In this guide, we will explain how to secure Nginx with Let's Encrypt on CentOS 7.

Deploying your cloud server
If you have not already registered with Cloudwafer, you should begin by signing up. Take a moment to create an account, after which you can easily deploy your own cloud servers.

Once you have signed up, log into your Cloudwafer Client Area and deploy your Cloudwafer cloud server.

Prerequisites

  • This tutorial uses a registered domain name for which the certificate will be issued. If you do not already have a registered domain name, you can register one with Cloudwafer.
  • Let's Encrypt validates that you control the domain it is issuing a certificate for, so a DNS A record that points your domain to the public IP address of your server is required. This guide uses labs.cloudwaferlabs.com.ng and www.labs.cloudwaferlabs.com.ng as the domain names, so both DNS records are required.

Step 1: Install Nginx
If you don't have the Nginx web server installed, issue the commands below to install it on your CentOS 7 server. First, enable access to the EPEL repository, which provides additional packages for CentOS, by typing:

sudo yum install epel-release -y

Next, issue the command below to install Nginx:

sudo yum install nginx


Upon completion, start and enable Nginx by issuing the command below:

sudo systemctl start nginx
sudo systemctl enable nginx


You can check the status of Nginx by issuing the command below:

sudo systemctl status nginx


Step 2: Install the Certbot Let's Encrypt Client
Next, we are going to install certbot-nginx, which is the Let's Encrypt client software required for Nginx on our CentOS 7 server.

Once the EPEL repository from Step 1 has been enabled, you can obtain the certbot-nginx package by typing:

sudo yum install certbot-nginx -y


Step 3: Obtaining a Certificate
The command below runs certbot with the --nginx plugin, using -d to specify the domain names that we want the certificate to be valid for.

To obtain a certificate, issue the command below, replacing labs.cloudwaferlabs.com.ng with the name of your domain:

sudo certbot --nginx -d labs.cloudwaferlabs.com.ng -d www.labs.cloudwaferlabs.com.ng

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms and conditions.


Certbot will then ask how you want to configure the HTTPS settings for your domain.

Step 4: Setting Up Auto Renewal
Let's Encrypt certificates are only valid for ninety days, so we are going to set up a command that checks for expiring certificates and renews them automatically using cron. The cron job will run at 4:30 AM every day, check all certificates installed on the system, and renew any that are set to expire in less than thirty days. Open the root crontab with the first command below, then add the schedule line that follows it:

sudo crontab -e

30 4 * * * /usr/bin/certbot renew --quiet
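
Because the cron job runs with --quiet, a renewal that keeps failing produces no visible output until the certificate expires. The script below is an added example, not part of the original guide, that uses openssl's -checkend test to flag any certificate already inside the thirty-day renewal window. The function names and the self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a certificate has entered certbot's 30-day
# renewal window, which means the nightly "certbot renew" is not succeeding.
# On the server the live certificate is normally found at
# /etc/letsencrypt/live/<your-domain>/fullchain.pem (certbot's default layout).

RENEW_WINDOW_DAYS=30

# Exit status 0 if the certificate in $1 expires within $2 days (default 30).
# An unreadable or malformed file also returns 0, so it is flagged too.
cert_needs_renewal() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    # -checkend N succeeds only if the cert is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print a one-line status suitable for a monitoring cron job or log.
report_cert() {
    if cert_needs_renewal "$1"; then
        echo "WARN $1 is inside the renewal window ($(openssl x509 -in "$1" -noout -enddate 2>/dev/null))"
    else
        echo "OK   $1 ($(openssl x509 -in "$1" -noout -enddate))"
    fi
}

# Constructed sample input: a throwaway self-signed certificate valid for $1 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=sample.invalid" -keyout "$2.key" -out "$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert 90 "$demo_dir/fresh.pem"   # like a newly issued certificate
make_sample_cert 10 "$demo_dir/stale.pem"   # like one whose renewal has been failing
report_cert "$demo_dir/fresh.pem"
report_cert "$demo_dir/stale.pem"
```

On a real server, call report_cert on the live fullchain.pem for your domain from a separate cron entry that does mail or log its output.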