Let's Encrypt with Nginx on CentOS 6.5 or 7

What is Let’s Encrypt?
Improving your website's security through encryption, even on the most basic servers, can increase your visitors' trust in your site and your ability to run it. Setting up encryption on a web host has traditionally been complicated and expensive, which often deters administrators whose web applications do not obviously depend on user input. Let's Encrypt aims to change this by making encryption easy to deploy on any website: it is a free, open Certificate Authority that lets you obtain and install certificates with simple, automated commands.

Let's Encrypt is a new Certificate Authority whose certificates are cross-signed by IdenTrust, which allows its end-entity certificates to be accepted by all major browsers. This guide outlines the steps for installing the certbot client, version 0.11.1, and how to use it to manage certificates on your CentOS 7 server running Nginx.

In this blog post, I will demonstrate how to use the certbot-auto Let's Encrypt client to obtain a free TLS/SSL certificate and use it with Nginx on CentOS 7. The tutorial also explains how to renew the certificate automatically. If you are running a different web server, follow that server's documentation to learn how to use the certificate with your setup.

Prerequisite
Before following this tutorial, you’ll need a few things.

You must own and control the domain you want a certificate for, and it must be a fully qualified domain name (FQDN).
A DNS A record must point that domain to the public IP address of your server. This is required because of how Let's Encrypt validates that you control the domain it is issuing a certificate for: for example, to obtain a certificate for example.com, that name must resolve to your server for the validation process to work. Our setup uses domain.com and www.domain.com as the domain names, so A records are required for both.

Let's start the installation.

Step 1. First, enable the EPEL repository on your system, make sure the system is up to date, and install Nginx and OpenSSL:
sudo yum -y install epel-release && sudo yum -y update && sudo yum -y install nginx openssl

Now install the certbot package from EPEL:
sudo yum -y install certbot

If yum cannot download the package, use one of the two methods below instead: download the certbot-auto client script from the EFF's official software site, or clone the client from GitHub, into the /usr/local/sbin directory. Either way the script must be executable (chmod a+x) and is run as ./certbot-auto (or ./letsencrypt-auto, the older name of the same script) from the directory it lives in.

Method 1:
Blackhats-Pro:~ root# cd /usr/local/sbin
Blackhats-Pro:~ root# sudo wget

Method 2:
Blackhats-Pro:~ root# git clone
Blackhats-Pro:~ root# cd letsencrypt
Blackhats-Pro:~ root# ./letsencrypt-auto


Now let's create the certificates.
There are several ways to obtain a certificate from Let's Encrypt, through different authenticator plugins. This guide uses the webroot plugin: it proves control of each domain by placing a challenge file under the web root that Nginx already serves, so Nginx must be running and reachable on port 80 for every name you request. With certonly the client only obtains the certificate; installing it into Nginx is done by hand in the next section. Change to the directory where you downloaded certbot-auto and run:
Blackhats-Pro:~ root# ./certbot-auto certonly --webroot -w /var/www/domain.com -d domain.com -d www.domain.com
or
Blackhats-Pro:~ root# ./letsencrypt-auto certonly --webroot -w /var/www/domain.com -d domain.com -d www.domain.com

Domain names are given with the -d option, and -w is the web root Nginx serves for those names (the client writes its challenge files under /var/www/domain.com/.well-known/acme-challenge/, so that path must be reachable over plain HTTP). If you want a single certificate to cover several names (e.g. domain.com and www.domain.com), include all of them, starting with the base domain (e.g. domain.com): the first name becomes the certificate's common name and the name of its directory under /etc/letsencrypt/live/.

Note:  The certbot-auto software requires superuser privileges, so you will be required to enter your password if you haven’t used sudo recently.

When certbot-auto (or letsencrypt-auto) initializes, you will be prompted for some information: an e-mail address used for expiry notices and account recovery, and agreement to the subscriber terms. The exact prompts vary depending on whether you have used the client before. Provide the information and select Agree at the end.
The output will look like this:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to [email protected]
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/domain.com/fullchain.pem. Your
cert will expire on 2016-03-15. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:
Donating to EFF:

If certbot-auto fails with a Python error during its bootstrap, clear the PYTHON_INSTALL_LAYOUT variable and run the certbot command again:
Blackhats-Pro:~ root# unset PYTHON_INSTALL_LAYOUT
Note the path and expiry date from the output.
Firewall note: if you receive an error like "Failed to connect to host for DVSNI challenge", or the webroot challenge times out, your server's firewall must allow inbound TCP on ports 80 and 443 from the Internet. The validation request comes from Let's Encrypt's servers, not from your own network, so a test from localhost proves nothing. With firewalld (CentOS 7):
Blackhats-Pro:~ root# sudo firewall-cmd --add-service=http
Blackhats-Pro:~ root# sudo firewall-cmd --add-service=https
Blackhats-Pro:~ root# sudo firewall-cmd --runtime-to-permanent
Or, if you manage iptables rules directly (CentOS 6, or CentOS 7 with iptables-services):
Blackhats-Pro:~ root# sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Blackhats-Pro:~ root# sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Rules inserted this way are lost at reboot unless you save them (sudo service iptables save).
Certificate files: after obtaining the certificate, you will have the following PEM-encoded files under /etc/letsencrypt/live/domain.com/:
cert.pem: your domain's certificate (the end-entity certificate only)
chain.pem: the Let's Encrypt intermediate (chain) certificate
fullchain.pem: cert.pem and chain.pem combined
privkey.pem: your certificate's private key; it must stay readable by root only
The entries under live/ are symlinks to versioned copies in /etc/letsencrypt/archive/, so these paths stay the same across renewals and are the ones to reference from Nginx. You can check that the files exist by running this command (substituting your domain name):
Blackhats-Pro:~ root# sudo ls -l /etc/letsencrypt/live/your_domain_name
The output should list the four files above. In a moment, you will configure your web server to use fullchain.pem as the certificate file and privkey.pem as the certificate key file.
Generate a Strong Diffie-Hellman Group
To further increase security, generate a strong Diffie-Hellman group for the DHE cipher suites (2048 bits is the minimum worth using today):
Blackhats-Pro:~ root# sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This can take several minutes on a small server, so please be patient. The parameters are public, so /etc/ssl/certs is an acceptable location.
Let's Configure TLS/SSL on the Web Server (Nginx)
Now configure Nginx to use the certificate. Edit the file that contains your server block. On CentOS the stock Nginx package loads /etc/nginx/conf.d/*.conf (sites-available and sites-enabled are a Debian convention), so the file will typically be:
Blackhats-Pro:~ root# sudo nano /etc/nginx/conf.d/domain.conf
Find the server block. Comment out or delete the lines that configure this server block to listen on port 80. In the default configuration, these two lines (or similar) should be deleted:

Nginx configuration deletions
listen 80 default_server;
listen [::]:80 default_server ipv6only=on;
We are going to configure this server block to listen on port 443 with SSL enabled instead. Within your server { block, add the following lines, replacing every instance of domain.com with your own domain. The additions are split into three parts to make them easier to digest.
Nginx configuration additions — 1 of 3
listen 443 ssl;
server_name domain.com www.domain.com;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
This enables TLS for the server block and points it at the Let's Encrypt certificate and key obtained earlier (fullchain.pem rather than cert.pem, so that clients also receive the intermediate certificate).
To allow only modern TLS versions and strong ciphers, and to use the Diffie-Hellman group generated earlier, add the following lines to the same server block (the ssl_certificate lines are already there from part 1; do not add them twice, as older Nginx versions reject a duplicate directive). TLS 1.0 and 1.1 are deprecated, so only TLS 1.2 is enabled here; add TLSv1.3 if your Nginx and OpenSSL build supports it. OCSP stapling also needs a resolver directive so Nginx can look up the OCSP responder, and the HSTS header commits browsers to HTTPS for six months, so add it only once the whole site works over TLS.
Nginx configuration additions — 2 of 3
ssl_protocols TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

Lastly, outside of the original server block (that is listening on HTTPS, port 443), add this server block to redirect HTTP (port 80) to HTTPS.
Nginx configuration additions — 3 of 3
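The redirect block itself is missing from this copy of the page. The configuration below is an added example, not the page's own block, that combines the three parts above with the port-80 server into one file. It assumes the page's placeholders (domain.com, www.domain.com, the web root /var/www/domain.com, the DH parameters at /etc/ssl/certs/dhparam.pem) and a DNS resolver at 127.0.0.1 for OCSP lookups; adjust those to your host. It goes slightly beyond the page in two places: the port-80 server answers ACME challenges under /.well-known/acme-challenge/ itself instead of redirecting them, so webroot renewals keep working after the site becomes HTTPS-only, and TLS session tickets are disabled because Nginx keeps a single ticket key until it is restarted, which weakens forward secrecy.

```nginx
# /etc/nginx/conf.d/domain.com.conf
# Added example, not the page's own block. Placeholders follow the page
# (domain.com, www.domain.com, web root /var/www/domain.com, /etc/ssl/certs/dhparam.pem).

# Port 80: answer ACME http-01 challenges locally, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;            # drop this line if the host has no IPv6
    server_name domain.com www.domain.com;

    # certbot-auto --webroot -w /var/www/domain.com writes its challenge files here;
    # serving them directly keeps renewals working once the site is HTTPS-only.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/domain.com;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the TLS server block (parts 1 and 2 above, with the hardening noted there).
server {
    listen 443 ssl;
    listen [::]:443 ssl;       # drop this line if the host has no IPv6
    server_name domain.com www.domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    ssl_protocols TLSv1.2;     # add TLSv1.3 when the Nginx/OpenSSL build supports it
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;   # one ticket key until restart would weaken forward secrecy

    # OCSP stapling: chain.pem lets Nginx verify the stapled response, and a resolver
    # is required to look up the OCSP responder. 127.0.0.1 is an assumption; use the
    # nameserver from /etc/resolv.conf.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
    resolver 127.0.0.1 valid=300s;

    # "always" sends HSTS on error responses too. Add includeSubDomains only when
    # every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=15768000" always;

    root /var/www/domain.com;
    index index.html;
}
```

Check it with sudo nginx -t before reloading. After the reload, openssl s_client -connect domain.com:443 -servername domain.com -status shows whether an OCSP response is actually being stapled; if it is not, the resolver line is the usual culprit.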
Save and exit.
Test the configuration file for syntax errors by typing:
Blackhats-Pro:~ root# sudo nginx -t

Once you have verified that there are no syntax errors, put the changes into effect by restarting Nginx:
Blackhats-Pro:~ root# sudo service nginx restart
(On CentOS 7 this is equivalent to sudo systemctl restart nginx.) The Let's Encrypt TLS/SSL certificate is now in place. At this point, test that it works by visiting your domain via HTTPS in a web browser.
You can also use the Qualys SSL Labs test to see how your server configuration scores: run it against your domain in a web browser. With the settings above it should report an A+ rating.

Renewing Certificates
The great thing about this process is that it is easy to schedule. Once everything is working, you can simply run the client again when the certificates are close to expiring; it generates new ones and updates the symlinks under /etc/letsencrypt/live/, so the paths in your Nginx configuration stay valid. Once the new certificates have been generated, reload Nginx so it picks them up, and you're done.

You can also set up automatic renewal.

Let's Encrypt certificates are valid for 90 days, but it is recommended to renew them every 60 days to leave a margin for error. The client does not schedule renewals for you, but the renew subcommand of certbot-auto renews every certificate it manages that is due, and it is safe to run from cron.
To trigger the renewal process for all installed domains, run:
Blackhats-Pro:~ root# certbot-auto renew

Because we only just installed the certificate, the command will only check the expiry date and print a message saying the certificate is not due for renewal yet. The output should look similar to this:
Output:
Checking for new version...
Requesting root privileges to run letsencrypt...
  /home/user/.local/share/letsencrypt/bin/letsencrypt renew
Processing /etc/letsencrypt/renewal/domain.com.conf

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/domain.com/fullchain.pem (skipped)
No renewals were attempted.

Note that if you created a bundled certificate with multiple domains, only the base domain name is shown in the output, but the renewal covers all domains included in that certificate.

A practical way to ensure your certificates never expire is to create a cron job that periodically runs the renewal command for you. Since renew first checks the expiry date and only renews a certificate that is less than 30 days from expiry, it is safe to run the job every week or even every day.
Let's edit the crontab to create a job that runs the renewal command every week. To edit the crontab for the root user, run:
Blackhats-Pro:~ root# sudo crontab -e
Add the following crontab entries:
30 2 * * 1 /usr/local/sbin/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
Save and exit. This creates two cron jobs: the first runs certbot-auto renew every Monday at 2:30 am, appending its output to /var/log/le-renew.log, and the second reloads Nginx at 2:35 am so a renewed certificate is actually used. /etc/init.d/nginx does not exist on CentOS 7, so use systemctl reload nginx there, or /usr/sbin/nginx -s reload, which works on both releases. The reload happens whether or not anything was renewed; with certbot 0.7 or later you can instead pass --renew-hook "service nginx reload" to certbot-auto renew, which reloads only after a successful renewal, and certbot-auto renew --dry-run exercises the whole renewal path against the staging environment without issuing real certificates.
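The crontab above reloads Nginx whether or not anything was renewed, and nothing on the page tells you when renewal has been failing for weeks. The script below is an added example, not part of the original page or of certbot: it verifies the files described under Certificate files (the private key matches fullchain.pem and cert.pem chains through chain.pem to a trusted root) and then reports how long the certificate on disk is still valid, exiting non-zero when fewer than a threshold of days remain. The path /etc/letsencrypt/live/domain.com and the 20-day default threshold are assumptions, as is the le-check.sh file name; served_cert_days() additionally inspects the certificate Nginx is actually serving, which catches a certificate that was renewed on disk but never reloaded.

```shell
#!/bin/sh
# le-check.sh: verify a Let's Encrypt lineage under /etc/letsencrypt/live/<domain>
# and exit non-zero when the certificate is close to expiry, the usual symptom of
# "certbot-auto renew" failing quietly for weeks.
# Added example, not part of the page or of certbot. The live directory path and
# the 20-day default threshold are assumptions; adjust them for your host.

# SHA-256 of the SubjectPublicKeyInfo in a certificate ($1=cert) or a private
# key ($1=key), so the two can be compared without handling the key material.
pubkey_fingerprint() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# 0 if the private key $2 matches the leaf (first) certificate in $1, 1 if not,
# 2 if either file cannot be parsed.
cert_matches_key() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    openssl pkey -in "$2" -noout >/dev/null 2>&1 || return 2
    [ "$(pubkey_fingerprint cert "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# 0 if cert.pem in lineage directory $1 chains through chain.pem (the intermediate)
# to a trusted root. Roots come from the system trust store unless an explicit
# CA file is given in $2.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" -untrusted "$1/chain.pem" "$1/cert.pem"
    else
        openssl verify -untrusted "$1/chain.pem" "$1/cert.pem"
    fi >/dev/null 2>&1
}

# 0 if the certificate in $1 expires within $2 days (-checkend takes seconds and
# succeeds only when the certificate is still valid at that point).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Whole days until notAfter of the certificate in $1, for the report (GNU date).
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ($(date -d "$end" +%s) - $(date +%s)) / 86400 ))
}

# Days left on the certificate Nginx actually serves for host $1 (TCP 443 with SNI);
# differs from the on-disk value when a renewed certificate was never reloaded.
served_cert_days() {
    tmp=$(mktemp) || return 2
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null
    days_until_expiry "$tmp"
    rm -f "$tmp"
}

# Check one lineage directory ($1) against a threshold in days ($2, default 20),
# optionally with an explicit trust anchor file ($3). Prints one OK/FAIL line per
# check and returns 1 if any check failed.
check_lineage() {
    dir=$1; threshold=${2:-20}; status=0

    if cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "OK   privkey.pem matches the certificate in fullchain.pem"
    else
        echo "FAIL privkey.pem does not match fullchain.pem (or a file is unreadable)"
        status=1
    fi

    if chain_verifies "$dir" "$3"; then
        echo "OK   cert.pem chains through chain.pem to a trusted root"
    else
        echo "FAIL cert.pem does not verify against chain.pem"
        status=1
    fi

    if cert_expires_within "$dir/cert.pem" "$threshold"; then
        echo "FAIL cert.pem expires in $(days_until_expiry "$dir/cert.pem") day(s); renewal is overdue"
        status=1
    else
        echo "OK   cert.pem expires in $(days_until_expiry "$dir/cert.pem") day(s)"
    fi
    return $status
}

# Usage: le-check.sh /etc/letsencrypt/live/domain.com [threshold-days] [ca-file]
if [ $# -gt 0 ]; then
    check_lineage "$1" "${2:-20}" "$3"
    exit $?
fi
```

Cron mails the output of any job that prints something, so a line such as 40 2 * * 1 /usr/local/sbin/le-check.sh /etc/letsencrypt/live/domain.com | grep FAIL, placed after the renewal job, sends mail only when a check fails. Twenty days is chosen because certbot renews at thirty days before expiry, so anything below that means renewal has already been failing for more than a week.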

There is a lot more to learn; keep your mind busy and help others.
