Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) encryption at no charge. It launched on April 12, 2016.
Let's Encrypt certificates are valid for 90 days, during which renewal can take place at any time. The offer is accompanied by an automated process designed to overcome manual creation, validation, signing, installation, and renewal of certificates for secure websites. The project claims its goal is to make encrypted connections to World Wide Web servers ubiquitous.[6] By eliminating payment, web server configuration, validation email management and certificate renewal tasks, it is meant to significantly lower the complexity of setting up and maintaining TLS encryption.[1]
Prerequisite
- Linux server with nginx installed (ports 80 and 443 should be open to the public)
- There should be a DNS entry for your site.
- The "git" and "wget" packages should be installed on your server.
In this example I am using CentOS 8
Step 01: Install Prerequisite
Install git and wget
yum install git wget
Step 02: Install NGINX
Download the nginx RPM from the official nginx site, based on your operating system, and install it.
NGINX Official Site: https://nginx.org/packages/
Install the nginx RPM
rpm -ivh nginx-1.18.0-2.el8.ngx.x86_64.rpm
Enable the nginx service and start it
systemctl enable nginx
systemctl start nginx
Now try to access your site using its host name.
Clone the "letsencrypt" repository from GitHub
git clone https://github.com/letsencrypt/letsencrypt
./letsencrypt-auto certonly --webroot --webroot-path /usr/share/nginx/html/ --email <your-email-address> -d <your-site-name>
Finally you will get an output like this.
Create a new .conf file and add the content below.
server {
    listen 443 ssl;
    server_name <Your-Site-Name>;
    ssl_certificate /etc/letsencrypt/live/<Your-Site-Name>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<Your-Site-Name>/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
    # HSTS
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    access_log /var/log/nginx/<Your-Site-Name>-access main;
    error_log /var/log/nginx/<Your-Site-Name>-error warn;
    location / {
        root /usr/share/nginx/html;
    }
    location /.well-known/acme-challenge/ {
        root /usr/share/nginx/html;
    }
}
server {
    listen 80;
    server_name <Your-Site-Name>;
    rewrite ^ https://<Your-Site-Name>$request_uri? permanent;
}
Include the new .conf file in nginx.conf.
Now test the nginx configuration by typing the command below.
nginx -t
Now restart the nginx service
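As an added check (example code, not part of the original post), the following Python lint parses the two server blocks above, reconstructed inline with example.invalid standing in for <Your-Site-Name>, and flags the settings this setup depends on: the certificate path being fullchain.pem (cert.pem has no intermediate chain), no TLSv1/TLSv1.1, the HSTS header, and the port 80 redirect.

```python
import re
# Constructed sample: the guide's two server blocks, hostname example.invalid as placeholder.
SAMPLE_CONF = """server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_certificate /etc/letsencrypt/live/example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.invalid/privkey.pem;
    ssl_protocols TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
server {
    listen 80;
    server_name example.invalid;
    rewrite ^ https://example.invalid$request_uri? permanent;
}"""
# Split on semicolons outside double quotes, so the ';' in the HSTS value is kept.
STMT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_servers(conf):
    """Split config into server blocks, each a list of (directive, value) pairs."""
    servers = []
    for body in re.split(r"\bserver\s*\{", conf)[1:]:
        stmts = [s.split() for line in body.splitlines()
                 for s in STMT_SPLIT.split(line.split("#", 1)[0])]  # comments stripped
        servers.append([(w[0], " ".join(w[1:])) for w in stmts if w and w[0] not in "{}"])
    return servers

def lint_tls_config(conf):
    """Return findings for the settings the guide relies on; [] means clean."""
    findings = []
    servers = parse_servers(conf)
    tls = [s for s in servers if any(n == "listen" and "443" in v and "ssl" in v for n, v in s)]
    if not tls:
        findings.append("no server block listens on 443 ssl")
    for s in tls:
        d = dict(s)
        if not d.get("ssl_certificate", "").endswith("fullchain.pem"):  # cert.pem lacks the chain
            findings.append("ssl_certificate is not fullchain.pem: " + d.get("ssl_certificate", "none"))
        # if the directive is absent, nginx 1.18 also enables TLSv1 and TLSv1.1
        weak = set(d.get("ssl_protocols", "TLSv1 TLSv1.1 TLSv1.2").split()) & WEAK_PROTOCOLS
        if weak:
            findings.append("weak ssl_protocols enabled: " + " ".join(sorted(weak)))
        if not any(n == "add_header" and v.startswith("Strict-Transport-Security") for n, v in s):
            findings.append("no Strict-Transport-Security (HSTS) header")
    if not any(n in ("rewrite", "return") and "https://" in v
               for s in servers if s not in tls for n, v in s):
        findings.append("no plain-HTTP server block redirects to https")
    return findings
```

Run `lint_tls_config(open("/etc/nginx/conf.d/<Your-Site-Name>.conf").read())` against your own file; an empty list means all four checks passed.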
Check your site with SSL Shopper and SSL Labs to verify it further.
Sslshopper: https://www.sslshopper.com/ssl-checker.html
Ssllabs : https://www.ssllabs.com/ssltest/
Since a Let's Encrypt certificate is only valid for 3 months, we have to schedule a job to renew it. You can add these two lines to the crontab.
00 00 * * * /root/letsencrypt/certbot-auto renew
00 01 * * * /bin/systemctl reload nginx