Let’s Encrypt is a free SSL certificate provider, trusted by many individuals and organizations, that issues certificates free of charge and without limitation.
If you are using cPanel, Let’s Encrypt is already installed. In this article I will guide you step by step through installing a Let’s Encrypt certificate on CentOS.
1. Install Let’s Encrypt
First we need to install snap, a package manager like yum or apt-get:
yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
If you installed certbot before with yum, make sure it has been removed first:
yum remove certbot
Use snap to install certbot.
Note: if the "snap install core" step fails with an error, wait a few minutes and try again.
snap install core
snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Stop nginx:
service nginx stop
Now use certbot to obtain a certificate for a domain:
certbot certonly --standalone
* If you want certificates for all your domains, run the command below instead. It obtains the certificate and has Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step:
certbot --nginx
Wait a while for Let’s Encrypt to install the necessary tools. Then enter your email address and press the Enter key.
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)(Enter 'c' to cancel): duongva91@gmail.com
Accept the terms by typing a and then pressing Enter.
Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register
with the ACME server at https://acme-v01.api.letsencrypt.org/directory
(A)Agree/(C)ancel: a
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): freelancerviet.net www.freelancerviet.net
Next, enter the domain name(s) that will use the SSL certificate and press Enter. In this step, enter only the non-www and www versions of one domain or subdomain. When you want to add another domain or subdomain, see the instructions below.
If there is no problem you will see the message below:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/freelancerviet.net/fullchain.pem. Your cert will expire on 2016-08-23. To obtain a new version of the certificate in the future, simply run Certbot again.
- If you lose your account credentials, you can recover through e-mails sent to duongva91@gmail.com.
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
Note two pieces of information in this output:
/etc/letsencrypt/live/freelancerviet.net/fullchain.pem : the certificate file; the directory /etc/letsencrypt/live/freelancerviet.net/ contains all the certificate files
2016-08-23 : the certificate expiration date (90 days from the date of installation)
2. Configure Nginx
After we have the certificate files, we edit the Nginx configuration file. For example, if my domain name is freelancerviet.net, the configuration file has the path /etc/nginx/conf.d/freelancerviet.net.conf
Create a 2048-bit DH parameters file (this only needs to be done once per VPS):
mkdir -p /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Modify /etc/nginx/conf.d/freelancerviet.net.conf with the vi command:
vi /etc/nginx/conf.d/freelancerviet.net.conf
Modify it like this:
server {
    listen 80;
    server_name freelancerviet.net www.freelancerviet.net;
    rewrite ^(.*) https://freelancerviet.net$1 permanent;
}
server {
    listen 443 ssl;
    server_name freelancerviet.net;
    root /home/freelancerviet.net;
    index index.php index.html index.htm;

    # SSL
    ssl_certificate /etc/letsencrypt/live/freelancerviet.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/freelancerviet.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # DH parameters
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Enable HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
The changed lines are:
– The first server block:
server {
    listen 80;
    server_name freelancerviet.net;
    rewrite ^(.*) https://freelancerviet.net$1 permanent;
}
This forwards all HTTP requests to HTTPS.
– listen 443:
Change the listen port to 443.
– # SSL
ssl_certificate /etc/letsencrypt/live/freelancerviet.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/freelancerviet.net/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
These are the parameters SSL needs.
Press ESC, then type :wq to save.
Now start nginx again:
service nginx start
Now access the domain to enjoy the results.
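The configuration above works, but some of its settings are now considered weak: TLSv1 and TLSv1.1 are deprecated (RFC 8996), 3DES suites are affected by Sweet32, and RSA+... suites use RSA key exchange and so have no forward secrecy. As an added example that is not part of the original article, this script audits the ssl_* directives of a server block for those settings; the directive names are real nginx directives, and both config snippets (the article's and a hardened variant) are constructed for the example.

```shell
# Added example: lint the ssl_* directives of an nginx config read on stdin.
# Prints one WARN line per weak setting and a final RESULT line with the count.
audit_nginx_ssl() {
    conf=$(cat)
    count=0
    protocols=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*/\1/p')
    for proto in SSLv3 TLSv1 TLSv1.1; do
        # pad with spaces so that TLSv1 does not also match TLSv1.2
        if printf ' %s ' "$protocols" | grep -qF " $proto "; then
            echo "WARN: ssl_protocols enables deprecated $proto"
            count=$((count + 1))
        fi
    done
    old_ifs=$IFS; IFS=:
    for suite in $ciphers; do
        case $suite in
            *3DES*) echo "WARN: ssl_ciphers allows 3DES ($suite), Sweet32"; count=$((count + 1)) ;;
            RSA+*|*kRSA*) echo "WARN: ssl_ciphers allows RSA key exchange ($suite), no forward secrecy"; count=$((count + 1)) ;;
        esac
    done
    IFS=$old_ifs
    if ! printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security'; then
        echo "WARN: no HSTS header"; count=$((count + 1))
    fi
    echo "RESULT: $count weak setting(s)"
}

# constructed: the SSL lines from the article's freelancerviet.net.conf
ARTICLE_CONF='
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    add_header Strict-Transport-Security "max-age=31536000" always;
'
# constructed: the same lines with only TLS 1.2/1.3 and forward-secret AEAD suites
HARDENED_CONF='
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20;
    add_header Strict-Transport-Security "max-age=31536000" always;
'
printf '%s\n' "$ARTICLE_CONF" | audit_nginx_ssl    # RESULT: 6 weak setting(s)
printf '%s\n' "$HARDENED_CONF" | audit_nginx_ssl   # RESULT: 0 weak setting(s)
```

To audit the real file, run: audit_nginx_ssl < /etc/nginx/conf.d/freelancerviet.net.conf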
3. Let’s Encrypt automatic renewal
Open the crontab configuration file:
EDITOR=nano crontab -e
Copy and paste the line below into the crontab editor:
30 2 * * * /usr/bin/certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/le-renew.log
Press Ctrl + O, then Enter to save, and Ctrl + X to exit. You should see the following message confirming success:
crontab: installing new crontab
The above crontab runs the Let’s Encrypt renewal command at 2:30 every day; certbot checks whether the certificate needs renewing and renews it if so. Nginx is stopped before the renewal and started again immediately afterwards, so the effect on the website is minimal.
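The cron job only protects the site if it actually succeeds, so it is worth checking the live certificate's remaining lifetime after the first renewals are due. As an added example that is not part of the original article, this script computes the days left from the notAfter date of /etc/letsencrypt/live/<domain>/fullchain.pem (the path used above); certbot renews when fewer than 30 days remain, so a lower count after the 2:30 job has run means renewal is broken. It assumes GNU date with -d (as on CentOS), and the sample notAfter line is constructed from the article's 2016-08-23 expiry.

```shell
# Added example: report how many days the certificate certbot issued has left.

# days_left ENDDATE NOW_EPOCH: ENDDATE is the "notAfter=..." line printed by
# openssl x509 -enddate; prints the whole days between NOW_EPOCH and expiry.
days_left() {
    end_date=${1#notAfter=}
    now=$2
    end_epoch=$(date -u -d "$end_date" +%s) || return 1
    echo $(( (end_epoch - now) / 86400 ))
}

# check_live_cert DOMAIN [THRESHOLD_DAYS]: reads the live certificate and
# alerts when it is below the threshold certbot itself uses (30 days).
check_live_cert() {
    cert=/etc/letsencrypt/live/$1/fullchain.pem
    threshold=${2:-30}
    enddate=$(openssl x509 -noout -enddate -in "$cert") || return 2
    left=$(days_left "$enddate" "$(date +%s)") || return 2
    if [ "$left" -lt "$threshold" ]; then
        echo "ALERT: $1 expires in $left days; check /var/log/le-renew.log"
        return 1
    fi
    echo "OK: $1 has $left days left"
}

# constructed sample: the article's certificate, checked on its issue date
SAMPLE_ENDDATE='notAfter=Aug 23 12:00:00 2016 GMT'
SAMPLE_NOW=$(date -u -d '2016-05-25 12:00:00' +%s)
days_left "$SAMPLE_ENDDATE" "$SAMPLE_NOW"   # 90

# on the server itself, run for the real domain:
# check_live_cert freelancerviet.net
```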
That’s it, you can safely use Let’s Encrypt already.
Good luck!