How To Secure Nginx With Let’s Encrypt On
Let’s Encrypt is a new Certificate Authority (CA) that provides a way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It streamlines the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx web servers.
Before following this tutorial, you’ll need a few things.
A CentOS 7 server with a non-root user who has sudo privileges.
You must own or control the registered domain name that you wish to use the certificate with.
A DNS a Record that points your domain to the public IP address of your server.
After the requirements are met, we can start the installation.
Step 1 — Installing the Certbot Let’s Encrypt Client
The first step to using Let’s Encrypt to obtain an SSL certificate is to install the certbot software on your server.
Enable access to the EPEL repository on your server by typing:
Once the repository has been enabled, you can obtain the certbot-nginx package by typing:
The certbot Let’s Encrypt client is now installed and ready to use.
Step 2 — Setting up Nginx
If you haven’t installed Nginx yet, you can do so now. The EPEL repository should already be enabled from the previous section, so you can install Nginx by typing:
Then, start Nginx using systemctl:
Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you’re requesting a certificate for. If you’re starting out with a fresh Nginx install, you can update the default config file using vi or your favorite text editor:
Find the existing server_name line:
_ underscore with your domain name:
Save the file and quit your editor. If you are using vi, enter 😡, then y when prompted, to save and quit. Verify the syntax of your configuration edits with:
If that runs with no errors, reload Nginx to load the new configuration:
Certbot will now be able to find the correct server block and update it. Now we’ll update our firewall to allow HTTPS traffic.
Step 3 — Updating the Firewall
If you have a firewall enabled, make sure port 80 and 443 are open to incoming traffic. If you are not running a firewall, you can skip ahead.
If you have a firewalld firewall running, you can open these ports by typing:
If have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For an initial rule set, you can add HTTP and HTTPS access by typing:
We’re now ready to run Certbot and fetch our certificates.
Step 4 — Obtaining a Certificate
Certbot provides a variety of ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:
This runs certbot with the –nginx plugin, using -d to specify the names we’d like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser’s security indicator. It should represent that the site is properly secured, usually with a green lock icon.
Step 5 — Setting Up Auto Renewal
Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We’ll need to set up a regularly run command to check for expiring certificates and renew them automatically.
To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.
Your text editor will open the default crontab which is an empty text file at this point. Paste in the following line, then save and close it:
The 15 3 * * * part of this line means “run the following command at 3:15 am, every day”. You may choose any time.
The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. –quiet tells Certbot not to output information or wait for user input.
cron will now run this command daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.
In this tutorial we’ve installed the Let’s Encrypt client certbot, downloaded SSL certificates for our domain, configured Nginx to use these certificates, and set up automatic certificate renewal.