Secure NGiNX with Let’s Encrypt SSL on CentOS 7
Just another tutorial from Tufora where we will show you how to secure NGiNX with Let’s Encrypt SSL on CentOS 7. As you are well aware, NGiNX is a very powerful piece of software that can be used for various applications and workloads: as an HTTP server, reverse proxy, load balancer and nowadays even as a router for containers, a pretty good portfolio we would say. In this tutorial we will focus on securing an NGiNX deployment with an SSL certificate issued by Let’s Encrypt (letsencrypt) using the certbot utility on a CentOS 7 server.
Table of contents
Package installation
Generate Diffie–Hellman Exchange Key
Generate letsencrypt SSL certificate with certbot
NGiNX SSL Configuration
Package installation
Our first step in order to secure NGiNX with a Let’s Encrypt SSL certificate is to make sure that all the packages and dependencies we need are installed on our CentOS 7 system. So please open a new terminal window, connect to the server where NGiNX is installed if you have not done that already, and let’s start by installing the epel-release repository as shown in the example below, using the yum package manager:
$ yum install epel-release
Once the epel-release installation is completed we have to install a few more packages, openssl, openssl-devel, certbot and also certbot-nginx, using once again the CentOS package manager yum:
$ yum install openssl openssl-devel certbot certbot-nginx
These are all the packages we need for securing NGiNX with letsencrypt, so we can now move on to the next step, where we actually generate the SSL certificate for NGiNX.
Generate Diffie–Hellman Exchange Key
In this step we generate the Diffie–Hellman–Merkle (DHM) key exchange parameters via the CLI, using just the openssl utility we installed previously, as shown in the example below:
$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
You may generate even stronger parameters than 2048 bits, for example 4096 bits, but in this tutorial we will use a 2048-bit group, which is strong enough for most setups.
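As an added example (not code from the Tufora tutorial) of what the command above actually produces and what the bit count means, here is a Python script that reads a dhparam.pem file with a small DER parser, reports the size of the prime and whether it is a safe prime of at least 2048 bits, and runs one Diffie–Hellman exchange over the group. The parameter file it builds in memory uses a constructed 10-bit toy prime so the script runs offline; the format, the checks and the arithmetic are the same for a real 2048-bit file, which you can feed in by reading /etc/ssl/certs/dhparam.pem.

```python
"""Inspect an OpenSSL dhparam.pem and check the group it carries.

Added example, not code from the Tufora tutorial. The file written by
`openssl dhparam -out dhparam.pem 2048` is PEM-wrapped DER of
    DHParameter ::= SEQUENCE { prime INTEGER, generator INTEGER }
so a tiny DER reader is enough to read p and g, confirm the prime is the
size the tutorial recommends (and a safe prime, as `openssl dhparam -check`
verifies), and run the exchange the parameters serve. The sample below is
constructed from a 10-bit toy prime so it runs instantly; it is for
illustration only and must never be installed on a server.
"""
import base64
import secrets

MIN_BITS = 2048  # the tutorial's recommended minimum group size
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin witnesses


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(value: int) -> bytes:
    """DER INTEGER (tag 0x02); the +8 keeps a 0x00 pad byte when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value bytes, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the real length
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def build_dhparams_pem(p: int, g: int) -> str:
    """Encode (p, g) the way `openssl dhparam` writes them (PKCS#3 PEM)."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def parse_dhparams(pem: str) -> tuple[int, int]:
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM string."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    tag_p, p_raw, pos = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two DER INTEGERs (prime, generator)")
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (deterministic below 3.3e24, probabilistic above)."""
    if n < 2:
        return False
    for q in _BASES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def audit_dhparams(pem: str) -> dict:
    """Summarise the group: size, whether it meets MIN_BITS, and whether p is a safe prime."""
    p, g = parse_dhparams(pem)
    return {
        "bits": p.bit_length(),
        "meets_minimum": p.bit_length() >= MIN_BITS,
        "safe_prime": is_probable_prime(p) and is_probable_prime((p - 1) // 2),
        "generator": g,
    }


def dh_exchange(p: int, g: int) -> tuple[int, int]:
    """Run one ephemeral exchange over the group; both returned secrets must agree."""
    a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1  # private exponents in [1, p-2]
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)  # the values each side sends in the clear
    return pow(pub_b, a, p), pow(pub_a, b, p)   # the shared secret each side derives


# Constructed sample: 1019 is a safe prime ((1019-1)/2 = 509 is prime), far too small for real use.
SAMPLE_PEM = build_dhparams_pem(1019, 2)

if __name__ == "__main__":
    print(audit_dhparams(SAMPLE_PEM))            # bits 10, meets_minimum False, safe_prime True
    print(dh_exchange(*parse_dhparams(SAMPLE_PEM)))
```

To check the file the tutorial generates, call audit_dhparams(open("/etc/ssl/certs/dhparam.pem").read()): expect bits of exactly 2048 and both meets_minimum and safe_prime True. The safe-prime test takes a moment on a real file because Miller-Rabin runs on both p and (p-1)/2.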
Generate letsencrypt SSL certificate with certbot
So far we have managed to install all required packages and generate the DHM exchange parameters; now we have to generate a Let’s Encrypt (letsencrypt) SSL certificate for our NGiNX server. In this example we have to secure a domain name called dummy-domain.com, so we will invoke the certbot utility like this:
$ certbot --nginx -d dummy-domain.com -d www.dummy-domain.com
As you can notice, certbot is able to issue the SSL certificate for both domain variants, www and non-www.
NGiNX SSL Configuration
Now that we have generated our Let’s Encrypt SSL certificate using the certbot utility and the DH exchange parameters (dhparam.pem) using openssl, all we have to do is amend our NGiNX configuration, either by editing the nginx.conf file directly or by editing the custom .conf file for our website:
server {
    #
    # Ref: Tufora.com
    #
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # the certificate issued above covers both names, so serve both here
    server_name dummy-domain.com www.dummy-domain.com;
    # "ssl on;" is deprecated since nginx 1.15.0: the "ssl" parameter on the
    # listen directives above already enables TLS for this server block
    # certificate and key as placed under /etc/nginx/ssl in this tutorial
    # (certbot's own default location is /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem)
    ssl_certificate /etc/nginx/ssl/dummy-domain.com.pem;
    ssl_certificate_key /etc/nginx/ssl/dummy-domain.com.key;
    # DH parameters generated with openssl dhparam above
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    #
    # Add your own configuration below this line
    #
    ...
}
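To check a server block like the one above before reloading nginx, here is an added example (not code from the Tufora tutorial): a small nginx configuration reader in Python that extracts the directives of each server{} block and flags the points a reviewer would raise: a missing listen 443 ssl, the deprecated ssl on directive, a missing ssl_certificate, ssl_certificate_key or ssl_dhparam, a server_name that does not cover every name the certificate was issued for, and an ssl_protocols line that is absent or enables legacy versions. The two sample configs embedded at the bottom are constructed for the demonstration (one mirrors the tutorial's block as first written, the other a hardened variant); the paths in them are the tutorial's placeholders.

```python
"""Lint an NGiNX server{} block for the TLS directives this tutorial relies on.

Added example, not code from the Tufora tutorial: a minimal nginx config
reader plus the checks a reviewer would run over a server block before
reloading nginx. The sample configs at the bottom are constructed for this
demonstration; their file paths are the tutorial's placeholders.
"""
import re

REQUIRED = ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(conf: str) -> list[dict[str, list[list[str]]]]:
    """Return one {directive: [arg lists]} dict per server{} block, in file order.

    Comments are stripped first; nested blocks (location, if) keep their own
    directives, so only directives directly inside server{} are reported.
    """
    text = re.sub(r"#[^\n]*", "", conf)
    blocks, stack, pending = [], [], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":                       # block opens: its name is the pending text
            words = pending.split()
            stack.append((words[0] if words else "", {}))
            pending = ""
        elif tok == "}":                     # block closes: keep it if it was a server block
            name, directives = stack.pop()
            if name == "server":
                blocks.append(directives)
            pending = ""
        elif tok == ";":                     # statement ends: record it in the innermost block
            words = pending.split()
            if words and stack:
                stack[-1][1].setdefault(words[0], []).append(words[1:])
            pending = ""
        else:
            pending += tok
    return blocks


def _is_tls_listen(args: list[str]) -> bool:
    """True for 'listen 443 ssl ...' or 'listen [::]:443 ssl ...'."""
    return "ssl" in args and any(a == "443" or a.endswith(":443") for a in args)


def audit_server_block(directives: dict, expected_names: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means the block passed every check."""
    findings = []
    if not any(_is_tls_listen(args) for args in directives.get("listen", [])):
        findings.append("no 'listen ... 443 ssl' directive")
    if "ssl" in directives:
        findings.append("'ssl on' is deprecated (nginx 1.15.0); 'listen ... ssl' already enables TLS")
    for name in REQUIRED:
        if name not in directives:
            findings.append(f"missing {name}")
    names = {n for args in directives.get("server_name", []) for n in args}
    for missing in sorted(expected_names - names):
        findings.append(f"server_name does not cover {missing}")
    protos = directives.get("ssl_protocols")
    if protos is None:
        findings.append("ssl_protocols not set; allowed versions depend on the nginx build's default")
    else:
        legacy = LEGACY_PROTOCOLS & {p for args in protos for p in args}
        if legacy:
            findings.append("ssl_protocols enables legacy versions: " + ", ".join(sorted(legacy)))
    return findings


# Constructed sample 1: the tutorial's block as first written ("ssl on;" and only the www name).
TUTORIAL_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.dummy-domain.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/dummy-domain.com.pem;
    ssl_certificate_key /etc/nginx/ssl/dummy-domain.com.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
"""

# Constructed sample 2: the same block with every finding addressed.
HARDENED_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dummy-domain.com www.dummy-domain.com;
    ssl_certificate /etc/nginx/ssl/dummy-domain.com.pem;
    ssl_certificate_key /etc/nginx/ssl/dummy-domain.com.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { return 200 "ok"; }  # nested block: its directives stay out of the server dict
}
"""

DOMAINS = {"dummy-domain.com", "www.dummy-domain.com"}

if __name__ == "__main__":
    for label, conf in (("tutorial", TUTORIAL_CONF), ("hardened", HARDENED_CONF)):
        for block in parse_server_blocks(conf):
            print(label, audit_server_block(block, DOMAINS) or ["OK"])
```

Run it over your own file with parse_server_blocks(open("/etc/nginx/nginx.conf").read()) and the names you passed to certbot -d; the reader is deliberately minimal (no include expansion, no variables), so treat an empty finding list as a pre-check, not as a replacement for nginx -t.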
If you want to find out more about how to enforce SSL by setting up 301 redirects then please follow our tutorial about NGiNX SSL Setup and 301 Redirects.