Configure Nginx with Let’s Encrypt on CentOS 8


Step 1 – Install the required software

Install the git, bc, wget, curl and socat packages with the yum command (dnf is equivalent on CentOS 8):
sudo yum install git bc wget curl socat

Step 2 – Install Let’s Encrypt client

Clone the repo:
cd /tmp/
git clone

Install the client on your system, running as root:
sudo -i ## be root user ##
./ --install

After the install you must close the current terminal and open a new one for the alias to take effect, or source your shell profile. You are already root from the previous command, and source is a shell builtin, so do not prefix it with sudo:
source ~/.bashrc
Verify the installation by printing the version number:
--version

Step 3 – Basic nginx config for http server

I am going to create a new config for the domain example.com (replace it with your actual domain name) as follows:
# vi /etc/nginx/conf.d/
Add the following server block:

# http port 80
server {
    listen 80;
    server_name example.com;
    access_log /var/log/nginx/http_example.com_access.log;
    error_log /var/log/nginx/http_example.com_error.log;
    root /usr/share/nginx/html;
}
Save and close the file. Test the nginx configuration and restart the nginx server as follows:
# nginx -t
# systemctl restart nginx.service

Step 4 – Create dhparams.pem file

Create a directory for the TLS material with the mkdir command, then generate DH parameters with the openssl command:
# mkdir -pv /etc/nginx/ssl/
# cd /etc/nginx/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096
The -dsaparam flag makes generation fast, but the resulting parameters are not safe primes; this is acceptable only because OpenSSL, as used by nginx, generates a fresh DH key for every handshake. Drop the flag if you prefer standard safe-prime parameters and can wait for the slower generation. With TLS 1.3 and the ECDHE-first cipher list configured later, the DHE suites are only a fallback for older clients.

See “how to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux” for more info.

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain. The --nginx option makes the client answer the ACME HTTP-01 challenge through the running nginx server on port 80, so the server block from Step 3 must be live and reachable from the internet; -k sets the RSA key length:
sudo --issue -d -k 2048 --nginx
## for two domains ##
sudo --issue -d -d -k 2048 --nginx
## get certs for three domains ##
sudo --issue -d -d -k 2048 --nginx
## let us get cert for domain only ##
sudo --issue -d -k 4096 --nginx

Step 6 – Configure Nginx

You just successfully requested a TLS certificate from Let's Encrypt for your CentOS 8 Linux server. It is time to configure nginx to use it. Update the config file from Step 3 as follows:
$ sudo vi /etc/nginx/conf.d/
Replace the port 80 block with the following config (the plain HTTP server now only redirects to HTTPS):

# http port 80: START config
server {
    listen 80;
    listen [::]:80;
    server_name example.com;
    access_log /var/log/nginx/http_example.com_access.log;
    error_log /var/log/nginx/http_example.com_error.log;
    root /usr/share/nginx/html;
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}
# https port 443: START config
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /usr/share/nginx/html;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/nginx/ssl/;
    ssl_certificate_key /etc/nginx/ssl/;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;
    # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # replace with the IP address of your resolver
    resolver;
    ## add other config below such as fastcgi or php and so on ##
}

Save and close the file in the vi/vim text editor. Two caveats before moving on. The HSTS header tells browsers to refuse plain HTTP for this host for two years, so any later TLS misconfiguration locks them out; if you are still experimenting, start with a short max-age such as 300 and raise it once everything works. OCSP stapling only works if the resolver named above can reach the CA's OCSP responder; once nginx has served a request or two, openssl s_client -connect example.com:443 -servername example.com -status should print an OCSP response in its output.

Step 7 – Install certificate

Install the issued cert and key into the nginx directory. The reload command is stored by the client and run again after every renewal, so nginx picks up renewed files automatically:
# --installcert -d \
--key-file /etc/nginx/ssl/ \
--fullchain-file /etc/nginx/ssl/ \
--reloadcmd 'systemctl reload nginx.service'

The private key must be readable by root only; confirm with ls -l /etc/nginx/ssl/ and fix it with chmod 600 if needed. Then make sure nginx is listening on ports 80 and 443 with the ss command or netstat command:
# ss -tulpn | grep nginx

Step 8 – Firewall configuration

Clients need to reach port 443 (HTTPS), and port 80 (HTTP) must stay open as well, both for the redirect and because the HTTP-01 challenge from Step 5 is answered there. Open both services with Firewalld and make the change permanent:
$ sudo firewall-cmd --add-service=http --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 9 – Test it

Fire up a web browser and type your domain, such as:
Then test it with the SSLlabs test site:
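To go beyond a one-off browser visit, the following script, an added example that is not part of the original article and not a command of the ACME client it describes, probes the deployed site from the outside: it checks that port 80 answers with a 301 to an https:// URL on the same host, that the negotiated protocol is TLS 1.2 or 1.3 and the chain and hostname verify, that the certificate has at least 30 days left, and that the HSTS header carries the two-year max-age from Step 6. The host name example.com, the thresholds and all function names are the example's own assumptions; the judgement functions are kept separate from the network probe so they can be exercised offline with constructed inputs.

```python
"""Post-deployment TLS checks for the nginx + Let's Encrypt setup described above.

Added example; not code from the original article or from the ACME client.
Assumptions: the site is example.com (override on the command line), port 80
redirects to HTTPS, and the 443 server sends the HSTS header from Step 6.
"""
import http.client
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

MIN_HSTS_AGE = 63072000   # two years, the value configured in Step 6
MIN_DAYS_LEFT = 30        # Let's Encrypt certs live 90 days; renewal is due at 60


def parse_hsts(value):
    """Split a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_ok(value, min_age=MIN_HSTS_AGE):
    """True when the header is present and its max-age meets the threshold."""
    age = parse_hsts(value)["max_age"]
    return age is not None and age >= min_age


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter, in the ssl module's
    format ('Feb 28 16:57:10 2020 GMT'); negative once expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expires - now_ts) // 86400)


def protocol_ok(version):
    """Only the two protocols enabled in the nginx config are acceptable."""
    return version in ("TLSv1.2", "TLSv1.3")


def redirect_ok(status, location, host):
    """A plain-HTTP request must get a 301 to https:// on the same host."""
    if status != 301 or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or "").lower() == host.lower()


def check_site(host, port_http=80, port_https=443):
    """Probe a live host (needs network). Returns {check name: passed}."""
    results = {}
    conn = http.client.HTTPConnection(host, port_http, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    results["redirect"] = redirect_ok(resp.status, resp.getheader("Location"), host)
    conn.close()

    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port_https), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            results["protocol"] = protocol_ok(tls.version())
            results["expiry"] = days_left(tls.getpeercert()["notAfter"]) >= MIN_DAYS_LEFT

    sconn = http.client.HTTPSConnection(host, port_https, context=ctx, timeout=10)
    sconn.request("GET", "/", headers={"Host": host})
    hsts = sconn.getresponse().getheader("Strict-Transport-Security") or ""
    results["hsts"] = hsts_ok(hsts)
    sconn.close()
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for name, passed in check_site(target).items():
        print(f"{name:9s} {'PASS' if passed else 'FAIL'}")
```

Run it as python3 tlscheck.py example.com from a machine outside the server's firewall. A failing expiry check a few weeks after Step 7 is the quickest sign that the cron renewal ran but the reload command did not, and a failing redirect check usually means the port 80 server block still serves content instead of the 301 from Step 6.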

Step 10 – Client commands

List all certificates:
# --list
Sample outputs:

Main_Domain  KeyLength  SAN_Domains  Created                       Renew
             "4096"     no           Mon Dec 30 16:57:10 UTC 2019  Fri Feb 28 16:57:10 UTC 2020

Renew the cert for a domain named (the client skips the renewal until the Renew date shown above unless you add --force):
# --renew -d
Note that a cron job, installed together with the client, will also try to renew the certificate for you (no action required on your part); it reruns the reload command from Step 7 so nginx picks up the new files. To see the job, run:
# crontab -l
Sample outputs:

8 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

Upgrade the client:
# --upgrade
Get help:
# --help | more


About Servercheap.NET

Since it was founded in 2015, Servercheap has always strived to provide its clients with enterprise-level performance at an unbeatable cost. Servercheap offers a wide range of customizable hybrid and virtual private server hosting services. All Servercheap clients enjoy a 99.9% uptime SLA and 24/7 rapid response support team.
At Servercheap, our core directive has always been to provide our clients with the best services and infrastructure possible, whether you’re hosting a game server, a high-intensity database, a development environment, or anything in-between.
For more information, visit
