What is LetsEncrypt?
Let’s Encrypt is a certificate Authority that launched in 2016 providing free TSL SSL certificates that renew every 90 days. There are several validation methods for LetsEncrypt to verify the domain you are generating the certificate for is one you actually control. In this guide we will be utilizing the webroot method.
This guide assumes you already have a Nginx Server. If you do not have one setup, please check out Compile Nginx From Source On CentOS. This method of setting up LetsEncrypt will work on CentOS 6 & CentOS 7.
Setup LetsEncrypt
Get the LetsEncrypt certbot script:
wget -o /usr/local/sbin/certbot-auto https://dl.eff.org/certbot-auto
Make It Executable:
chmod a+x /usr/local/sbin/certbot-auto
After that you will want to generate the certificate for your domain by using the following command
/usr/local/sbin/certbot-auto certonly --webroot --webroot-path=/etc/nginx/html -d domain.com -d www.domain.com
Replacing /etc/nginx/html with the path to your document root and each domain you would like to include in the certificate with a -d
If this is the first time you are running certbot, it will prompt you to agree to the terms of service.
If the document root is correct along with the domains it will output a congratulations message and the certificate will be stored in
/etc/letsencrypt/live/domain.com
Replacing domain.com with the first domain you added to the certificate.
How To Setup Nginx to Use The LetsEncrypt SSL
First make sure nginx is compiled with SSL support by typing
nginx -V
It should return the configuration options and it should contain
--with-http_ssl_module
If it does not, you will need to recompile Nginx with SSL support. After you have confirmed SSL support in nginx you can proceed with setting up the SSL configuration in Nginx
Edit your Nginx Configuration. You will want to duplicate the current domain configuration but set listen to 443, ssl on, and include the certificate files. Here is an example:
server {
listen 443;
ssl on;
server_name domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
root /etc/nginx/html;
}
Make sure to replace domain.com with the domain you configured with LetsEncrypt. Once you have finished that, you can go ahead an restart Nginx.
Configure LetsEncrypt To Auto-Renew
Now that you have fully configured the domain on SSL. You will want to setup a crontab to ensure the certificate renews every 90 days. To do this you will want to add the following crontab entry
00 3 * * * /usr/local/sbin/certbot-auto renew --quiet --renew-hook "/usr/sbin/service nginx restart"
That is it for configuring nginx to use LetsEncrypt for free SSL on your site.