Install Let’s Encrypt SSL on Linux with auto renew

Let’s Encrypt is a free SSL certificate provider, trusted by many individuals and organizations, and usable without restriction.

If you are using cPanel, Let’s Encrypt is installed already. In this article I will guide you step by step through installing a Let’s Encrypt certificate on CentOS.

1. Install Let’s Encrypt

First we need to install snap, a package manager similar to yum or apt-get:

yum install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap

If you previously installed certbot with yum, make sure it has been removed:

yum remove certbot

Use snap to install certbot.
Note: if snap install core fails, wait a few minutes and try again.

snap install core
snap refresh core
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot

Stop nginx, because the standalone authenticator needs port 80 to answer the validation challenge:

service nginx stop

Now obtain a certificate for a domain:

certbot certonly --standalone

* If you would rather have Certbot obtain the certificate and edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step, run this instead:

certbot --nginx

Wait a while for Certbot to install the necessary tools. Then enter your email address and press the Enter key.

Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)(Enter 'c' to cancel): duongva91@gmail.com

Accept the terms by typing a and then pressing Enter.

Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree in order to register
with the ACME server at https://acme-v01.api.letsencrypt.org/directory
(A)Agree/(C)ancel: a
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): freelancerviet.net www.freelancerviet.net

Next, enter the domain name(s) that will use the SSL certificate and press Enter. In this step enter only the non-www and www versions of one domain or subdomain. When you want to add another domain or subdomain, see the instructions below.

If there is no problem, you will see the message below:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/freelancerviet.net/fullchain.pem. Your cert will
expire on 2016-08-23. To obtain a new version of the certificate in
the future, simply run Certbot again.
- If you lose your account credentials, you can recover through
e-mails sent to duongva91@gmail.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Note two pieces of information in that output:

/etc/letsencrypt/live/freelancerviet.net/fullchain.pem : the certificate chain file (the private key, privkey.pem, is in the same directory)
2016-08-23 : the certificate expiration date (90 days from the date of installation)

2. Configure Nginx

After we have the certificate files, we edit the Nginx configuration file. For example, if my domain name is freelancerviet.net, the configuration file has the path /etc/nginx/conf.d/freelancerviet.net.conf

Create a 2048-bit DH parameters file (this only needs to be done once per VPS):

mkdir /etc/nginx/ssl/
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Open /etc/nginx/conf.d/freelancerviet.net.conf with vi:

vi /etc/nginx/conf.d/freelancerviet.net.conf

Change it to look like this:

server {
    listen 80;
    server_name freelancerviet.net www.freelancerviet.net;

    # redirect every HTTP request to HTTPS
    rewrite ^(.*) https://freelancerviet.net$1 permanent;
}

server {
    listen 443 ssl;
    server_name freelancerviet.net;
    root /home/freelancerviet.net;
    index index.php index.html index.htm;

    # SSL
    ssl_certificate /etc/letsencrypt/live/freelancerviet.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/freelancerviet.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;

    # DH parameters
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Enable HSTS
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

The lines that change are the following:

server {
listen 80;
server_name freelancerviet.net;
rewrite ^(.*) https://freelancerviet.net$1 permanent;
}

This first server block forwards all HTTP requests to HTTPS.

listen 443 ssl: the second server block listens on port 443 instead of 80.

# SSL
ssl_certificate /etc/letsencrypt/live/freelancerviet.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/freelancerviet.net/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# Improve HTTPS performance with session resumption
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

These are the parameters nginx needs for SSL: the certificate chain and private key that Let’s Encrypt issued, the allowed protocols and cipher list, session resumption settings, and the DH parameters file created above. TLSv1, TLSv1.1 and the 3DES ciphers are listed only for old clients; remove them if you do not need to support such clients.

Press ESC, then type :wq and Enter to save and quit.

Now start nginx again:

service nginx start

Now access the domain to enjoy the results.

3. Renew Let’s Encrypt certificates automatically

Open the crontab configuration file:

EDITOR=nano crontab -e

Copy and paste the line below into the editor that opens:

30 2 * * * /usr/bin/certbot renew --pre-hook "service nginx stop" --post-hook "service nginx start" >> /var/log/le-renew.log

Press Ctrl + O then Enter to save, and Ctrl + X to exit. On success you will see the following message:

crontab: installing new crontab

The crontab above runs the Let’s Encrypt renewal command at 2:30 every day; Certbot checks whether the certificate is due for renewal and renews it only when it is. Nginx is stopped before the renewal and started again immediately afterwards, so the website is barely affected.
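To confirm that the cron job is actually doing its work, the following check (an added example, not part of the original post) reports how many days the certificate in fullchain.pem has left and verifies that the certificate nginx serves on port 443 has the same SHA-256 fingerprint as the file on disk; a fresh file with a stale served certificate means the post-hook restart failed. It assumes openssl is on PATH, the /etc/letsencrypt/live/<domain>/ layout certbot creates, and that DOMAIN is a placeholder you replace with your own domain.

```python
# Added example: check that the certbot-renewed certificate is fresh and is
# the one nginx actually serves. Assumes openssl on PATH and certbot's
# /etc/letsencrypt/live/<domain>/ layout. DOMAIN is a placeholder.
import hashlib
import re
import ssl
import subprocess
import time

DOMAIN = "example.com"  # placeholder: replace with your domain
FULLCHAIN = f"/etc/letsencrypt/live/{DOMAIN}/fullchain.pem"
WARN_DAYS = 30  # certbot renew only replaces a cert with < 30 days left

def days_until_expiry(not_after, now=None):
    """Whole days until an openssl notAfter string such as 'Aug 23 00:00:00 2016 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)  # stdlib parser, treats the time as UTC
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def first_pem_cert(pem_text):
    """fullchain.pem is the leaf first, then intermediates; return the leaf block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return m.group(0)

def sha256_fingerprint(pem_cert):
    """SHA-256 of the DER encoding, the value `openssl x509 -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

def disk_not_after(path):
    """Ask openssl for the notAfter field of the certificate file on disk."""
    out = subprocess.check_output(["openssl", "x509", "-enddate", "-noout", "-in", path], text=True)
    return out.strip().split("=", 1)[1]

def main():
    with open(FULLCHAIN) as f:
        disk_leaf = first_pem_cert(f.read())
    served_leaf = ssl.get_server_certificate((DOMAIN, 443))  # what clients really get
    left = days_until_expiry(disk_not_after(FULLCHAIN))
    same = sha256_fingerprint(disk_leaf) == sha256_fingerprint(served_leaf)
    print(f"days left on disk cert: {left}; served cert matches disk: {same}")
    # A renewed file that nginx is not serving means the post-hook restart failed.
    return 0 if left > WARN_DAYS and same else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the same cron (or by hand after the 2:30 job) and alert on a non-zero exit status.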

That’s it, you can now use Let’s Encrypt safely.

Good luck!
