Free TLS/SSL certificate from Let’s Encrypt on Centos 6.5/7 and nginx in 6 simple steps

in #nginx7 years ago (edited)

Lets Encrypt is a free, automated and open Certificate Authority, an initiative supported by online big companies such as facebook, cisco etc to make web more safe.

I will be guiding you to setup Let’s Encrypt on Centos6.5/7 and nginx webserver. The following steps can be modified as according to your environment needs like other linux distros such as ubuntu etc. Setting this up on ubuntu shouldn’t differ much.

Here’s what you need to get started   

  • Centos 6.5/7 server where you have SSH access or shell access. (You must have SSH access to be able to use Let’s Encrypt)
  • A registered domain name.  www.yourdomainname.com   

Steps:

  1. Point domain name to your server     
    You can point your domain name (both version along with www) to your server by configuring the proper A record provided by your web hosting, usually you do this by logging into your domain name account accessing DNS settings where you can enter the DNS settings, these process should be more or less same for various domain name providers. Let’s Encrypt will only issue certificate to a server which is accessible via domain name.

  2. Now access your Centos6.5/7 via SSH and install nginx webserver using following commands  
    sudo yum install epel-release      
    sudo yum install nginx
           
    Now start nginx       
    sudo systemctl start nginx        
    Now you should be able to go to http://www.yourdomainname.com and you should see something like this



  3. Now Install Let’s Encrypt Client application using git      
    Install git      
    sudo yum install git  
          
    Clone and Install Let’s Encrypt from official github repository to your server at /opt/letsencrypt by      
    sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt   

  4. Request SSL Certificate for yourdomainname.com      
    While running Let’s Encrypt SSL Certificate request script it listens on port 80 for Let’s Encrypt to verify that the domain name belongs to your server, so we need to close any programs that is currently running on port 80. So we need to shutdown our nginx server for now, if your are running on different version of Centos the commands to restart, stop, start nginx could be different.
    Usually following command should work
    Now to stop nginx   
    sudo systemctl stop nginx   
    Now Request SSL Certificate   
    cd /opt/letsencrypt
    Use the standalone plugin to request for certificate by executing following command
    ./letsencrypt-auto certonly –standalone
    At the first prompt add your email address and second prompt domain names as follows
    [email protected] and yourdomainname.com www.yourdomainname.com
    If everything goes well the script will output a message with your certificate expiry date usually in 3 months.

  5. Now configure nginx to use the Let’s Encrypt Certificate by
    sudo nano /etc/nginx/sites-available/default

    Now change the server block and comment out 2 lines with listen 80 and add listen 443 ssl; for eg:
    # listen 80 default_server;
    # listen [::]:80 default_server ipv6only=on;
    listen 443 ssl;

    Now add your domain names and ssl certificate like this   
    server_name yourdomainname.com www.yourdomainname.com;  
    ssl   on;  
    ssl_certificate    /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;  
    ssl_certificate_key    /etc/letsencrypt/live/yourdomainname.com/privkey.pem;
    root /usr/share/nginx/html;  index index.html index.htm;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  
    ssl_prefer_server_ciphers on;  
    ssl_ciphers 'EECDH+AESGCM:EDH+AES256+EECDH:AES256+EDH';

    Now add a server block to redirect port 80 traffic to port 443    
    server {    
           listen 80;    
           server_name  yourdomainname.com www.yourdomainname.com;    
           location / {        
                    return 301 https://www.yourdomainname.com$request_uri;    
           }
    }

    Now Save and exit the file and start nginx to put the changes into effect by  
    sudo systemctl start nginx  
    At this point your SSL certificate should be in place and you can test by visiting your domain name.

  6. Since Let’s Encrypt Certificate are valid for 90 days you can automate that renewal process.
    Here’s how you do it
    Add the following location block under ssl server block on your nginx configuration
    location ~ /.well-known {  
    allow all;
    }

    Next we need to setup Let’s Encrypt configuration file for automation of SSL Certificate request.   Copy cli.ini to /usr/local/etc/le-renew-webroot.ini
    sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
    Now edit the configuration file to fit your needs   
    sudo nano /usr/local/etc/le-renew-webroot.ini
    Uncomment line with email and add your email which you entered before  such as
    email = [email protected]
    Uncomment line with domains and add domains as follows (maintaining the order)
    domains = yourdomainname.com, www.yourdomainname.com
    Then uncomment the webroot path and make sure it matches the webroot path specified in you nginx configuration as follows
    webroot-path = /usr/share/nginx/html
    Now cd into cd /opt/letsencrypt and test the renewal request script using the following command
    cd /opt/letsencrypt
    ./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
    Assuming the configuration are correct the script should output Congratulation message with expiry date of the certificate. If the expiry date is less than 30 days the renewal request will be sent.   
    Now to automate the autorenewal process we will be using a shell script and use a cronjob that will schedule this script to be run every week.
    Now download the script by using following command   
    sudo curl -L -o /usr/local/sbin/le-renew-webroot http://do.co/le-nginx-renew
    Make it executable
    sudo chmod +x /usr/local/sbin/le-renew-webroot
    The le-renew-webroot script takes an argument the domain name whose certificate you want to check for renewal. If the renewal isn’t necessary it will simply output the remaining days to expire with the domain name.   
    Now run a cronjob to execute this script to check for certificate renewal every week by running following command   
    sudo nano -c /etc/crontab   
    Then add this line to execute the script every monday at 1:30 am, the output of the log will be saved on /var/log/le-renewal.log
    30 1 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log

    Save and exit the cron file. 


Now your domain is using a Free SSL/TLS Certificate from Let’s Encrypt with auto renewal every 3 months.