[CentOS 7/AlmaLinux 8] Implementing Let's Encrypt for NGINX
Introduction
Let's Encrypt facilitates the installation of TLS/SSL certificates through a free and fully automated process. This guide covers the steps to install a Let's Encrypt certificate on CentOS 7 or AlmaLinux 8 with NGINX as your web server.
Preparation
Ensure NGINX is installed on your server before proceeding with the Let's Encrypt setup. For installation instructions, refer to our guide on installing NGINX, which also applies to AlmaLinux 8.
Step for AlmaLinux 8 Only: Import the Repository GPG Key
Skip this step if configuring NGINX on CentOS 7.
To install the updated GPG keys on AlmaLinux 8, execute:
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
1. Installing Certbot
First, ensure the EPEL repository is installed:
yum install epel-release
Next, install Certbot. On CentOS 7, run:
yum install certbot-nginx
For AlmaLinux 8, use:
dnf install certbot python3-certbot-nginx
2. Modifying NGINX Configuration
Edit the NGINX configuration file:
Locate the line server_name _;
and replace the underscore with your domain name, as shown below (substitute "yourdomain.ltd" with your actual domain):
server_name yourdomain.ltd www.yourdomain.ltd;
Save and exit the file (press Esc, type :wq, and press Enter).
Verify the changes with:
nginx -t
Then reload NGINX:
systemctl reload nginx
3. Opening Ports 80 and 443
Ensure that ports 80 and 443 are open on your firewall. Certbot's --nginx plugin validates the domain over plain HTTP (the HTTP-01 challenge), so port 80 must be reachable from the internet even if the site later redirects all traffic to HTTPS.
To open these ports using iptables, run:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Rules inserted this way live only in memory; to keep them across reboots, save them (on CentOS 7 with the iptables-services package, service iptables save).
For firewalld, execute:
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
4. Obtaining the Certificate
Request a certificate with the following command (replace "yourdomain.ltd" with your actual domain):
certbot --nginx -d yourdomain.ltd -d www.yourdomain.ltd
You will be prompted to enter an email address, agree to the Terms of Service, and decide whether to share your email with the Electronic Frontier Foundation (optional).
5. Renewing the Certificate
Let's Encrypt certificates are valid for 90 days. To test the renewal process manually (this performs a trial run against the Let's Encrypt staging environment and does not replace the installed certificate), run:
certbot renew --dry-run
For automatic renewal, set up a cron job:
crontab -e
Add the following line to the crontab (user crontabs have no user-name column; that form is only used in /etc/crontab):
0 */12 * * * /usr/bin/certbot renew >/dev/null 2>&1
Save and exit (press Esc, type :wq, and press Enter).
This entry runs certbot renew twice daily (at minute 0 of every twelfth hour). Certbot only replaces certificates that are within 30 days of expiration and, because the certificate was issued with the --nginx plugin, reloads NGINX after a renewal so the new certificate is served.
6. Verifying the SSL Certificate
To verify the SSL installation, run:
ls /etc/letsencrypt/live/yourdomain.ltd/
A successful installation will display:
README cert.pem chain.pem fullchain.pem privkey.pem
Alternatively, you can open your website, click on the padlock icon in the address bar, and view the certificate details for confirmation.
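As an added check that complements the directory listing above (example code written for this guide, not part of Certbot), the following POSIX shell functions read the expiry date out of the cert.pem that Certbot wrote and apply the same 30-day renewal threshold the cron job relies on. They assume the openssl command line and GNU date, both present on CentOS 7 and AlmaLinux 8.

```shell
#!/bin/sh
# Added example: report how many days of validity remain on a certificate
# and decide whether it falls inside Certbot's default 30-day renewal window.
# Assumes the openssl CLI and GNU date (as shipped on CentOS 7 / AlmaLinux 8).

# Print the number of whole days until the PEM certificate in $1 expires.
days_until_expiry() {
    cert="$1"
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2025 GMT"; strip the prefix
    end=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Succeed (exit status 0) when the certificate is within 30 days of expiry,
# which is the point at which "certbot renew" would replace it.
needs_renewal() {
    days=$(days_until_expiry "$1")
    [ "$days" -le 30 ]
}

# Usage against the live directory this guide creates:
#   days_until_expiry /etc/letsencrypt/live/yourdomain.ltd/cert.pem
#   needs_renewal /etc/letsencrypt/live/yourdomain.ltd/cert.pem && echo "renew soon"
```

A freshly issued certificate should report roughly 89 days; a value at or below 30 on a live server means the cron job is not renewing and should be investigated.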