Free TLS/SSL certificate from Let’s Encrypt on Centos 6.5/7 and nginx in 6 simple steps
Lets Encrypt is a free, automated and open Certificate Authority, an initiative supported by online big companies such as facebook, cisco etc to make web more safe.
I will be guiding you to setup Let’s Encrypt on Centos6.5/7 and nginx webserver. The following steps can be modified as according to your environment needs like other linux distros such as ubuntu etc. Setting this up on ubuntu shouldn’t differ much.
Here’s what you need to get started
- Centos 6.5/7 server where you have SSH access or shell access. (You must have SSH access to be able to use Let’s Encrypt)
- A registered domain name. www.yourdomainname.com
Steps:
- Point domain name to your server
You can point your domain name (both version along with www) to your server by configuring the proper A record provided by your web hosting, usually you do this by logging into your domain name account accessing DNS settings where you can enter the DNS settings, these process should be more or less same for various domain name providers. Let’s Encrypt will only issue certificate to a server which is accessible via domain name.
- Now access your Centos6.5/7 via SSH and install nginx webserver using following commands
sudo yum install epel-release
sudo yum install nginx
Now start nginx
sudo systemctl start nginx
Now you should be able to go to http://www.yourdomainname.com and you should see something like this
- Now Install Let’s Encrypt Client application using git
Install git
sudo yum install git
Clone and Install Let’s Encrypt from official github repository to your server at /opt/letsencrypt by
sudo git clone
https://github.com/letsencrypt/letsencrypt
/opt/letsencrypt
- Request SSL Certificate for yourdomainname.com
While running Let’s Encrypt SSL Certificate request script it listens on port 80 for Let’s Encrypt to verify that the domain name belongs to your server, so we need to close any programs that is currently running on port 80. So we need to shutdown our nginx server for now, if your are running on different version of Centos the commands to restart, stop, start nginx could be different.
Usually following command should work
Now to stop nginx
sudo systemctl stop nginx
Now Request SSL Certificate
cd /opt/letsencrypt
Use the standalone plugin to request for certificate by executing following command
./letsencrypt-auto certonly –standalone
At the first prompt add your email address and second prompt domain names as follows
[email protected] and yourdomainname.com www.yourdomainname.com
If everything goes well the script will output a message with your certificate expiry date usually in 3 months.
- Now configure nginx to use the Let’s Encrypt Certificate by
sudo nano /etc/nginx/sites-available/default
Now change the server block and comment out 2 lines with listen 80 and add listen 443 ssl; for eg:
# listen 80 default_server;
# listen [::]:80 default_server ipv6only=on;
listen 443 ssl;
Now add your domain names and ssl certificate like this
server_name yourdomainname.com www.yourdomainname.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/yourdomainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomainname.com/privkey.pem;
root /usr/share/nginx/html; index index.html index.htm;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AES256+EECDH:AES256+EDH';
Now add a server block to redirect port 80 traffic to port 443
server {
listen 80;
server_name yourdomainname.com www.yourdomainname.com;
location / {
return 301 https://www.yourdomainname.com$request_uri;
}
}
Now Save and exit the file and start nginx to put the changes into effect by
sudo systemctl start nginx
At this point your SSL certificate should be in place and you can test by visiting your domain name.
- Since Let’s Encrypt Certificate are valid for 90 days you can automate that renewal process.
Here’s how you do it
Add the following location block under ssl server block on your nginx configuration
location ~ /.well-known {
allow all;
}
Next we need to setup Let’s Encrypt configuration file for automation of SSL Certificate request. Copy cli.ini to /usr/local/etc/le-renew-webroot.ini
sudo cp /opt/letsencrypt/examples/cli.ini /usr/local/etc/le-renew-webroot.ini
Now edit the configuration file to fit your needs
sudo nano /usr/local/etc/le-renew-webroot.ini
Uncomment line with email and add your email which you entered before such as
email = [email protected]
Uncomment line with domains and add domains as follows (maintaining the order)
domains = yourdomainname.com, www.yourdomainname.com
Then uncomment the webroot path and make sure it matches the webroot path specified in you nginx configuration as follows
webroot-path = /usr/share/nginx/html
Now cd into cd /opt/letsencrypt and test the renewal request script using the following command
cd /opt/letsencrypt
Assuming the configuration are correct the script should output Congratulation message with expiry date of the certificate. If the expiry date is less than 30 days the renewal request will be sent.
./letsencrypt-auto certonly -a webroot --renew-by-default --config /usr/local/etc/le-renew-webroot.ini
Now to automate the autorenewal process we will be using a shell script and use a cronjob that will schedule this script to be run every week.
Now download the script by using following command
sudo curl -L -o /usr/local/sbin/le-renew-webroot
http://do.co/le-nginx-renew
Make it executable
sudo chmod +x /usr/local/sbin/le-renew-webroot
The le-renew-webroot script takes an argument the domain name whose certificate you want to check for renewal. If the renewal isn’t necessary it will simply output the remaining days to expire with the domain name.
Now run a cronjob to execute this script to check for certificate renewal every week by running following command
sudo nano -c /etc/crontab
Then add this line to execute the script every monday at 1:30 am, the output of the log will be saved on /var/log/le-renewal.log
30 1 * * 1 /usr/local/sbin/le-renew-webroot >> /var/log/le-renewal.log
Save and exit the cron file.
Now your domain is using a Free SSL/TLS Certificate from Let’s Encrypt with auto renewal every 3 months.