How to configure Nginx with Let’s Encrypt on CentOS 7

How do I secure my Nginx web server with Let’s Encrypt free ssl certificate on my CentOS 7 or RHEL 7 server? How to configure Nginx with Let’s Encrypt on CentOS 7 server?

Let’s Encrypt is a free, automated, and open certificate authority for your website or any other projects. This page shows how to use Let’s Encrypt to install a free SSL certificate for Nginx web server. You will learn how to properly deploy Diffie-Hellman on your server to get SSL labs A+ score on a CentOS/RHEL 7.
Tutorial requirements
Operating system/appCentOS 7 + Apache with mod_ssl
Root privileges required Yes
Difficulty Intermediate (rss)
Estimated completion time 20m
Table of contents

ADVERTISEMENTS

How to secure Nginx with Let’s Encrypt on CentOS 7

Our sample setup is as follows:
How to secure configure Nginx with Let's Encrypt on CentOS RHEL 7

How to secure Nginx with Let’s Encrypt on CentOS 7

The procedure is as follows to obtaining an SSL certificate:

  1. Get acme.sh software:
    git clone https://github.com/Neilpang/acme.sh.git
  2. Create /.well-known/acme-challenge/ directory:
    mkdir -p /var/www/html/.well-known/acme-challenge/
  3. Obtaining an SSL certificate your domain:
    acme.sh --issue -w /DocumentRootPath/ -d your-domain
  4. Configure TLS/SSL on Nginx:
    vi /etc/nginx/sites-available/default
  5. Setup cron job setup for auto renewal
  6. Open port 443 (HTTPS):
    sudo firewall-cmd --add-service=https

Let us see how to install acme.sh client and use it on a CentOS/RHEL 7 to get an SSL certificate from Let’s Encrypt.

Step 1 – Install the required software

Install the git, wget, curl and bc packages with the yum command:
$ sudo yum install git bc wget curl

Step 2 – Install acme.sh Let’s Encrypt client

Clone the repo:
$ cd /tmp/
$ git clone https://github.com/Neilpang/acme.sh.git

clone acme.sh git
Install acme.sh client on to your system, run:
$ cd acme.sh/
$ sudo -i
# ./acme.sh --install

install acme.sh client on centos 7 or rhel 7
After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following source command:
$ sudo source ~/.bashrc

Step 3 – Create acme-challenge directory

Type the following mkdir command. Make sure you set D to actual DocumentRoot path as per your needs:
# D=/usr/share/nginx/html
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Also create directory to store SSL certificate:
# mkdir -p /etc/nginx/ssl/cyberciti.biz/

Step 4 – Create dhparams.pem file

Run openssl command:
# cd /etc/nginx/ssl/cyberciti.biz/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain:
acme.sh --issue -w /path/to/www/htmlRoot/ -d example.com -k 2048
sudo acme.sh --issue -w /usr/local/nginx/html -d server2.cyberciti.biz -k 2048

CentOS Obtain Let's Encrypt certificate for domain

Step 6 – Configure Nginx

You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 7 or RHEL 7 server. It is time to configure it. Edit default.ssl.conf:
$ sudo vi /etc/nginx/conf.d/default.ssl.conf
Append the following config:

## START: SSL/HTTPS server2.cyberciti.biz ###
server {
    #------- Start SSL config with http2 support ----#
    listen 10.21.136.134:443 http2;
    server_name server2.cyberciti.biz;
    ssl on;
    ssl_certificate /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.key;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/ssl/cyberciti.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;
 
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
 
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
 
    ## Send header to tell the browser to prefer https to http traffic
    add_header Strict-Transport-Security max-age=31536000;
 
    ## SSL logs ##
    access_log /var/log/nginx/ssl_access.log;
    error_log /var/log/nginx/ssl_error.log;
    #-------- END SSL config -------##
    # Add rest of your config below like document root, php and more ##
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
    # Allow php apps
    location ~ \.php$ {
        root /usr/share/nginx/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }
}
## END SSL server2.cyberciti.biz ######

Save and close the file in vi/vim text editor.

Step 7 – Install certificate

Install the issued cert to nginx server:
# acme.sh --installcert -d server2.cyberciti.biz \
--keypath /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/cyberciti.biz/server2.cyberciti.biz.cer \
--reloadcmd 'systemctl reload nginx'

install let us encrupt certifcate in rhel 7
Make sure port os open with the ss command or netstat command:
# ss -tulpn

Step 8 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect it. Update the rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 9 – Test it

Fire a web browser and type your domain such as:
https://server2.cyberciti.biz
Test it with SSLlabs test site:
https://www.ssllabs.com/ssltest/analyze.html?d=server2.cyberciti.biz
RHEL CentOS 7 Nginx SSL Labs A+ Test result for Nginx with Lets Encrypt Certificate

Step 10 – acme.sh commands

List all certificates:
# acme.sh --list
Renew a cert for domain named server2.cyberciti.biz
# acme.sh --renew -d server2.cyberciti.biz
Please note that a cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part). To see job run:
# crontab -l
Sample outputs:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Upgrade acme.sh client:
# acme.sh --upgrade
Getting help:
# acme.sh --help | more

Conclusion

You learned how to install and set up Let’s Encrypt TLS/SSL certificate on your CentOS Linux 7 server. See acme.sh project home page here for more information.

This entry is 3 of 3 in the Linux, Nginx, MySQL, PHP (LEMP) Stack for CentOS/RHEL 7 Tutorial series. Keep reading the rest of the series:
  1. How to install and use Nginx on CentOS 7 / RHEL 7
  2. How to install PHP 7.2 on CentOS 7/RHEL 7
  3. How to configure Nginx with Let's Encrypt on CentOS 7
This entry is 4 of 13 in the Secure Web Server with Let's Encrypt Tutorial series. Keep reading the rest of the series:
  1. Set up Lets Encrypt on Debian/Ubuntu Linux
  2. Secure Lighttpd with Lets Encrypt certificate on Debian/Ubuntu
  3. Configure Nginx with Lets Encrypt certificate on Alpine Linux
  4. Nginx with Lets Encrypt on CentOS 7
  5. Apache with Lets Encrypt Certificates on RHEL 8
  6. CentOS 8 and Apache with Lets Encrypt Certificates
  7. Install Lets Encrypt certificates on CentOS 8 for Nginx
  8. Forcefully renew Let's Encrypt certificate
  9. OpenSUSE Linux and Nginx with Let's Encrypt Certificates
  10. Configure Nginx to use TLS 1.2 / 1.3 only
  11. Let's Encrypt wildcard certificate with acme.sh and Cloudflare DNS
  12. Nginx with Let's Encrypt on Ubuntu 18.04 with DNS Validation
  13. AWS Route 53 Let's Encrypt wildcard certificate with acme.sh
🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
0 comments… add one

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.