Sunday, September 25, 2022

How To Secure Nginx with Let’s Encrypt on CentOS 7

In this article, we want to teach you How To Secure Nginx with Let’s Encrypt on CentOS 7.

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the ISRG.

NGINX is open-source software for web serving, reverse proxying, caching, load balancing, media streaming, and more.

How To Secure Nginx with Let’s Encrypt on CentOS 7

Before you start securing Nginx with Let’s Encrypt on CentOS 7, make sure the following requirements are met.

Requirements

You need to log in as a non-root user with sudo privileges; see our article on the initial server setup with CentOS 7.

Nginx must be installed on CentOS 7. If you are not familiar with the installation, read our article “How to install Nginx on CentOS 7” first.

You need a registered domain name with DNS records for both the bare name and the www name pointing at your server. In this guide we use nginx.orcacore.net and www.nginx.orcacore.net.

When you are finished with these requirements, you can start to install the Let’s Encrypt client software.

Install the Certbot Let’s Encrypt Client on Centos 7

To install Certbot and obtain an SSL certificate, you first need to enable the EPEL repository on CentOS 7. Run the following command:

sudo yum install epel-release

Then install the “certbot-nginx” package, which provides Certbot together with its Nginx plugin:

sudo yum install certbot-nginx

If you have not installed Nginx yet, install and set it up on CentOS 7 now.

Set up Nginx on Centos 7

With the EPEL repository enabled in the previous step, you can install Nginx on CentOS 7 with the following command:

sudo yum install nginx

Then start Nginx with the command below:

sudo systemctl start nginx

Certbot needs to find the correct server block in your configuration. On a fresh Nginx installation, edit the default configuration file with the following command:

sudo vi /etc/nginx/nginx.conf

In the file, find the server_name line and replace the “_” placeholder with your domain names:

server_name nginx.orcacore.net www.nginx.orcacore.net;

Save and close the editor.

Check the syntax of your edited Nginx configuration with the following command:

sudo nginx -t

If there are no errors, reload Nginx with the following command:

sudo systemctl reload nginx

At this point, Certbot can find the correct server block and update it.

Next, update the firewall on CentOS 7 to allow HTTPS traffic.

Update the Firewall On Centos 7

If you have a firewalld firewall running on CentOS 7, make sure that ports 80 and 443 are open for incoming traffic.

If you have not installed firewalld, you can install it with the following command:

sudo yum install firewalld

Then, start the firewalld with the command below:

sudo systemctl start firewalld

Then open those ports (the http and https services) and make the change permanent with the following commands:

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

If you have an iptables firewall running, run these commands instead:

sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

At this point, you can obtain an SSL certificate from Let’s Encrypt.

How to get an SSL certificate from Let’s Encrypt

You can obtain the SSL certificate for Nginx on CentOS 7 with the command below:

sudo certbot --nginx -d nginx.orcacore.net -d www.nginx.orcacore.net

You will be asked a few questions, such as your email address and whether you agree to the terms of service; answer them to complete the installation.

Output
Congratulations! You have successfully enabled https://nginx.orcacore.net and
https://www.nginx.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/nginx.orcacore.net/fullchain.pem
  Your key file has been saved at:
 /etc/letsencrypt/live/nginx.orcacore.net/privkey.pem
  Your certificate will expire on 2021-11-23. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
  renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
 Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 Donating to EFF:                    https://eff.org/donate-le

At this point, your certificates are downloaded, installed, and loaded. Reload your website with “https://” in your web browser and you should see the lock icon in the address bar.

Update Diffie-Hellman parameters on CentOS 7

If you test your server with the SSL Labs Server Test, you will get a B grade because of weak Diffie-Hellman parameters. Update them to get an A grade. Follow these steps:

1. Create a DH parameter file with openssl on CentOS 7:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take a few minutes to complete.

2. Open the Nginx config file on Centos 7

sudo vi /etc/nginx/nginx.conf

3. Copy and paste the following line into the HTTPS server block of the Nginx config file on CentOS 7.

Note: Certbot may already have added this line. Search for it first, and paste it only if it is not there.

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Save and close the file.

4. Verify the configuration

sudo nginx -t

If there are no errors, reload Nginx:

sudo systemctl reload nginx

At this point, you will get an A grade.

(Screenshot: SSL Labs report after securing Nginx with SSL on CentOS 7)
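Step 3 above says to search the configuration for the ssl_dhparam line and paste it only if it is missing. The following script is an added example (not from the original article, and not part of Certbot or Nginx) that does exactly that check-then-insert idempotently, so it can be re-run safely from a provisioning script. It works for any TLS directive, not only ssl_dhparam, and inserts the new line right after the ssl_certificate_key line that Certbot wrote. It assumes GNU awk and grep (both present on CentOS 7); the sample server block it writes is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: idempotently add a TLS directive to the HTTPS server block
# of an Nginx config. Not the article's or Certbot's code; assumes GNU awk/grep.
set -eu

# has_directive CONF NAME : succeed if an uncommented "NAME ..." line exists
has_directive() {
    grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"
}

# ensure_directive CONF NAME VALUE : append "NAME VALUE;" after the first
# ssl_certificate_key line (written by certbot) unless NAME is already set.
# Fails (exit 1) if no ssl_certificate_key line exists, so nothing is lost.
ensure_directive() {
    local conf=$1 name=$2 value=$3 tmp
    if has_directive "$conf" "$name"; then
        return 0                      # already configured, nothing to do
    fi
    tmp=$(mktemp)
    awk -v line="    $name $value;" '
        { print }
        !done && /^[[:space:]]*ssl_certificate_key[[:space:]]/ { print line; done = 1 }
    ' "$conf" > "$tmp"
    if ! grep -Eq "^[[:space:]]*$name[[:space:]]" "$tmp"; then
        rm -f "$tmp"
        return 1                      # no anchor line found; config untouched
    fi
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# write_sample_conf PATH : constructed sample resembling what certbot --nginx leaves
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample server block (not a real server configuration)
server {
    server_name nginx.orcacore.net www.nginx.orcacore.net;
    root /usr/share/nginx/html;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/nginx.orcacore.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nginx.orcacore.net/privkey.pem;
}
EOF
}

# Demo: run with --demo to see the insertion happen once and only once.
if [ "${1:-}" = "--demo" ]; then
    demo_conf=$(mktemp)
    write_sample_conf "$demo_conf"
    ensure_directive "$demo_conf" ssl_dhparam /etc/ssl/certs/dhparam.pem
    ensure_directive "$demo_conf" ssl_dhparam /etc/ssl/certs/dhparam.pem   # no-op
    cat "$demo_conf"
    rm -f "$demo_conf"
fi
```

On a real server you would call ensure_directive /etc/nginx/nginx.conf ssl_dhparam /etc/ssl/certs/dhparam.pem and then run sudo nginx -t before reloading, exactly as in step 4; the function never touches the file when it cannot find the anchor line, so a failed run leaves the configuration as it was.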

How To Set Up Auto-Renewal of Let’s Encrypt Certificates

So far you have learned how to secure Nginx with Let’s Encrypt on CentOS 7.

Let’s Encrypt certificates are valid for 90 days, so they should be renewed automatically. Test the renewal process with the command below:

sudo certbot renew --dry-run
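The dry run only confirms that renewal would work; a practitioner also wants to know how close a certificate is to expiry and whether it is already inside the renewal window. The script below is an added example (not from the original article and not part of Certbot) that reads the notAfter date in the format openssl prints and computes the days left; by default certbot renew only renews certificates with fewer than 30 days remaining, which is the threshold renewal_due uses. It assumes GNU date (present on CentOS 7); the notAfter string in the demo is constructed to match the expiry date shown in the Certbot output above.

```shell
#!/usr/bin/env bash
# Added example: certificate expiry check in days. Not Certbot's code;
# assumes GNU date. Sample dates below are constructed for the demo.
set -eu

# days_left NOTAFTER_LINE [NOW_EPOCH] : NOTAFTER_LINE is a line like
# "notAfter=Nov 23 12:00:00 2021 GMT" as printed by "openssl x509 -enddate".
# NOW_EPOCH defaults to the current time; whole days, negative when expired.
days_left() {
    local expiry_epoch now_epoch
    expiry_epoch=$(date -u -d "${1#notAfter=}" +%s)
    now_epoch=${2:-$(date -u +%s)}
    echo $(( (expiry_epoch - now_epoch) / 86400 ))
}

# renewal_due DAYS [THRESHOLD] : exit 0 when DAYS is below THRESHOLD (default 30,
# certbot's default renewal window)
renewal_due() {
    [ "$1" -lt "${2:-30}" ]
}

# cert_days_left PEMFILE : read the expiry from a real certificate file,
# e.g. /etc/letsencrypt/live/nginx.orcacore.net/fullchain.pem
cert_days_left() {
    days_left "$(openssl x509 -in "$1" -noout -enddate)"
}

# Demo with a constructed date: pretend today is 2021-11-01 and the
# certificate expires on 2021-11-23, as in the Certbot output above.
if [ "${1:-}" = "--demo" ]; then
    now=$(date -u -d '2021-11-01 00:00:00' +%s)
    d=$(days_left 'notAfter=Nov 23 00:00:00 2021 GMT' "$now")
    if renewal_due "$d"; then
        echo "$d days left: inside the renewal window, certbot renew would renew it"
    else
        echo "$d days left: certbot renew would skip it for now"
    fi
fi
```

To make the renewal actually happen without manual work, run certbot renew from cron once or twice a day, for example 0 3 * * * /usr/bin/certbot renew --quiet --deploy-hook "systemctl reload nginx" in root’s crontab; the --deploy-hook option makes Nginx pick up the new certificate only when a renewal really took place.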

Conclusion of How to Secure Nginx with Let’s Encrypt on CentOS 7

In this article you learned how to install the Certbot Let’s Encrypt client, set up Nginx and update the firewall on CentOS 7, obtain an SSL certificate from Let’s Encrypt, and set up its auto-renewal.

Hope you enjoy this article about How to Secure Nginx with Let’s Encrypt on CentOS 7.
