Configure Nginx with Let’s Encrypt on CentOS 8


Step 1 – Install the required software

Install the git, bc, wget, curl and socat packages with the yum command:
sudo yum install git bc wget curl socat

Step 2 – Install acme.sh Let’s Encrypt client

Clone the repo:
cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git


To install the acme.sh client on your system, run:
cd acme.sh/
sudo -i ## be root user ##
./acme.sh --install


After the install, you must close the current terminal and reopen it for the alias to take effect, or simply run the following source command in the root shell (source is a shell builtin, so it cannot be run through sudo):
source ~/.bashrc
Verify installation by printing version number:
acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.4

Step 3 – Basic nginx config for http server

I am going to create a new config for domain named example.com (feel free to replace example.com with your actual domain name) as follows:
# vi /etc/nginx/conf.d/example.com.conf
Append the following code:

## http port 80 ##
server {
    listen 80;
    server_name example.com;
    access_log /var/log/nginx/http_example.com_access.log;
    error_log /var/log/nginx/http_example.com_error.log;
    root /usr/share/nginx/html;
}

Save and close the file. Test the nginx configuration and restart the nginx server as follows:
# nginx -t
# systemctl restart nginx.service

Step 4 – Create dhparams.pem file

Create a directory for the certificate files with the mkdir command, then generate the DH parameters with the openssl command:
# mkdir -pv /etc/nginx/ssl/example.com/
# cd /etc/nginx/ssl/example.com/
# openssl dhparam -out dhparams.pem -dsaparam 4096

See “how to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux” for more info.

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain (the --nginx mode uses the port 80 server block from Step 3 to answer the HTTP-01 validation, so nginx must be running and reachable on port 80):
## single domain, 2048-bit RSA key ##
sudo acme.sh --issue -d example.com -k 2048 --nginx
## two domains (example.com and www.example.com in one certificate) ##
sudo acme.sh --issue -d example.com -d www.example.com -k 2048 --nginx
## single domain, 4096-bit RSA key ##
sudo acme.sh --issue -d example.com -k 4096 --nginx

Step 6 – Configure Nginx

You just successfully requested an SSL certificate from Let’s Encrypt for your CentOS 8 Linux server. It is time to configure nginx to use it. Update the config from Step 3 as follows:
$ sudo vi /etc/nginx/conf.d/example.com.conf
Replace the port 80 server block with the following config (the port 80 block now only redirects to HTTPS, and the new port 443 block serves the site over TLS):

## http port 80: START http://example.com/ config ##
server {
    listen 80;
    listen [::]:80;
    access_log /var/log/nginx/http_example.com_access.log;
    error_log /var/log/nginx/http_example.com_error.log;
    server_name example.com;
    root /usr/share/nginx/html;
    #
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    #
    return 301 https://$host$request_uri;
}
## https port 443: START https://example.com/ config ##
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /usr/share/nginx/html;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/example.com/example.com.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/example.com/dhparams.pem;
    #
    # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
    #
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
    ## add other config below such as fastcgi or php and so on ##
}
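As an added check that is not part of the original tutorial, the following Python script audits a port-443 server block against the settings used above: legacy protocols, session tickets, HSTS max-age and the always flag, OCSP stapling with a resolver, and the key and dhparam file references. The two configs embedded in it are constructed samples, one matching this page's block and one deliberately weak.

```python
import re

# Constructed samples: a block following this page's port-443 config, and a weak variant.
HARDENED = """server {
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/example.com/example.com.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/example.com/dhparams.pem;
    ssl_protocols TLSv1.2 TLSv1.3;  # no legacy protocols
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8;
}"""
WEAK = """server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/example.com/example.com.cer;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=300";
}"""


def directives(block):
    """Map each directive name to a list of argument lists; comments and braces are ignored."""
    found = {}
    for stmt in re.sub(r"#[^\n]*", "", block).split(";"):
        parts = stmt.replace("{", " ").replace("}", " ").split()
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def audit_tls(block):
    """Return findings for a port-443 server block; an empty list means it matches the page's profile."""
    d = directives(block)
    findings = []
    protos = {p for args in d.get("ssl_protocols", []) for p in args}
    legacy = sorted(protos & {"SSLv3", "TLSv1", "TLSv1.1"})
    if not protos or legacy:
        findings.append("ssl_protocols: allow only TLSv1.2 TLSv1.3, found legacy %s" % legacy)
    if d.get("ssl_session_tickets", [["on"]])[-1] != ["off"]:
        findings.append("ssl_session_tickets: set to off (the default ticket key lives until nginx restarts)")
    hsts = [a for a in d.get("add_header", []) if a[:1] == ["Strict-Transport-Security"]]
    age = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if not age or int(age.group(1)) < 31536000 or "always" not in hsts[-1]:
        findings.append("Strict-Transport-Security: need max-age >= 31536000 and the 'always' flag")
    if d.get("ssl_stapling", [["off"]])[-1] != ["on"] or "resolver" not in d:
        findings.append("ssl_stapling: turn on (with ssl_stapling_verify on) and set a resolver")
    if "ssl_certificate_key" not in d or "ssl_dhparam" not in d:
        findings.append("ssl_certificate_key/ssl_dhparam: the files from steps 4 and 7 must both be referenced")
    return findings
```

Run it against the block you actually deployed by reading /etc/nginx/conf.d/example.com.conf and passing the port-443 server block to audit_tls().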

Save and close the file in the vi/vim text editor. Do not run nginx -t or reload nginx yet: the certificate and key files referenced in the port 443 block are created in the next step, and nginx refuses a config that points at missing files.

Step 7 – Install certificate

Install the issued cert to nginx server:
# acme.sh --installcert -d example.com \
--key-file /etc/nginx/ssl/example.com/example.com.key \
--fullchain-file /etc/nginx/ssl/example.com/example.com.cer \
--reloadcmd 'systemctl reload nginx.service'


Make sure nginx is now listening on ports 80 and 443 with the ss command or netstat command:
# ss -tulpn

Step 8 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect to it. Port 80 must already be reachable for the HTTP-01 validation in Step 5 and for the redirect; if it is not, add the http service too. Update the Firewalld rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 9 – Test it

Fire up a web browser and type your domain, such as:
https://example.com
Test it with the SSL Labs test site:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Step 10 – acme.sh commands

List all certificates:
# acme.sh --list
Sample outputs:

Main_Domain            KeyLength  SAN_Domains  Created                       Renew
example.com  "4096"     no           Mon Dec 30 16:57:10 UTC 2019  Fri Feb 28 16:57:10 UTC 2020

Renew a cert for domain named example.com:
# acme.sh --renew -d example.com
Please note that a cron job will also try to renew the certificate for you. It is installed by default as follows (no action required on your part). To see the job, run:
# crontab -l
Sample outputs:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Upgrade acme.sh client:
# acme.sh --upgrade
Getting help:
# acme.sh --help | more



About Servercheap.NET

Since it was founded in 2015, Servercheap has always strived to provide its clients with enterprise-level performance at an unbeatable cost. Servercheap offers a wide range of customizable hybrid and virtual private server hosting services. All Servercheap clients enjoy a 99.9% uptime SLA and 24/7 rapid response support team.
At Servercheap, our core directive has always been to provide our clients with the best services and infrastructure possible, whether you’re hosting a game server, a high-intensity database, a development environment, or anything in-between.
For more information, visit https://www.servercheap.net
