit 0;
fi

18. Replace the $webpath variable at the beginning of the script to match your Nginx document root. Make sure the script is executable and the bc calculator is installed on your system by issuing the following commands.

# chmod +x /usr/local/bin/cert-renew
# yum install bc

You can test the script against your domain by issuing the following command:

# /usr/local/bin/cert-renew yourdomain.tld

19. Finally, to run the certificate renewal process automatically, add a new cron job that executes the script every week, so the certificate is updated within 30 days before the expiration date.

# crontab -e

Add the following line at the bottom of the file.

@weekly /usr/local/bin/cert-renew your_domain.tld >> /var/log/your_domain.tld-renew.log 2>&1

That’s all! Now the Nginx server can deliver secure web content with a free SSL/TLS Let’s Encrypt certificate on your website.