How to configure Nginx with Let’s Encrypt on CentOS 7

How do I secure my Nginx web server with a free Let’s Encrypt SSL certificate on my CentOS 7 or RHEL 7 server? How do I configure Nginx with Let’s Encrypt on a CentOS 7 server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other project. This page shows how to use Let’s Encrypt to install a free SSL certificate for the Nginx web server. You will also learn how to deploy Diffie-Hellman parameters properly on your server to get an SSL Labs A+ score on CentOS/RHEL 7.

How to secure Nginx with Let’s Encrypt on CentOS 7

Our sample setup is as follows:
(Figure: sample setup for securing Nginx with Let's Encrypt on CentOS/RHEL 7)

The procedure for obtaining an SSL certificate is as follows:

  1. Get the software:
    git clone
  2. Create the /.well-known/acme-challenge/ directory:
    mkdir -p /var/www/html/.well-known/acme-challenge/
  3. Obtain an SSL certificate for your domain: --issue -w /DocumentRootPath/ -d your-domain
  4. Configure TLS/SSL on Nginx:
    vi /etc/nginx/sites-available/default
  5. Set up a cron job for automatic renewal
  6. Open port 443 (HTTPS):
    sudo firewall-cmd --add-service=https

Let us see how to install the client and use it on CentOS/RHEL 7 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software

Install the git, wget, curl and bc packages with the yum command:
$ sudo yum install git bc wget curl

Step 2 – Install Let’s Encrypt client

Clone the repo:
$ cd /tmp/
$ git clone

To install the client on your system, run:
$ cd
$ sudo -i
# ./ --install

After the install, you must close the current terminal and reopen it for the alias to take effect. Alternatively, type the following source command in the root shell you opened with sudo -i (source is a shell builtin, so it cannot be run through sudo):
# source ~/.bashrc

Step 3 – Create acme-challenge directory

Type the following mkdir command. Make sure you set D to the actual DocumentRoot path for your setup:
# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also create a directory to store the SSL certificate:
# mkdir -p /etc/nginx/ssl/

Step 4 – Create dhparams.pem file

Run the openssl command. The -dsaparam option makes generation fast but produces DSA-style parameters rather than a safe prime; drop it if you can afford the much longer generation time:
# cd /etc/nginx/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Step 5 – Obtain a certificate for your domain

Issue a certificate for your domain. The -w path must be the DocumentRoot under which you created .well-known/acme-challenge/ in Step 3, because the client writes the HTTP challenge file there: --issue -w /path/to/www/htmlRoot/ -d -k 2048
sudo --issue -w /usr/local/nginx/html -d -k 2048


Step 6 – Configure Nginx

You have just successfully requested an SSL certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure Nginx to use it. Edit default.ssl.conf:
$ sudo vi /etc/nginx/conf.d/default.ssl.conf
Append the following config:

server {
    #------- Start SSL config with http2 support ----#
    # Port 443 is the HTTPS port opened in Step 8; the "ssl" parameter on listen
    # replaces the deprecated "ssl on;" directive
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/;
    ssl_certificate_key /etc/nginx/ssl/;
    ssl_session_timeout 30m;
    # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 (and TLSv1.3 where your nginx supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    # DH parameters generated in Step 4
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/ssl_access.log;
    error_log /var/log/nginx/ssl_error.log;
    #-------- END SSL config -------##
    # Add rest of your config below like document root, php and more ##
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    # Allow php apps
    location ~ \.php$ {
        root /usr/share/nginx/html;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # Add a fastcgi_pass directive pointing at your PHP-FPM socket or port here;
        # without it nginx serves .php files as static text
    }
}
## END SSL ######

Save and close the file in vi/vim text editor.

Step 7 – Install certificate

Install the issued cert to nginx server:
# --installcert -d \
--keypath /etc/nginx/ssl/ \
--fullchainpath /etc/nginx/ssl/ \
--reloadcmd 'systemctl reload nginx'

Make sure the port is open with the ss command or the netstat command:
# ss -tulpn

Step 8 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect to it. Update the firewall rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 9 – Test it

Fire up a web browser and type your domain, such as:
Then test it with the SSL Labs test site:
(Figure: SSL Labs A+ test result for Nginx with a Let's Encrypt certificate on RHEL/CentOS 7)
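The browser and SSL Labs checks above are manual. The script below is an added example, not part of the original tutorial, that automates the checks a practitioner wants after Steps 6 to 9: certificate days remaining, the HSTS header set in the Step 6 config, OCSP stapling, deprecated protocols on the ssl_protocols line, and whether the acme-challenge path from Step 3 is still served over plain HTTP (the cron renewal depends on it). It assumes GNU coreutils (date -d), openssl and curl; the host argument and the WEBROOT variable (defaulting to the Step 3 DocumentRoot) are hypothetical inputs you supply.

```shell
#!/usr/bin/env bash
# Post-deployment checks for the Nginx + Let's Encrypt setup (added example,
# not the tutorial's own code). Assumes GNU date, openssl and curl.
set -u

# Print the number of days until the certificate expires. Input is the line
# printed by "openssl x509 -noout -enddate", e.g. "notAfter=Jun  1 12:00:00 2030 GMT".
cert_days_left() {
    local enddate="${1#notAfter=}" end_epoch now_epoch
    end_epoch=$(date -u -d "$enddate" +%s) || return 2
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 when the certificate has more than MIN_DAYS left.
cert_expiry_ok() {          # cert_expiry_ok "<notAfter line>" MIN_DAYS
    local days
    days=$(cert_days_left "$1") || return 2
    [ "$days" -gt "$2" ]
}

# Return 0 when the raw response headers carry an HSTS max-age of at least one
# year (31536000 seconds), matching the add_header line in Step 6.
hsts_ok() {                 # hsts_ok "<raw response headers>"
    local age
    age=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk -F'max-age=' 'tolower($0) ~ /^strict-transport-security:/ {split($2, a, /[^0-9]/); print a[1]}')
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Print (one per line) the deprecated protocol names found on the ssl_protocols
# line of an nginx config file. The Step 6 sample still lists TLSv1 and TLSv1.1.
weak_protocols() {          # weak_protocols /path/to/nginx.conf
    grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | tr -d ';' \
        | tr -s ' \t' '\n' | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' | sort -u
}

# Live checks against a host (needs network and, for the challenge probe, root on
# the server itself). Not exercised by the offline tests.
audit_site() {              # audit_site <hypothetical host>
    local host="$1" enddate headers code
    local webroot="${WEBROOT:-/usr/share/nginx/html}" probe="probe-$$"

    enddate=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate)
    if cert_expiry_ok "$enddate" 30; then
        echo "OK   certificate has $(cert_days_left "$enddate") days left"
    else
        echo "WARN certificate expires within 30 days; check the cron renewal job (Step 10)"
    fi

    if openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'; then
        echo "OK   OCSP stapling active"
    else
        echo "WARN no stapled OCSP response (nginx fetches it after the first request; retry once)"
    fi

    headers=$(curl -sI "https://$host/")
    if hsts_ok "$headers"; then
        echo "OK   HSTS max-age >= 1 year"
    else
        echo "WARN HSTS header missing or max-age below one year"
    fi

    # The http-01 renewal needs the challenge directory reachable over plain HTTP.
    if echo ok > "$webroot/.well-known/acme-challenge/$probe" 2>/dev/null; then
        code=$(curl -sL -o /dev/null -w '%{http_code}' "http://$host/.well-known/acme-challenge/$probe")
        rm -f "$webroot/.well-known/acme-challenge/$probe"
        if [ "$code" = "200" ]; then
            echo "OK   acme-challenge path served over HTTP"
        else
            echo "WARN acme-challenge probe returned HTTP $code; automatic renewal will fail"
        fi
    fi
}

if [ $# -gt 0 ]; then
    audit_site "$1"
    [ -n "${NGINX_CONF:-}" ] && weak_protocols "$NGINX_CONF" | sed 's/^/WARN deprecated protocol enabled: /'
fi
```

Run it on the server as root with the domain as the first argument and, optionally, NGINX_CONF pointing at default.ssl.conf to flag the deprecated protocols; a WARN on the challenge probe means the renewal cron job from Step 10 will not succeed until the path is served again.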

Step 10 – Other useful client commands

List all certificates:
# --list
Renew a certificate for the domain named
# --renew -d
Please note that a cron job will also try to renew the certificate for you. It is installed by default (no action is required on your part). To see the job, run:
# crontab -l
Sample outputs:

8 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

Upgrade client:
# --upgrade
Getting help:
# --help | more


You learned how to install and set up a Let’s Encrypt TLS/SSL certificate on your CentOS Linux 7 server. See the project home page here for more information.

This entry is 3 of 3 in the Linux, Nginx, MySQL, PHP (LEMP) Stack for CentOS/RHEL 7 Tutorial series.
This entry is 4 of 15 in the Secure Web Server with Let's Encrypt Tutorial series.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

0 comments… add one

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.