Let’s Encrypt is a certificate authority (CA) that provides free certificates for Transport Layer Security (TLS) encryption. It simplifies the process of creation, validation, signing, installation, and renewal of certificates by providing a software client—Certbot.
It was developed by the Internet Security Research Group (ISRG) and trusted by all major browsers. It is used to automate the process of certificate creation, validation, signing, implementation, and renewal of certificates for secure websites.
The certificate is valid for only 90 days, so you will need to renew it manually or or set up the auto renewal system,
Let’s encrypt supports automated certification issuance for Apache, Nginx, Plex, and HAproxy. We will cover nginx in this guide.
# Related Content
- How to Secure Nginx with Letsencrypt on Rocky Linux/Centos 8
- How to Secure Nginx with Letsencrypt on Ubuntu 20.04
- How to Install and Setup Nginx, WordPress and Mysql 8 in Rocky Linux/Centos 8
- How to Install Nginx and configure Virtual host in Ubuntu 20.04
# Prerequisites:
- A Rocky Linux 9 server with internet access and public IP
- A valid domain name with DNS pointed to the server
- Root access to the server
# Step 1 – Logging in to the server
Log in to the server using ssh user@server -p port
:
ssh rocky@10.2.10.10
# Step 2 – Ensure the OS packages are up to date
Update all of your packages to their latest available versions.
sudo dnf update -y
# Step 3 – Install and enable Nginx
Install Nginx
sudo dnf install -y nginx
Start and enable nginx
systemctl start nginx
systemctl enable nginx
# Step 4 – Create Nginx Configurations
For this lets create an nginx configurations. Save this in the file /etc/nginx/conf.d/site1.citizix.com.conf
:
server {
listen 80;
server_tokens off;
client_max_body_size 10M;
server_name site1.citizix.com;
access_log /var/log/nginx/site1.citizix.com/access.log;
error_log /var/log/nginx/site1.citizix.com/error.log;
ignore_invalid_headers off;
## Deny illegal Host headers
if ($host !~* ^(site1.citizix.com)$ ) {
return 444;
}
root /var/www/site1.citizix.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}
# Step 5 – Install the Certbot Client
The Certbot is a command-line tool used to simplifies the process for obtaining and renewing Let’s Encrypt SSL certificates for your website.
We will use snapd to install the required packages. You’ll need to install snapd and make sure you follow any instructions to enable classic snap support.
To install snapd in Rocky Linux 9, use the following command:
sudo dnf install epel-release
sudo dnf install snapd
Once installed, the systemd unit that manages the main snap communication socket needs to be enabled:
$ sudo systemctl enable --now snapd.socket
To enable classic snap support, enter the following to create a symbolic link between /var/lib/snapd/snap
and /snap
:
$ sudo ln -s /var/lib/snapd/snap /snap
Either log out and back in again or restart your system to ensure snap’s paths are updated correctly.
If you have any Certbot packages installed using an OS package manager, you should remove them before installing the Certbot snap to ensure that when you run the command certbot
the snap is used rather than the installation from your OS package manager.
- Run this command on the command line on the machine to install Certbot.
sudo snap install --classic certbot
Execute the following instruction on the command line on the machine to ensure that the certbot
command can be run.
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Step 6 – Enable services on firewall
If using firewalld enable http and https in firewall:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
Then reload to apply the configurations
sudo firewall-cmd --reload
You can verify with this command:
sudo firewall-cmd --permanent --list-all
# Step 7 – Obtaining a Certificate
Stop nginx:
sudo systemctl stop nginx
Run this command to get a certificate and have Certbot edit your nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
If you’re feeling more conservative and would like to make the changes to your nginx configuration by hand, run this command.
sudo certbot certonly --nginx
This is the command I run in my system:
sudo certbot certonly --nginx --non-interactive --agree-tos --email admin@citizix.com -d site1.citizix.com
Output
# sudo certbot --nginx --non-interactive --agree-tos --email admin@citizix.com -d site1.citizix.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Requesting a certificate for site1.citizix.com
Performing the following challenges:
http-01 challenge for site1.citizix.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site1.citizix.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site1.citizix.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://site1.citizix.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/site1.citizix.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/site1.citizix.com/privkey.pem
Your certificate will expire on 2021-11-05. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Start nginx:
sudo systemctl start nginx
Updated Nginx config to redirect all traffic to https:
server {
server_tokens off;
client_max_body_size 10M;
server_name site1.citizix.com;
access_log /var/log/nginx/site1.citizix.com/access.log;
error_log /var/log/nginx/site1.citizix.com/error.log;
ignore_invalid_headers off;
## Deny illegal Host headers
if ($host !~* ^(site1.citizix.com)$ ) {
return 444;
}
root /var/www/site1.citizix.com;
location / {
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/site1.citizix.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/site1.citizix.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = site1.citizix.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name site1.citizix.com;
return 404; # managed by Certbot
}
# Conclusion
In this guide we learnt how to secure an Nginx virtual host with Letsencrypt ssl.