Deploying a Free Let's Encrypt SSL Certificate for the Nginx Web Server on CentOS Linux

As I am running the Nginx web server on CentOS Linux, here are the steps to deploy a free Let's Encrypt SSL certificate.

Make sure that TLS SNI support is enabled on Nginx web server.

# nginx -V
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled

Now, download Certbot, an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for a web server.


# Note: --no-check-certificate disables verification of dl.eff.org's TLS
# certificate, so the downloaded script itself is not authenticated.
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n

I use certbot-auto -n just to install the certbot-auto package in non-interactive mode.

Next, run certbot-auto to obtain the certificates:

certbot-auto certonly --email [email protected] --agree-tos --webroot -w /var/www/hanneng.net -d www.hanneng.net

You will see messages like the following:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.hanneng.net/fullchain.pem. Your cert will
expire on 2017-04-01. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Now, edit the Nginx configuration file.

vi /etc/nginx/nginx.conf

Next, add these lines into

server
{
    listen 443 ssl;
    # Serve the full chain (leaf + intermediate) issued by Let's Encrypt,
    # together with the matching private key.
    ssl_certificate /etc/letsencrypt/live/www.hanneng.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.hanneng.net/privkey.pem;
    # The cipher string must be in plain ASCII double quotes; typographic
    # quotes copied from a web page are not recognised by nginx.
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
}

Last, reload Nginx so it picks up the new configuration:

/etc/init.d/nginx reload
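Before reloading, it is worth checking the TLS directives for the mistakes that are easy to make when pasting a server block like the one above. The following audit script is an added example, not part of the original post or of Certbot; the function name `audit_nginx_tls` and the finding messages are my own, and it only inspects the configuration file passed to it.

```shell
#!/bin/sh
# Added example, not from the original post: audit the TLS directives of an
# nginx config before reloading it. Usage: audit_nginx_tls /etc/nginx/nginx.conf
# Exit status: 0 = no findings, 1 = findings printed, 2 = file not readable.
audit_nginx_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "audit_nginx_tls: cannot read '$conf'" >&2; return 2; }
    findings=0

    # 1. Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or earlier (SSLv3).
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$conf")
    for p in SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in
            *" $p "*) echo "FINDING: deprecated protocol enabled: $p"; findings=1 ;;
        esac
    done

    # 2. ssl_certificate must be fullchain.pem; cert.pem alone omits the
    #    intermediate, and clients without it cannot build a trust path.
    if grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]+[^;]*/cert\.pem;' "$conf"; then
        echo "FINDING: ssl_certificate points at cert.pem; use fullchain.pem"
        findings=1
    fi

    # 3. Typographic quotes pasted from a web page are not quotes to nginx,
    #    so the cipher string is parsed as garbage.
    if grep -Eq 'ssl_ciphers.*(“|”)' "$conf"; then
        echo "FINDING: curly quotes in ssl_ciphers; replace with ASCII \""
        findings=1
    fi

    # 4. Legacy cipher families still enabled (a leading '!' excludes them).
    if grep -Eq '^[[:space:]]*ssl_ciphers[[:space:]]+.*[^!](3DES|RC4)' "$conf"; then
        echo "FINDING: legacy cipher family (3DES/RC4) enabled in ssl_ciphers"
        findings=1
    fi
    return "$findings"
}

# Gate the reload on the audit and on nginx's own syntax check:
#   audit_nginx_tls /etc/nginx/nginx.conf && nginx -t && nginx -s reload
```

Run against the server block above as written (before the quotes are fixed), it reports the two deprecated protocol versions, the curly quotes and the 3DES suites; a block using only TLSv1.2/1.3, fullchain.pem and no 3DES passes silently.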
