Add Let’s Encrypt SSL certificate for Nginx website


Let’s Encrypt is a free SSL certificate provider (Certificate Authority), trusted and used by many individuals and organizations.

In this article, I will guide you step by step through installing a Let’s Encrypt certificate on CentOS 6 and 7 with Nginx. Let’s Encrypt issues Domain Validation (DV) certificates, which means that after installation you will see the green padlock in your browser. Let’s Encrypt also offers other SSL certificate types.

1. Install Let’s Encrypt SSL certificate for Nginx

We will clone Let’s Encrypt source code to the /opt/letsencrypt directory. This step performs the same on CentOS 6 and 7.

# Install Git
yum -y install git

# Clone Let's Encrypt repository
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

NOTE: Update Let’s Encrypt source code.

Sometimes you should update the Let’s Encrypt source code from GitHub to get the latest features, or because the Let’s Encrypt certificate does not renew automatically even though the crontab entry is enabled.

cd /opt/letsencrypt && git pull

If you see an error message like the one below:

error: Your local changes to 'letsencrypt-auto' would be overwritten by merge. Aborting.
Please, commit your changes or stash them before you can merge.

You will need to use this command:

cd /opt/letsencrypt && git reset --hard && git pull

You can set up to automatically update the Let’s Encrypt source code via crontab.

crontab -e

Copy and paste the line below into the editor that opens:

0 0 1 * * cd /opt/letsencrypt && git pull

2. Add the SSL Let’s Encrypt certificate for the domain

There are many ways to add a Let’s Encrypt SSL certificate to a domain. I will use the --standalone option.

Until May 2016, Certbot was called letsencrypt or letsencrypt-auto, depending on how it was installed. Some tutorials on the Internet still use the old name; this tutorial uses certbot-auto, but they all work the same way.

NOTE: If you are using CloudFlare, turn off the IP-hiding (proxy) function by clicking the cloud icon from yellow to gray before installing Let’s Encrypt, otherwise the validation request will not reach your server.

# Stop Nginx
service nginx stop

# Issue SSL Let's Encrypt
/opt/letsencrypt/certbot-auto certonly --standalone

Wait a while for Let’s Encrypt to install the necessary tools. Then enter your email address and press Enter.


Accept the terms of service by entering A, then press Enter.


Next, enter the domain name that will use the SSL certificate, then press Enter. At this step, enter only the non-www and www versions of one domain or subdomain. When you want to add another domain or subdomain, see the instructions below.

If there is no problem, you will see the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/tricksmagical.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/tricksmagical.com/privkey.pem
   Your cert will expire on 2019-06-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note the two highlighted pieces of information:

  • /etc/letsencrypt/live/tricksmagical.com/: the directory containing the certificate files
  • 2019-06-25: the expiry date of the certificate (90 days from the date of issuance)

NOTE: Installing Let’s Encrypt SSL certificates for multiple websites

If you need to add another domain or subdomain, just run the command below again and enter the new domain when prompted:

# Stop Nginx
service nginx stop

# Issue another Let's Encrypt certificate
/opt/letsencrypt/certbot-auto certonly --standalone

The new domain will get its own folder under /etc/letsencrypt/live/ containing the necessary certificate files.

3. Configure Nginx

After we have the certificate files, we will edit the Nginx configuration file for the domain. For example, if your domain is tricksmagical.com, the configuration file will be /etc/nginx/domains/tricksmagical.com.conf. You can read this article to see my domain configuration: Deploy NodeJS Application on CentOS 7

Remember to replace tricksmagical.com with your domain.

NOTE: Only configure Nginx after the SSL certificate has been issued successfully; otherwise Nginx will fail to start because the certificate files do not exist yet.

Create a 2048-bit DH parameters file (only once per VPS); the bit count goes last on the openssl command line:

mkdir -p /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Edit domain configuration with Vim

vim /etc/nginx/domains/tricksmagical.com.conf

Add the following line after listen 80;

listen 443 ssl;

Then add the following inside the server { } block (the ssl_dhparam line points at the DH parameters file created above):

    # SSL
    ssl_certificate /etc/letsencrypt/live/tricksmagical.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tricksmagical.com/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Redirect plain-HTTP requests to HTTPS
    set $https_redirect 0;
    if ($server_port = 80) { set $https_redirect 1; }
    if ($https_redirect = 1) {
        return 301 https://tricksmagical.com$request_uri;
    }

    # Prevents 502 Bad Gateway errors caused by large request headers
    large_client_header_buffers 8 32k;
    keepalive_timeout       60;

This is my full configuration for a PHP website:

server {
    listen 80;
    listen 443 ssl;
    server_name  www.tricksmagical.com tricksmagical.com;

    # SSL
    ssl_certificate /etc/letsencrypt/live/tricksmagical.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tricksmagical.com/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Redirect plain-HTTP requests to HTTPS
    set $https_redirect 0;
    if ($server_port = 80) { set $https_redirect 1; }
    if ($https_redirect = 1) {
        return 301 https://tricksmagical.com$request_uri;
    }

    # Prevents 502 Bad Gateway errors caused by large request headers
    large_client_header_buffers 8 32k;
    keepalive_timeout       60;

    error_log /home/nginx/tricksmagical/log/error.log error;
    root /home/nginx/tricksmagical/public_html/public;
    location / {
        rewrite ^/(.*)$ /index.php?url=$1 last;
    }
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    include /etc/nginx/conf.d/php.conf;
    include /etc/nginx/conf.d/staticfiles.conf;
    include /etc/nginx/conf.d/block.conf;
}

Now check the configuration and restart Nginx:

nginx -t && service nginx restart

4. Let’s Encrypt SSL certificate for Nginx auto-renewal

A Let’s Encrypt certificate is only valid for 90 days, so you need to rerun the command below to renew it:

/opt/letsencrypt/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

However, I will show you how to renew the certificate automatically with crontab, so you can use SSL for free indefinitely without having to worry about renewing.

Open crontab config file:

crontab -e

Copy and paste this line:

30 2 * * * /opt/letsencrypt/certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/le-renew.log

The crontab entry runs the Let’s Encrypt renewal command at 2:30 am every day; certbot-auto checks whether each certificate is close to expiry and renews it only when needed. Before renewing it stops Nginx, and right after renewing it starts Nginx again, so the website is affected for only a few seconds. That’s it, you can safely use Let’s Encrypt.
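Two things go wrong silently in the steps above: Nginx refuses to start when a certificate does not match its private key (a half-finished renewal or a wrong path in section 3), and the renewal cron in section 4 can fail for months without anyone noticing until the certificate expires. The following POSIX shell script is an added example, not code from the original article or from Certbot; it checks every directory under the Let’s Encrypt live directory for both problems and reloads Nginx only when the checks and `nginx -t` pass. It assumes the openssl CLI is installed; the path /etc/letsencrypt/live is the layout shown in the article’s output, and the function and script names are my own.

```shell
#!/bin/sh
# Added example (not from the original article or from Certbot).
# Sanity checks for the certificates Certbot writes under
# /etc/letsencrypt/live/<domain>/, to run before restarting Nginx and from
# the renewal cron. Assumes the openssl command-line tool is available.

# Return 0 when the public key embedded in CERT equals the public key of KEY.
# Nginx fails to start with "key values mismatch" when these differ.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when CERT is still valid for at least DAYS more days (default 30).
# Certbot renews at 30 days before expiry, so anything closer than that means
# the cron job is not actually renewing. Uses openssl's own expiry check
# rather than parsing dates, so it behaves the same on every platform.
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1
}

# Check every <domain>/fullchain.pem + privkey.pem pair under LIVE (default
# /etc/letsencrypt/live). Prints one line per domain and returns 1 if any
# certificate is broken or expiring within DAYS days.
check_live_dir() {
    live="${1:-/etc/letsencrypt/live}"; days="${2:-30}"; rc=0
    for dir in "$live"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        cert="$dir/fullchain.pem"; key="$dir/privkey.pem"
        if ! cert_key_match "$cert" "$key"; then
            echo "FAIL $name: certificate and private key do not match (or are unreadable)"
            rc=1
        elif ! cert_valid_for_days "$cert" "$days"; then
            echo "WARN $name: expires within $days days, renewal is not working"
            rc=1
        else
            echo "OK   $name"
        fi
    done
    return $rc
}

# Apply a new certificate safely: only reload Nginx (graceful, no dropped
# connections, unlike restart) when no certificate is broken or already
# expired and the configuration parses.
safe_reload() {
    check_live_dir "${1:-/etc/letsencrypt/live}" 0 && nginx -t && service nginx reload
}

# Usage: sh check-le.sh [/etc/letsencrypt/live] [days]
# Without arguments the script only defines the functions, so it can be sourced.
if [ $# -gt 0 ]; then
    check_live_dir "$@"
fi
```

Run it as `sh check-le.sh /etc/letsencrypt/live 30` from a second cron entry that mails its output, or call `safe_reload` as the renewal `--post-hook` in place of a bare `service nginx start`; a non-zero exit status is the signal that a human needs to look before the certificate expires.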

5. Remove Let’s Encrypt certificate

When you no longer use the Let’s Encrypt SSL certificate for Nginx (for example, you switch to another provider) and want to delete the installed Let’s Encrypt certificate, use the command below:

# Remove Let's Encrypt
/opt/letsencrypt/certbot-auto delete

Next, enter the number of the certificate corresponding to the domain you want to delete, press Enter, and everything will be cleaned up.

Thank you for reading. If you have trouble please leave a comment.
