In this article, we will have explained the necessary steps to secure Nginx with let’s encrypt on CentOS 8. Before continuing with this tutorial, make sure you are logged in as a user with sudo privileges. All the commands in this tutorial should be run as a non-root user.
Let’s Encrypt is a certificate authority that provides free SSL certificates for the website, operating since April 2016, and supported by companies and internet organizations of the world such as Mozilla, Cisco, Chrome, Akamai, etc.
Secure Nginx with Let’s Encrypt on CentOS
Step 1. The first command will update the package lists to ensure you get the latest version and dependencies.
1 2 3 | sudodnfinstallepel-release sudodnfupdate sudodnfinstallmod_sslopenssl |
Before install the Let’s Encrypt SSL domain should be well accessed and use the Nginx virtual host. Read the tutorial how to install Nginx on CentOS 8.
Step 2. Install Certbot.
The certbot package is not included in the standard CentOS 8 repositories, but it can be downloaded from the vendor’s website:
1 2 | sudowget-P/usr/local/binhttps://dl.eff.org/certbot-auto sudochmod+x/usr/local/bin/certbot-auto |
Next, generate a new set of 2048 bit DH parameters using the following command:
1 | sudoopenssldhparam-out/etc/ssl/certs/dhparam.pem2048 |
To obtain an SSL certificate for the domain, we’re going to use the Webroot plugin that works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory:
1 2 3 | sudomkdir-p/var/lib/letsencrypt/.well-known sudochgrpnginx/var/lib/letsencrypt sudochmodg+s/var/lib/letsencrypt |
To avoid duplicating code, create the following two snippets which will be included in all Nginx server block files:
1 | sudomkdir/etc/nginx/snippets |
1 2 3 4 5 6 7 8 | $nano/etc/nginx/snippets/letsencrypt.conf location^~/.well-known/acme-challenge/{ allowall; root/var/lib/letsencrypt/; default_type"text/plain"; try_files$uri=404; } |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | $nano/etc/nginx/snippets/ssl.conf ssl_dhparam/etc/ssl/certs/dhparam.pem; ssl_session_timeout1d; ssl_session_cacheshared:SSL:10m; ssl_session_ticketsoff; ssl_protocolsTLSv1.2TLSv1.3; ssl_ciphersECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphersoff; ssl_staplingon; ssl_stapling_verifyon; resolver8.8.8.88.8.4.4valid=300s; resolver_timeout30s; add_headerStrict-Transport-Security"max-age=63072000"always; add_headerX-Frame-OptionsSAMEORIGIN; add_headerX-Content-Type-Optionsnosniff; |
Once the snippets are created, open the domain server block and include the letsencrypt.conf snippet, as shown below:
1 2 3 4 5 6 7 8 | $nano/etc/nginx/conf.d/example.com.conf server{ listen80; server_nameexample.comwww.example.com; includesnippets/letsencrypt.conf; } |
Reload Nginx configuration for changes to take effect:
1 | sudosystemctlreloadnginx |
Then, run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step:
1 | sudo/usr/local/bin/certbot-autocertonly--agree-tos--emailadmin@your-domain.com--webroot-w/var/lib/letsencrypt/-dyour-domain.com-dwww.your-domain.com |
Finally steps, edit your domain server block as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | $nano/etc/nginx/conf.d/example.com.conf server{ listen80; server_namewww.your-domain.comyour-domain.com; includesnippets/letsencrypt.conf; return301https://$host$request_uri; } server{ listen443sslhttp2; server_namewww.your-domain.com; ssl_certificate/etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key/etc/letsencrypt/live/example.com/privkey.pem; ssl_trusted_certificate/etc/letsencrypt/live/example.com/chain.pem; includesnippets/ssl.conf; includesnippets/letsencrypt.conf; return301https://example.com$request_uri; } server{ listen443sslhttp2; server_nameexample.com; ssl_certificate/etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key/etc/letsencrypt/live/example.com/privkey.pem; ssl_trusted_certificate/etc/letsencrypt/live/example.com/chain.pem; includesnippets/ssl.conf; includesnippets/letsencrypt.conf; # . . . other code } |
Reload the Nginx service for changes to take effect:
1 | sudosystemctlreloadnginx |
Step 4. Checking your Certificate Status.
You can ensure that Certbot created your SSL certificate correctly by using the SSL Server Test from the cloud security company Qualys. Open the following link in your preferred web browser, replacing your-domain.com with your base domain:
1 | https://www.ssllabs.com/ssltest/analyze.html?d=your-domain.com |
Congratulation, you have learned how to secure Nginx with let’s encrypt on CentOS 8. If you have any question, please leave a comment below.
