Setup Https ssl with letsencrypt in centos 7 server.

2 months ago

Letsencrypt is a free https ssl software. However setting it up is a bit of challenge if you are not a pro with linux server. In this post I will guilde you how to setup with some tips and fix some common error along with way.

Always use none www and www version together if not it will coz err not secure. red collor one

This is not work.

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7

thanks for this: https://letsencrypt.org/

Update. This one work.

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

Once the repository has been enabled, you can obtain the certbot-nginx package by typing:

sudo yum install certbot-nginx

Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct serverblock in your config. It does this by looking for a server_name directive that matches the domain you're requesting a certificate for. If you're staring out with a fresh Nginx install, you can update the default config file:

sudo nano /etc/nginx/nginx.conf

Find the existing server_name line:

Replace the _ underscore with your domain name:

/etc/nginx/nginx.conf

server_name example.com www.example.com;

 

server {
	listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  xxx.com www.xxx.com;
    

Save the file and quit your editor. Verify the syntax of your configuration edits with:

sudo nginx -t
//result
nginx: [warn] conflicting server name "xxx.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.xxx.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If that runs with no errors, reload Nginx to load the new configuration:

sudo systemctl reload nginx

Certbot will now be able to find the correct server block and update it. Now we'll update our firewall to allow HTTPS traffic.

Step 3 — Updating the Firewall

If you have a firewall enabled, make sure port 80 and 443 are open to incoming traffic. If you are not running a firewall, you can skip ahead.

If you have a firewalld firewall running, you can open these ports by typing: 

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If have an iptables firewall running, the commands you need to run are highly dependent on your current rule set. For a basic rule set, you can add HTTP and HTTPS access by typing:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

We're now ready to run Certbot and fetch our certificates.

Step 4 — Obtaining a Certificate

Certbot provides a variety of ways to obtain SSL certificates, through various plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary:

sudo certbot --nginx -d example.com -d www.example.com
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
// Choose 2
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/datesend.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/datesend.com/privkey.pem
   Your cert will expire on 2017-12-27. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.

If that's successful, certbot will ask how you'd like to configure your HTTPS settings:

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser's security indicator. It should represent that the site is properly secured, usually with a green lock icon.

Step 5 — Updating Diffie-Hellman Parameters

If you test your server using the SSL Labs Server Test now, it will only get a B grade due to weak Diffie-Hellman parameters. This effects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.

Create the file using openssl:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take a while, up to a few minutes. When it's done, open up the Nginx config file that contains your server block. In our example, it's the default config file:

sudo nano /etc/nginx/nginx.conf

Past the following line anywhere within the server block:

. . .
ssl_dhparam /etc/ssl/certs/dhparam.pem;
server {
	listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  xxx.com www.xxx.com;
       #i add this line for ssl
       ssl_dhparam /etc/ssl/certs/dhparam.pem;

Save the file and quit your editor, then verify the configuration:

sudo nginx -t

If you have no errors, reload Nginx:

sudo systemctl reload nginx

Your site is now more secure, and should receive an A rating.

Step 6 — Setting Up Auto Renewal

Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. We'll need to set up a regularly run command to check for expiring certificates and renew them automatically.

To run the renewal check daily, we will use cron, a standard system service for running periodic jobs. We tell cron what to do by opening and editing a file called a crontab.

sudo crontab -e

Your text editor will open the default crontab which is an empty text file at this point. Paste in the following line, then save and close it:

15 3 * * * /usr/bin/certbot renew --quiet

The 15 3 * * * part of this line means "run the following command at 3:15 am, every day". You may choose any time.

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. --quiet tells Certbot not to output information or wait for user input.

cron will now run this command daily. All installed certificates will be automatically renewed and reloaded when they have thirty days or less before they expire.