In this guide we are assuming you are running as root. If not, remember to add sudo before all commands.
We will be using the domain mysite.com as an example, with its root directory being /home/mysite/public_html. Remember to replace these with the relevant domain and root directory from your server.
1. Installing the required packages:
# yum install epel-release
This installs the EPEL repository on your server.
# yum install certbot
This installs the Let’s Encrypt bot itself.
**Bug – occasionally, if EPEL was previously installed, you will get an error that package certbot cannot be found. In this case remove the repository with:
# yum remove epel-release
and then install it again.
2. Setting up your VHOST for the authentication process:
Certbot verifies your domain by placing a special file in a special hidden directory called .well-known inside your domain’s root directory. You must edit your VHOST file in order to grant access to this folder.
The location of the VHOST file depends on your server configuration. In our system all the configuration files are loaded from /etc/nginx/conf.d/ and the VHOST file itself is called mysite.conf, so you need to edit the file:
/etc/nginx/conf.d/mysite.conf
In it paste the following line inside your server block:
location ~ /\.well-known {
allow all;
}
**NOTE: You may have a security setting blocking access to any hidden files or directories. It may look like this:
location ~ /\. {
deny all;
}
In this case you will need to disable it for certbot to successfully verify your domain.
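An alternative that keeps the hidden-file protection in place, added here as an example and not part of the original guide: nginx gives a `^~` prefix location priority over every regex location, so only the ACME challenge path is opened and every other dotfile stays blocked. It uses the same domain and webroot as the rest of this guide.

```nginx
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    root /home/mysite/public_html;

    # Certbot (webroot mode) writes its challenge files under
    # <webroot>/.well-known/acme-challenge/. The "^~" modifier makes this
    # prefix match win before nginx evaluates any "location ~" regex below,
    # so the deny-all rule never sees these requests, whatever the order.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
    }

    # Keep refusing every other dotfile and dotdir (.git, .env, .htpasswd, ...).
    location ~ /\. {
        deny all;
    }

    # ...more settings here...
}
```

After `nginx -t` and a reload, a request for http://mysite.com/.well-known/acme-challenge/test-file should return 404 (path served, file absent) rather than 403, which shows the carve-out works before you run certbot.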
Make sure to check your configuration with:
# nginx -t
If the configuration is successful you can run:
# service nginx restart
If not, check your configuration files for syntax errors.
3. Running certbot:
To run certbot to verify your domain and issue the Let’s Encrypt certificate, you must use the following command:
# certbot certonly -a webroot --webroot-path=/home/mysite/public_html -d mysite.com -d www.mysite.com
If you have any other aliases for your domain, make sure to add them as well after another -d.
During the process certbot will ask for your email address and will require you to accept its terms of service.
Afterwards, if everything is OK, you will get the following response:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mysite.com/fullchain.pem. Your
cert will expire on 20XX-XX-XX. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you lose your account credentials, you can recover through
e-mails sent to yourmail@domain.com*
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
*This is the email address you entered previously.
4. Setting up SSL enabled VHOST:
If you already have an SSL enabled VHOST configuration file set for the domain, all you need to do is change the directory from which it reads your certificate and key:
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
If this is the first time you are setting up SSL for the domain, you need to create a new VHOST file that uses SSL on port 443.
First you need to copy your regular VHOST file and rename it. This file will be edited later on.
# cp mysite.conf mysite_ssl.conf
# vi mysite_ssl.conf
Below is the regular VHOST file:
server {
listen 80;
server_name mysite.com www.mysite.com;
root /home/mysite/public_html;
...more settings here...
}
Change the settings according to the example below in your new SSL enabled VHOST:
server {
listen 443 ssl;
server_name mysite.com www.mysite.com;
root /home/mysite/public_html;
ssl on;
ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols SSLv2 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
ssl_prefer_server_ciphers on;
…more settings here…
}
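The protocol and cipher lines in the block above enable SSLv2, TLS 1.0/1.1 and RC4, all of which are broken or deprecated. Below is a hardened version of the same server block, written for this guide as an added example (not from the original post or the nginx project); it keeps the guide's domain and certificate paths and assumes nginx 1.13+ built against OpenSSL 1.1.1+ so that TLSv1.3 is available (drop it from ssl_protocols on older builds).

```nginx
server {
    listen 443 ssl;
    server_name mysite.com www.mysite.com;
    root /home/mysite/public_html;

    # "ssl on;" is not needed: "listen 443 ssl" already enables TLS.
    ssl_certificate     /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # Weak lines from the guide's block and their replacements:
    #   ssl_protocols SSLv2 TLSv1 TLSv1.1 TLSv1.2;   -> only TLS 1.2 and 1.3
    #   ssl_ciphers ALL:...:RC4+RSA:+HIGH:+MEDIUM;   -> forward-secret AEAD suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Every suite above is strong, so let the client choose the one it handles fastest.
    ssl_prefer_server_ciphers off;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # Session tickets reuse one server-side key; disable unless you rotate it.
    ssl_session_tickets off;

    # Tell browsers to stay on HTTPS for two years. Enable only once every
    # host this header will cover is served correctly over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # ...more settings here...
}

# Plain-HTTP block: keep the ACME challenge path reachable for certbot renew,
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name mysite.com www.mysite.com;

    location ^~ /.well-known/acme-challenge/ {
        root /home/mysite/public_html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
```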
Next run:
# nginx -t
To ensure everything is correct and then:
# service nginx restart
If everything is correct you can now access your domain via https://mysite.com
5. Setting up automatic renewal for the SSL
To renew the SSL certificate all you need to do is run the following command:
# certbot renew
And then reload NGINX:
# systemctl reload nginx
This will check all active Let’s Encrypt certificates on the server and if one is about to expire, renew it automatically.
You can set up a cronjob to do it on set dates.
First open the cronjob editor:
# crontab -e
And then add the following two lines:
0 16 1,15 * * /usr/bin/certbot renew >> /var/log/le-renew.log
10 16 1,15 * * /usr/bin/systemctl reload nginx
This will run certbot and write the result to a log file. Ten minutes later it will reload NGINX so that the renewed certificate is picked up.
In my example the cronjob will run twice each month, on the 1st and 15th at 16:00/16:10, but you may want to use your own preferred times. You can use https://crontab.guru/ to easily edit the cron time settings and then copy and paste the result into the cron editor.