Complete guide to configure SSL on Nginx with Let’s Encrypt on CentOS/RHEL

Securing your website with an SSL certificate is now a must for every website admin; otherwise web browsers will mark the website as unsafe to visit, causing a loss of website traffic. SSL certificates are not cheap, but there is a way to get one for free. The only downside is that we need to renew the certificate every 90 days, and that process can also be automated.

Pre-Requisites

 We will need a registered domain name,
 We will need a CentOS/RHEL or Ubuntu server with Nginx installed. We have created a detailed ARTICLE HERE for Nginx installation,

Install Let’s Encrypt on CentOS/RHEL

To install Certbot on CentOS, we first need to install the EPEL repository on our system. Install EPEL using the following command,

RHEL/CentOS 7

# rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

RHEL/CentOS 6 (64 Bit)

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

RHEL/CentOS 6 (32 Bit)

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Now install certbot using the following command,

# yum install certbot-nginx

Once certbot has been installed, we can issue the SSL certificate,

# certbot --nginx -d example.com -d www.example.com

Here example.com is the name of the website for which the certificate will be issued; replace it with the name of your website. If this is the first time you are using Certbot, you will be asked to enter an email address and to agree to the User Agreement.

Certbot will then check with the Let’s Encrypt server to verify that you are the web admin of the domain that you are trying to get an SSL certificate for (usually you need to place two files with random text provided by Let’s Encrypt at the location http://domain-name/.well-known/acme-challenge; more details on that HERE).

Once site ownership has been confirmed, we will be asked to configure redirect settings for Nginx. You can choose 1 (No-Redirect) or 2 (Redirect). If you choose 1, then you will have to configure the redirect yourself in the Nginx configuration afterwards. With option 2, the configuration will be updated and Nginx will be reloaded to apply the changes.

Our certificate is now installed and the new configuration has been loaded. As mentioned above, we need to renew the certificate every 90 days; for that we can create a new cron job.

Automatic Certificate Renewal

The following cron job will take care of the automatic certificate renewal,

# crontab -e

05 01 30 * * /usr/bin/certbot renew --quiet

This job will renew the certificate every 30 days at 1:05 AM. We can also run the following command to dry-run or test the renewal of the certificate,

# certbot renew --dry-run
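
A check of the schedule above, as an added example that is not part of the original article: in cron syntax the line 05 01 30 * * fires at 1:05 AM on day 30 of each month, so it never fires in February, and by default certbot renew only replaces a certificate that has fewer than 30 days left. The Python sketch below simulates that against a 90-day certificate; the issue date, the daily alternative and the function names are constructed for illustration, and every renewal attempt is assumed to succeed.

```python
from datetime import datetime, timedelta

LIFETIME = timedelta(days=90)      # certificate validity stated in the article
RENEW_WINDOW = timedelta(days=30)  # certbot default: renew only when < 30 days remain

def cron_runs(start, end, day_of_month=None):
    """Fire times at 01:05 between start and end.
    day_of_month=30 models '05 01 30 * *'; None models a daily '05 01 * * *'."""
    runs = []
    t = datetime(start.year, start.month, start.day, 1, 5)
    while t <= end:
        # Walking day by day means a month without a day 30 simply never matches.
        if t >= start and (day_of_month is None or t.day == day_of_month):
            runs.append(t)
        t += timedelta(days=1)
    return runs

def simulate(issued, runs):
    """Return (expired_at, renewed_at) for each period an expired certificate was served.
    Assumption: every renewal attempt succeeds."""
    not_after = issued + LIFETIME
    lapses = []
    for t in runs:
        if t >= not_after:
            lapses.append((not_after, t))  # already expired when cron finally ran
        elif not_after - t >= RENEW_WINDOW:
            continue                       # too early: certbot leaves the cert alone
        not_after = t + LIFETIME           # renewed: fresh 90-day certificate
    return lapses

if __name__ == "__main__":
    issued = datetime(2022, 12, 1, 12, 0)  # constructed issue time
    end = datetime(2023, 12, 31)
    schedules = (("05 01 30 * *", 30), ("05 01 * * * (assumed daily alternative)", None))
    for label, dom in schedules:
        lapses = simulate(issued, cron_runs(issued, end, dom))
        print(f"{label}: {len(lapses)} lapse(s)")
        for expired, renewed in lapses:
            print(f"  expired {expired}, renewed {renewed}, gap {renewed - expired}")
```

With the constructed issue date, the day-30 schedule runs on 30 January with just over 30 days left, skips February, and leaves an expired certificate in place from 1 March until 30 March 2023. A daily run of the same command renews on 31 January and never lets the certificate lapse.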
