How to configure Nginx with Let’s Encrypt on CentOS 8

How do I secure my Nginx web server with Let’s Encrypt free ssl certificate on my CentOS 8 server? How to set up and configure Nginx with Let’s Encrypt on CentOS 8?

Let’s Encrypt is a free, automated, and open certificate authority for your website, email server and more. This page shows how to use Let’s Encrypt to install certificate for Nginx web server get SSL labs A+ score on a CentOS 8.

How to secure Nginx with Let’s Encrypt on CentOS 8

The procedure is as follows to obtaining an SSL certificate:

  1. Get software:
    git clone
  2. Create nginx config for your domain:
    vi /etc/nginx/conf.d/your-domain-name.conf
  3. Obtain an SSL certificate your domain: --issue -d your-domain-name --nginx
  4. Configure TLS/SSL on Nginx:
    vi /etc/nginx/conf.d/your-domain-name.conf
  5. Setup cron job setup for auto renewal
  6. Open port 443 (HTTPS) using Firwalld on CentOS 8:
    sudo firewall-cmd --add-service=https

Let us see how to install client and use it on a CentOS 8 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software

Install the git, wget, curl and bc packages with the yum command:
sudo yum install git bc wget curl socat

Step 2 – Install Let’s Encrypt client

Clone the repo:
cd /tmp/
git clone

Install client on to your system, run:
sudo -i ## be root user ##
./ --install

After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following source command:
sudo source ~/.bashrc
Verify installation by printing version number: --version

Step 3 – Basic nginx config for http server

I am going to create a new config for domain named (feel free to replace with your actual domain name) as follows:
# vi /etc/nginx/conf.d/
Append the following code:

# http port 80
server {
    listen      80;
    access_log  /var/log/nginx/http_c8nginx.cyberciti.biz_access.log;
    error_log   /var/log/nginx/http_c8nginx.cyberciti.biz_error.log;
    root        /usr/share/nginx/html;

Save and close the file. Test nginx set up and reload the nginx server as follows:
# nginx -t
# systemctl restart nginx.service

Step 4 – Create dhparams.pem file

Run openssl command but create a new directory using the mkdir command:
# mkdir -pv /etc/nginx/ssl/
# cd /etc/nginx/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096

See “how to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux” for more info.

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain:
sudo --issue -d -k 2048 --nginx
## for two domains ##
sudo --issue -d -d -k 2048 --nginx
## get certs for three domains ##
sudo --issue -d -d -d -k 2048 --nginx
## let us get cert for domain only ##
sudo --issue -d -k 4096 --nginx

Step 6 – Configure Nginx

You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 8 Linux server. It is time to configure it. Update for ssl config as follows:
$ sudo vi /etc/nginx/conf.d/
Append the following config:

## http port 80: START config ##
server {
    listen 80;
    listen [::]:80;
    access_log  /var/log/nginx/http_c8nginx.cyberciti.biz_access.log;
    error_log   /var/log/nginx/http_c8nginx.cyberciti.biz_error.log;
    root        /usr/share/nginx/html;
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
## https port 443: START config ##
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /usr/share/nginx/html;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate  /etc/nginx/ssl/;
    ssl_certificate_key /etc/nginx/ssl/;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/;
    # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # replace with the IP address of your resolver
    ## add other config below such as fastcgi or php and so on ##

Save and close the file in vi/vim text editor.

Step 7 – Install certificate

Install the issued cert to nginx server:
# --installcert -d \
--key-file /etc/nginx/ssl/ \
--fullchain-file /etc/nginx/ssl/ \
--reloadcmd 'systemctl reload nginx.service'

Make sure port os open with the ss command or netstat command:
# ss -tulpn

Step 7 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect it using Firewalld. Update the rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 8 – Test it

Fire a web browser and type your domain such as:
Test it with SSLlabs test site:

Step 9 – commands

List all certificates:
# --list
Sample outputs:

Main_Domain            KeyLength  SAN_Domains  Created                       Renew  "4096"     no           Mon Dec 30 16:57:10 UTC 2019  Fri Feb 28 16:57:10 UTC 2020

Renew a cert for domain named
# --renew -d
Please note that a cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part). To see job run:
# crontab -l
Sample outputs:

8 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

Upgrade client:
# --upgrade
Getting help:
# --help | more

This entry is 3 of 3 in the Linux, Nginx, MySQL, PHP (LEMP) Stack for CentOS 8 Tutorial series. Keep reading the rest of the series:
  1. Nginx on CentOS 8
  2. PHP 7.x on CentOS 8 For Nginx
  3. Setup Let's Encrypt on CentOS 8 for Nginx

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 0 comments... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat cp mkdir tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum