Let's Encrypt lets you obtain and install TLS/SSL certificates for free in a fully automated process.
In this guide, you will learn how to install a certificate from Let's Encrypt on CentOS 7 / AlmaLinux 8 with Nginx running as the web server.
CentOS 7 reached end of life on June 30, 2024:
https://blog.centos.org/2023/04/end-dates-are-coming-for-centos-stream-8-and-centos-linux-7/
Because of this, you may run into repository issues, and the system no longer receives security updates. We recommend reinstalling with an OS that has not yet reached EOL.
If you are still using CentOS 7 and encounter a mirror issue, please check out this guide to resolve the problem.
Before enabling the Let's Encrypt certificate, make sure you have NGINX installed on your server. To install it, you can check our guide: How to install Nginx. This guide is suitable for AlmaLinux 8 too.
This step is for AlmaLinux 8 only. Skip this step if you are configuring Nginx on CentOS 7.
Run the following command to install updated GPG keys on AlmaLinux 8:
rpm --import https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux
Make sure the EPEL repository is installed, since Certbot is shipped there:
yum install epel-release
After that, install Certbot together with its NGINX plugin. On CentOS 7 run this command:
yum install certbot-nginx
On AlmaLinux 8 enter the following command:
dnf install certbot python3-certbot-nginx
Open the NGINX configuration file:
vi /etc/nginx/nginx.conf
Find the line server_name _;
and replace the underscore with your domain as shown in the example (change "yourdomain.ltd" to your actual domain). Certbot uses this server_name to locate the server block it will add the certificate to:
server_name yourdomain.ltd www.yourdomain.ltd;
Save the file and exit (press "Esc", then type :wq and press "Enter").
Now test the configuration syntax:
nginx -t
If the test reports that the syntax is ok and the test is successful, reload NGINX:
systemctl reload nginx
Before requesting the certificate, make sure ports 80 and 443 are open on your firewall. Let's Encrypt validates ownership of the domain by connecting to port 80 (HTTP-01 challenge), so it must be reachable from the internet, not only from your network.
To open these ports with iptables, run the following commands (note that rules added this way are not persistent across a reboot unless you save them, for example with the iptables-services package on CentOS 7):
iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
If you are using firewalld, run these commands:
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --runtime-to-permanent
To issue the certificate, run the following command (change "yourdomain.ltd" to your domain). The --nginx plugin both obtains the certificate and edits your server block to enable HTTPS:
certbot --nginx -d yourdomain.ltd -d www.yourdomain.ltd
While enabling the certificate, you will be prompted to enter an email address (used for expiry and security notices), agree to the Terms of Service (mandatory), and agree or decline to share your email address with the Electronic Frontier Foundation (optional).
Let's Encrypt certificates are valid for 90 days. To renew manually, run:
certbot renew
To test that renewal will succeed without actually issuing a new certificate (it uses the Let's Encrypt staging environment), add --dry-run:
certbot renew --dry-run
However, it is much more convenient to configure automatic renewal. First check whether the package already installed a systemd timer for this (systemctl list-timers); if it did not, create a crontab entry for root:
crontab -e
Enter this line into the crontab. Note that a user crontab opened with crontab -e has no user field; the "root" column only belongs in /etc/crontab or files under /etc/cron.d:
0 */12 * * * /usr/bin/certbot renew --quiet
Save changes and exit (press "Esc", type :wq and press "Enter").
This job runs at minute 0 of every 12th hour, i.e. twice a day, and checks whether any certificate is less than 30 days from expiry. If so, it is renewed automatically, and the nginx plugin reloads NGINX so the new certificate is served. --quiet suppresses output unless an error occurs, so failures still reach you through cron's mail.
To check whether the certificate was installed successfully, list the live directory Certbot created for your domain:
ls /etc/letsencrypt/live/yourdomain.ltd/
If the certificate was installed successfully, you will see this output:
README cert.pem chain.pem fullchain.pem privkey.pem
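The renewal rule above (renew when fewer than 30 days remain) and the files in /etc/letsencrypt/live can be checked by hand with openssl. The script below is an added example, not part of the original guide or of Certbot: it parses the notAfter line printed by openssl x509 -enddate, computes the days left against a reference time, and reports whether Certbot would renew. The domain name, the /etc/letsencrypt/live path and the use of GNU date -d are assumptions; running the live check requires read access to fullchain.pem (root).

```shell
#!/bin/sh
# Added example (not from the guide or Certbot): reproduce Certbot's
# "renew when fewer than 30 days remain" rule against a certificate on disk.
set -eu

RENEW_THRESHOLD_DAYS=30

# Turn a line such as "notAfter=Mar  1 12:00:00 2030 GMT" (as printed by
# `openssl x509 -noout -enddate`) into a Unix epoch. Assumes GNU date.
not_after_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Whole days between the reference epoch ($2) and the notAfter line ($1).
days_left() {
    echo $(( ( $(not_after_epoch "$1") - $2 ) / 86400 ))
}

# Exit status 0 when Certbot would renew (fewer than 30 days left), else 1.
renewal_due() {
    [ "$1" -lt "$RENEW_THRESHOLD_DAYS" ]
}

# Read the deployed certificate for a domain and print the verdict.
# The path is the one Certbot uses; the default domain is an assumption.
check_live_cert() {
    domain="${1:-yourdomain.ltd}"
    pem="/etc/letsencrypt/live/${domain}/fullchain.pem"
    line=$(openssl x509 -in "$pem" -noout -enddate)
    days=$(days_left "$line" "$(date +%s)")
    if renewal_due "$days"; then
        echo "${domain}: ${days} days left, renewal due"
    else
        echo "${domain}: ${days} days left, no renewal needed yet"
    fi
}

# Only touch the live directory when a certificate is actually there, so the
# functions above can also be exercised on a machine without Certbot.
if [ -r "/etc/letsencrypt/live/${1:-yourdomain.ltd}/fullchain.pem" ]; then
    check_live_cert "${1:-yourdomain.ltd}"
fi
```

Run it as root with the domain as the only argument (sh check-cert.sh yourdomain.ltd). A certificate that reports "renewal due" while the cron job or timer is in place means renewal is failing, and `certbot renew --dry-run` is the next thing to run.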
Alternatively, open your website in a browser, click the padlock icon in the address bar, and you should see the certificate details for your domain, issued by Let's Encrypt.