How to install Let’s Encrypt certificate on CentOS 7 (NGINX)

In the previous article I showed you how to install LEMP on CentOS. You can read it here.

 


In today’s article I will show you how to install a Let’s Encrypt SSL certificate on that LEMP stack.

Install a Let’s Encrypt SSL certificate on LEMP (CentOS)

Step 1: Install Certbot

I chose the Certbot client because it makes obtaining and installing a Let’s Encrypt certificate easy: its nginx plugin edits the server block for you.

First, install the EPEL repository, which provides the Certbot packages:

yum install epel-release

Now install the certbot-nginx package with the following command:

yum install certbot-nginx

Step 2: Redirect www to non-www in NGINX

In this case, I will redirect from www.example.com to example.com.

When the domain was added, an nginx configuration file was created for it, for example /etc/nginx/domains/yourdomain.com.conf.

Create a separate configuration file for the redirect (replace yourdomain.com with your own domain):

nano /etc/nginx/domains/yourdomain.com.redirect.conf

Paste the following server block into it:

server {
    listen 80;
    server_name www.example.com;
    # Permanent redirect to the bare domain, keeping the request path and query string
    return 301 $scheme://example.com$request_uri;
}

Save and exit nano.

Check the configuration and restart nginx: nginx -t && systemctl restart nginx

Step 3: Obtain a certificate

Get the certificate and settings for the domain you want:

certbot --nginx -d example.com -d www.example.com

The first time you run it, Certbot asks for an email address (used for expiry warnings and account recovery) and whether you agree to the terms of service. Next, it asks whether you are willing to share that address with the EFF; this is optional.

Finally, it asks whether to redirect HTTP traffic to HTTPS. Choose 2 (Redirect) so that every request is served over HTTPS; Certbot then rewrites the server blocks for both example.com and www.example.com.

Your website now serves a Let’s Encrypt certificate.

A Let’s Encrypt certificate is valid for only 90 days, so create a cron job that renews it automatically:

export VISUAL=nano; crontab -e

Add this line to:

15 3 * * * /usr/bin/certbot renew --quiet

Meaning: run the renewal command every day at 3:15 am. certbot renew only renews certificates that are close to expiry (by default, with fewer than 30 days left); otherwise it does nothing. Test the renewal path once with certbot renew --dry-run before relying on the cron job, and if a renewed certificate is not picked up by nginx, add --deploy-hook "systemctl reload nginx" to the command.

Step 4: Update the Diffie-Hellman parameters

If you test the website now with the SSL Labs Server Test, it will only earn a B, because no strong Diffie-Hellman group has been configured for the key exchange.

To fix this, generate a 2048-bit DH group (this can take a minute or two):

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Once successful, open the nginx configuration file:

nano /etc/nginx/domains/khamphaso.com.conf

Paste the following line into the HTTPS server block (the one whose listen directive contains 443 ssl):

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Newer Certbot releases already add an ssl_dhparam line pointing at /etc/letsencrypt/ssl-dhparams.pem. If yours does, replace that line rather than adding a second one, because nginx refuses to start on a duplicate directive in the same block.

By default, the listen directive that Certbot writes does not enable HTTP/2. Add the http2 parameter so it reads listen 443 ssl http2; then run nginx -t and reload nginx.

*** Note: Replace khamphaso.com with yourdomain.com
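As an added example (not part of the original article), here is a small shell audit you can run against the vhost file after Steps 2 to 4. It checks for the directives this guide expects: an HTTPS listener, the http2 parameter on it, an ssl_dhparam line, Let’s Encrypt certificate paths and the HTTP to HTTPS redirect. The two embedded sample vhosts are constructed to resemble Certbot’s output before and after hardening; they are not taken from a real server, and the paths follow the article’s own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a single-domain nginx vhost
# for the hardening this guide applies around Certbot. Checks: an HTTPS listener, the
# http2 parameter on it, an ssl_dhparam line, Let's Encrypt certificate paths and the
# HTTP -> HTTPS redirect. Assumes one vhost per file (/etc/nginx/domains/<domain>.conf)
# with one directive per line, which is how Certbot writes its changes.

# Usage: audit_vhost /etc/nginx/domains/yourdomain.com.conf
# Prints one line per check and returns the number of failed checks (0 = all good).
audit_vhost() {
    f=$1
    fails=0
    # a "listen" line carrying port 443 (optionally prefixed by an address), rest of line follows
    listen443='^[[:space:]]*listen[[:space:]]+([^;]*[^0-9])?443[[:space:]]+[^;]*'
    if grep -Eq "${listen443}ssl([[:space:]]|;)" "$f"; then
        echo "ok   : HTTPS listener (listen 443 ssl) present"
    else
        echo "FAIL : no 'listen 443 ssl'; Certbot has not configured HTTPS in this file"
        fails=$((fails + 1))
    fi
    if grep -Eq "${listen443}http2([[:space:]]|;)" "$f"; then
        echo "ok   : http2 enabled on the 443 listener"
    else
        echo "FAIL : 443 listener lacks http2; change it to 'listen 443 ssl http2;'"
        fails=$((fails + 1))
    fi
    n=$(grep -Ec '^[[:space:]]*ssl_dhparam[[:space:]]+[^;]+;' "$f" || true)
    if [ "$n" -eq 0 ]; then
        echo "FAIL : no ssl_dhparam; generate one with 'openssl dhparam' and reference it"
        fails=$((fails + 1))
    elif [ "$n" -gt 1 ]; then
        echo "WARN : $n ssl_dhparam lines; two in one server block make nginx refuse to start"
    else
        echo "ok   : ssl_dhparam present"
    fi
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+/etc/letsencrypt/live/' "$f"; then
        echo "ok   : certificate served from /etc/letsencrypt/live/"
    else
        echo "FAIL : ssl_certificate does not point at a Let's Encrypt lineage"
        fails=$((fails + 1))
    fi
    if grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$f"; then
        echo "ok   : HTTP -> HTTPS redirect present"
    else
        echo "FAIL : no 'return 301 https://...' redirect; plaintext HTTP is still served"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: what Certbot (--nginx, option 2) typically leaves behind.
sample_vhost_before() {
cat <<'EOF'
server {
    server_name example.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
}
EOF
}

# Constructed sample: the same vhost after Step 4 and the http2 change.
sample_vhost_after() {
cat <<'EOF'
server {
    server_name example.com;
    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name example.com;
    return 404; # managed by Certbot
}
EOF
}

# Demo on the constructed samples; on a real host run: audit_vhost /etc/nginx/domains/yourdomain.com.conf
before=$(mktemp); after=$(mktemp)
sample_vhost_before > "$before"; sample_vhost_after > "$after"
echo "== default Certbot vhost =="; audit_vhost "$before" || echo "-> $? check(s) failed"
echo "== hardened vhost ==";        audit_vhost "$after"  && echo "-> all checks passed"
rm -f "$before" "$after"
```

The return value is the number of failed checks, so the function can gate a deployment script. The duplicate ssl_dhparam warning is deliberately not counted as a failure, because two server blocks in one file may legitimately carry one each; it is there to catch the case where a Certbot-written line and the one from Step 4 end up in the same block.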

Step 5: Activate HTTP/2 for NGINX on CentOS

Currently, NGINX on CentOS has the following issue:

The system OpenSSL may be older than 1.0.2, and only OpenSSL 1.0.2 and later support the ALPN TLS extension that browsers use to negotiate HTTP/2. Against an older OpenSSL, browsers silently fall back to HTTP/1.1 even though http2 is enabled in the listen directive. You can read more about the problem in this article.

You can check with the command nginx -V, which prints the OpenSSL version nginx was built with (and, if different, the one it is running with). If it shows 1.0.2 or newer (CentOS 7.4 and later ship 1.0.2k), HTTP/2 works as configured.

Otherwise, the workaround is to build nginx from source against a newer OpenSSL; then your website will be served over HTTP/2.
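As an added example that is not from the original article, the following shell functions apply the nginx -V check above automatically: they read the OpenSSL version from the output, require 1.0.2 or newer (the first release with ALPN) and confirm nginx was built with --with-http_v2_module. The nginx -V samples are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the original article: decide from `nginx -V` output
# whether this nginx can really serve HTTP/2 to browsers. Browsers negotiate HTTP/2
# only through the TLS ALPN extension, which OpenSSL gained in 1.0.2, and nginx must
# also have been built with --with-http_v2_module. Assumes the standard `nginx -V`
# wording ("built with OpenSSL x.y.z ..." and, when the library was updated after the
# build, "running with OpenSSL x.y.z ...").

# Print the OpenSSL version nginx runs against, e.g. "1.0.2" (letter suffix dropped).
# Prefers the "running with" line, since that is the library actually loaded.
openssl_version_from_nginx_v() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*running with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$v" ]; then
        v=$(printf '%s\n' "$1" | sed -n 's/.*built with OpenSSL \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$v"
}

# Return 0 if a dotted version (1.0.1, 1.0.2, 1.1.1, 3.0.7) is at least 1.0.2, 1 if
# older, 2 if it is not a three-part version.
version_has_alpn() {
    case $1 in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}        # ignore any fourth component
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 0 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 2 ]; then return 0; fi
    return 1
}

# Print a verdict for a full `nginx -V` output; return 0 only when HTTP/2 will work.
http2_ready() {
    out=$1
    case $out in
        *--with-http_v2_module*) ;;
        *) echo "nginx built without --with-http_v2_module: no HTTP/2 at all"; return 1 ;;
    esac
    ver=$(openssl_version_from_nginx_v "$out")
    if [ -z "$ver" ]; then
        echo "could not find an OpenSSL version in the nginx -V output"; return 2
    fi
    if version_has_alpn "$ver"; then
        echo "OpenSSL $ver has ALPN: browsers will negotiate HTTP/2"; return 0
    fi
    echo "OpenSSL $ver predates 1.0.2 (no ALPN): browsers will fall back to HTTP/1.1"
    return 1
}

# Constructed samples modelled on `nginx -V` output; not captured from the author's server.
SAMPLE_OLD='nginx version: nginx/1.10.2
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_UPDATED='nginx version: nginx/1.12.2
built with OpenSSL 1.0.1e-fips 11 Feb 2013
running with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_NEW='nginx version: nginx/1.16.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_NOV2='nginx version: nginx/1.16.1
built with OpenSSL 1.0.2k-fips  26 Jan 2017
configure arguments: --prefix=/usr/share/nginx --with-http_ssl_module'

# Demo on the constructed samples; on a real host: http2_ready "$(nginx -V 2>&1)"
for s in "$SAMPLE_OLD" "$SAMPLE_UPDATED" "$SAMPLE_NEW" "$SAMPLE_NOV2"; do
    http2_ready "$s" || true
done
```

nginx -V writes to stderr, hence the 2>&1 in the real invocation. The "running with" line is preferred over "built with" because a yum update of openssl after nginx was packaged is exactly the CentOS 7.4 situation: the binary was built against 1.0.1e but loads 1.0.2k, and it is the loaded library that provides ALPN.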

In this article you have installed a Let’s Encrypt certificate on CentOS for NGINX.

In general, CentOS ships an old OpenSSL version, which is what causes the HTTP/2 problem described above.

About the Author: admin
