Secure Nginx with Let's Encrypt on CentOS 8 - MS TV Life.COM


Let’s Encrypt is a free, automated, and open certificate authority run by the Internet Security Research Group (ISRG) that issues SSL/TLS certificates at no cost.

Certificates issued by Let’s Encrypt are trusted by all major browsers and are valid for 90 days from the issue date.

In this tutorial, we’ll give step-by-step instructions on how to install a free Let’s Encrypt SSL certificate on CentOS 8 running Nginx as a web server. We’ll also show how to configure Nginx to use the SSL certificate and enable HTTP/2.

Prerequisites #

Before you proceed, make sure you have met the following prerequisites:

  • You have a domain name pointing to your public IP. We’ll use example.com.
  • You have Nginx installed on your CentOS server.
  • Your firewall is configured to accept connections on ports 80 and 443.

Installing Certbot #

Certbot is a free command-line tool that simplifies the process of obtaining and renewing Let’s Encrypt SSL certificates and enabling HTTPS on your server.

The certbot package is not included in the standard CentOS 8 repositories, but it can be downloaded as a wrapper script (certbot-auto) from the vendor’s website. Note that the EFF has since deprecated certbot-auto in favour of the snap and pip packages; the certbot subcommands used below are the same in those packages.

Run the following wget command as root or as a user with sudo privileges to download the certbot script into the /usr/local/bin directory:

sudo wget -P /usr/local/bin https://dl.eff.org/certbot-auto

Once the download is complete, make the file executable:

sudo chmod +x /usr/local/bin/certbot-auto

Generating a Strong DH (Diffie-Hellman) Group #

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel.

Generate a new set of 2048-bit DH parameters by typing the following command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you want, you can increase the key size up to 4096 bits, but the generation may take more than 30 minutes, depending on the system entropy. These parameters are only used by the DHE-* cipher suites configured later; the ECDHE suites and TLS 1.3 do not depend on them.

Obtaining a Let’s Encrypt SSL certificate #

To obtain an SSL certificate for the domain, we’re going to use the Webroot plugin, which works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt servers make HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.

To keep things simple, we’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.

The following commands create the directory and make files created inside it group-owned by nginx, so the web server can read them (certbot, running as root, writes the challenge files; Nginx only needs to read them):

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code, create the following two snippets which will be included in all Nginx server block files:

sudo mkdir /etc/nginx/snippets
/etc/nginx/snippets/letsencrypt.conf
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}
/etc/nginx/snippets/ssl.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

The snippet above uses the cipher suites recommended by Mozilla (its “intermediate” profile), restricts the server to TLS 1.2 and 1.3, enables OCSP stapling, turns on HTTP Strict Transport Security (HSTS), and sets a few security-focused HTTP headers. Two caveats: the HSTS max-age of 63072000 seconds (two years) tells browsers to refuse plain HTTP to the domain for that long, so only enable it once everything served on the domain works over HTTPS (start with a short max-age if unsure); and the resolver directive is what Nginx uses to fetch OCSP responses, so replace the Google resolvers with a local one if your policy requires it.

Once the snippets are created, open the domain server block and include the letsencrypt.conf snippet, as shown below:

/etc/nginx/conf.d/example.com.conf
server {
  listen 80;
  server_name example.com www.example.com;

  include snippets/letsencrypt.conf;
}

Reload the Nginx configuration for changes to take effect:

sudo systemctl reload nginx
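Before running certbot it is worth confirming that the challenge path is reachable the way the validation servers will see it. The script below is an added example, not part of the original tutorial or of certbot: it drops a random token into the webroot exactly where certbot would, fetches it over plain HTTP for each domain (following redirects, as Let’s Encrypt does), and checks that the body matches the token. It assumes the /var/lib/letsencrypt webroot from above, the domains example.com and www.example.com, and that curl is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial or certbot): pre-flight check that
# Nginx serves files from the ACME challenge webroot before certbot is run.
# Assumptions: WEBROOT matches the server block, curl is installed, and the
# domains given on the command line are the ones certbot will be asked for.
set -eu

WEBROOT=${WEBROOT:-/var/lib/letsencrypt}
CHALLENGE_DIR=".well-known/acme-challenge"

# Generate a 43-character base64url token, the same shape as an ACME token.
make_token() {
    head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# Write the token as a challenge response file inside the webroot (as certbot
# would, running as root) and print the file's path.
place_challenge() {
    local webroot=$1 token=$2
    local dir="$webroot/$CHALLENGE_DIR"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch the challenge over plain HTTP the way the Let's Encrypt validators do:
# port 80, following up to 10 redirects. Prints the response body.
fetch_challenge() {
    local domain=$1 token=$2
    curl -sS -L --max-redirs 10 --max-time 15 \
        "http://$domain/$CHALLENGE_DIR/$token"
}

# 0 if the body served for the token is exactly the token.
body_matches_token() {
    local body=$1 token=$2
    [ "$body" = "$token" ]
}

# Full check for one domain; the challenge file is removed afterwards.
check_domain() {
    local domain=$1 token path body
    token=$(make_token)
    path=$(place_challenge "$WEBROOT" "$token")
    body=$(fetch_challenge "$domain" "$token" || true)
    rm -f "$path"
    if body_matches_token "$body" "$token"; then
        echo "OK   $domain serves $CHALLENGE_DIR from $WEBROOT"
    else
        echo "FAIL $domain: expected the token back, got '$(printf '%.60s' "$body")'" >&2
        return 1
    fi
}

# Usage: sudo ./acme-preflight.sh example.com www.example.com
if [ $# -gt 0 ]; then
    rc=0
    for d in "$@"; do check_domain "$d" || rc=1; done
    exit $rc
fi
```

Run it as root so it can write into the webroot; a FAIL for a domain means certbot’s HTTP-01 validation would fail for the same reason (wrong DNS, firewall, or a server block that does not include the snippet), and is far cheaper to debug than a failed issuance counted against Let’s Encrypt’s rate limits.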

Run the certbot tool with the webroot plugin to obtain the SSL certificate files for your domain:

sudo /usr/local/bin/certbot-auto certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If this is the first time you invoke certbot-auto, the script will install the missing dependencies before proceeding.

Once the SSL certificate is successfully obtained, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-03-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, you can edit your domain server block as follows:

/etc/nginx/conf.d/example.com.conf
server {
    listen 80;
    server_name www.example.com example.com;

    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    # . . . other code
}

With the configuration above we are forcing HTTPS and redirecting the www to the non-www version. Note that a server-level return is processed before any location block, so the two redirecting server blocks never answer the challenge themselves: the Let’s Encrypt validators follow the redirect chain to the example.com HTTPS block, where the location from letsencrypt.conf serves the file. Including the snippet in every block keeps renewals working if you later drop one of the redirects.

Finally, reload the Nginx service for changes to take effect:

sudo systemctl reload nginx

Now, open your website using https://, and you’ll see the padlock icon in the address bar.

If you test your domain using the SSL Labs Server Test, you’ll get an A+ grade, as shown in the image below:

[Image: SSL Labs Server Test result for example.com showing an A+ grade]
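SSL Labs is the easy way to check the result, but the same properties can be verified locally, which is useful in a deploy pipeline or on hosts that are not reachable from the internet. The script below is an added example, not part of the original tutorial: it probes the host with openssl s_client and curl and checks for what the ssl.conf snippet is meant to deliver (TLS 1.0/1.1 refused, TLS 1.2 accepted, a stapled OCSP response, HSTS with a long max-age, and the HTTP-to-HTTPS and www-to-non-www redirects). It assumes openssl and curl are installed and that the argument is the apex domain, e.g. example.com.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): local post-deployment check for the
# TLS properties configured in snippets/ssl.conf and the redirect server blocks.
# Assumptions: openssl and curl are installed; $1 is the apex domain.
set -eu

# --- parsers over command output (pure text processing) ----------------------

# 0 if an `openssl s_client` transcript shows a completed handshake.
# A refused protocol version yields "New, (NONE), Cipher is (NONE)".
handshake_ok() {
    printf '%s\n' "$1" | grep -q '^New, .*Cipher is ' &&
    ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# 0 if an `openssl s_client -status` transcript carries a stapled OCSP response.
ocsp_stapled() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Print the max-age from a Strict-Transport-Security header in a `curl -I`
# dump, or nothing if the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print the value of the Location header from a `curl -I` dump.
redirect_location() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^location:' | head -n 1 |
        sed 's/^[Ll]ocation:[[:space:]]*//'
}

# --- live probes -------------------------------------------------------------

tls_probe() {   # host, protocol flag such as -tls1_2
    openssl s_client -connect "$1:443" -servername "$1" "$2" -status \
        </dev/null 2>&1 || true
}

headers() {     # url
    curl -sI --max-time 15 "$1" || true
}

check_host() {
    local host=$1 fail=0 out age loc
    for bad in -tls1 -tls1_1; do
        out=$(tls_probe "$host" "$bad")
        if handshake_ok "$out"; then echo "FAIL $host accepts $bad"; fail=1; fi
    done
    out=$(tls_probe "$host" -tls1_2)
    handshake_ok "$out" || { echo "FAIL $host: TLS 1.2 handshake failed"; fail=1; }
    ocsp_stapled "$out" || echo "WARN $host: no stapled OCSP response (check resolver and ssl_trusted_certificate)"
    age=$(hsts_max_age "$(headers "https://$host/")")
    # SSL Labs requires HSTS with a max-age of at least six months for A+.
    [ -n "$age" ] && [ "$age" -ge 15768000 ] ||
        { echo "FAIL $host: HSTS missing or max-age below six months"; fail=1; }
    loc=$(redirect_location "$(headers "http://$host/")")
    [ "$loc" = "https://$host/" ] ||
        { echo "FAIL http://$host/ redirects to '$loc', expected https://$host/"; fail=1; }
    loc=$(redirect_location "$(headers "https://www.$host/")")
    [ "$loc" = "https://$host/" ] ||
        { echo "FAIL https://www.$host/ redirects to '$loc', expected https://$host/"; fail=1; }
    [ "$fail" -eq 0 ] && echo "OK   $host"
    return $fail
}

# Usage: ./tls-check.sh example.com
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

The parsers are split from the probes so they can be exercised on saved transcripts; on an OpenSSL 3 client, -tls1 may be refused client-side before any connection is made, which the script reports as the protocol not being accepted.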

Auto-renewing the Let’s Encrypt SSL certificate #

Let’s Encrypt certificates are valid for 90 days. To renew them automatically before they expire, create a cron job that runs twice a day; certbot renews any certificate that is within 30 days of expiration and does nothing otherwise.

Use the crontab command to create a new cron job:

sudo crontab -e

Paste the following line:

0 */12 * * * test -x /usr/local/bin/certbot-auto && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot-auto -q renew --renew-hook "systemctl reload nginx"

This is the job shipped in the certbot package’s cron file, adjusted for a per-user crontab: the root user field that the packaged version carries belongs only in /etc/cron.d entries and would be executed as a command here, and its test for the absence of /run/systemd/system, which on Debian defers to a systemd timer, would stop the job from ever running on a systemd-based CentOS 8 host where no such timer exists. The random sleep spreads renewal attempts across the hour to avoid load spikes on Let’s Encrypt’s servers, and --renew-hook (named --deploy-hook in newer certbot releases) reloads Nginx only when a certificate was actually renewed.

Save and close the file.

To test the renewal process, run the certbot renew command with the --dry-run switch, which performs the full exchange against the Let’s Encrypt staging environment without replacing your certificates:

sudo /usr/local/bin/certbot-auto renew --dry-run

If there are no errors, the test renewal was successful.
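A dry run only proves renewal works today; a cron entry that silently stops firing shows up as an expired certificate 60 days later. The script below is an added example, not part of the original tutorial or of certbot, meant to be run from a monitoring system or a second cron job: it walks every lineage under /etc/letsencrypt/live, as certbot lays them out, and exits non-zero if any certificate is within a chosen number of days of expiry. Since certbot renews at 30 days left, a certificate with fewer than about 20 days remaining means at least one renewal window was missed. It assumes openssl is installed and the live directory path used by certbot.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial or certbot): fail if any issued
# certificate is close to expiry, i.e. if automatic renewal has stopped working.
# Assumptions: certificates live under /etc/letsencrypt/live/<name>/fullchain.pem
# as certbot lays them out, and openssl is installed.
set -eu

LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}
WARN_DAYS=${WARN_DAYS:-20}   # certbot renews at 30 days; below 20 a renewal was missed

# 0 if the certificate in $1 expires within $2 days (or is already expired).
# `openssl x509 -checkend` exits 0 only if the certificate is still valid after
# the given number of seconds; an unreadable file also counts as failing.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the notAfter date of the certificate in $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Check every lineage under $1 against a $2-day threshold; print one line per
# certificate. Returns 1 if any is close to expiry, 2 if none were found.
scan_lineages() {
    local live=$1 days=$2 rc=0 cert
    for cert in "$live"/*/fullchain.pem; do
        [ -f "$cert" ] || { echo "no certificates found under $live" >&2; return 2; }
        if cert_expires_within "$cert" "$days"; then
            echo "CRITICAL $cert expires $(cert_not_after "$cert")"
            rc=1
        else
            echo "OK       $cert expires $(cert_not_after "$cert")"
        fi
    done
    return $rc
}

# Usage: sudo ./check-le-expiry.sh [live-dir] [warn-days]
if [ $# -gt 0 ]; then
    scan_lineages "$1" "${2:-$WARN_DAYS}"
fi
```

The live directory is readable only by root, so run the check as root or grant the monitoring user read access to fullchain.pem (never to privkey.pem). A CRITICAL line points at a broken renewal job, a challenge path that no longer resolves, or a rate-limit problem, all of which the dry run above will then reproduce.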

Conclusion #

In this tutorial, we’ve shown you how to use the Let’s Encrypt client, certbot, to obtain SSL certificates for your domain. We’ve also created Nginx snippets to avoid duplicating configuration and configured Nginx to use the certificates. At the end of the tutorial, we set up a cron job for automatic certificate renewal.
