Secure NGiNX with Let’s Encrypt SSL on CentOS 7


Just another tutorial from Tufora where we will be showing you how to secure NGiNX with Let’s Encrypt SSL on CentOS 7. As you are well aware NGiNX is a very powerful software that can be used for various applications and workloads being as HTTP server, reverse proxy, load balancer and nowadays even as router for containers, pretty good portfolio we would say. On this tutorial we will be focusing on securing a NGiNX deployment with a SSL certificate issued by Let’s Encrypt (letsencrypt) using certbot utility on a CentOS 7 server.

Table of contents

Package instalation
Generate Diffie–Hellman Exchange Key
Generate letsencrypt SSL certificate with certbot
NGiNX SSL Configuration

Package installation

Our first step in order to secure NGiNX with a Let’s Encrypt SSL is to make sure that we have all packages and their dependencies that we need installed onto our CentOS 7 system. So please open a new terminal window, connect to your server where NGiNX is installed if you have not done that already and let’s start by installing first epel-release repository like shown in the example below using yum package manager:

$ yum install epel-release

Once epel-release installation is completed we have to install a few more additional packages like openssl, openssl-devel, certobt and also certbot-nginx using once again CentOS package manager yum:

$ yum install openssl openssl-devel certbot certbot-nginx

These are all the packages that we need for securing NGiNX with letsencrypt, now we can move to our next step where we have to actually generate the SSL for NGiNX.

Generate Diffie–Hellman Exchange Key

On this particular step we have to generate a DHM Key (Diffie–Hellman-Merkel Key Excange) via CLI using just openssl utility that we have previously installed like shown in the example below:

$ openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

You may generate even stronger keys than 2048 bits like for example 4096 bits but in this tutorial we will use a 2048 bits key which is strong enough for most setups.

Generate letsencrypt SSL certificate with certbot

We have managed so far to install all required packages and also generate a DHM Exchange Key but now we have to generate a Let’s Encrypt (letsencrypt) SSL Certificate for our NGiNX server. In this example we have to secure a domain name called we will have to invoke certbot utility like this:

$ certbot --nginx -d -d

As you can notice certbot is able to issue SSL certificates for both domain variants, www and also non-www.

NGiNX SSL Configuration

Now that we have managed to generate our Let’s Encrypt SSL Certificate (dhparam.pem) using certbot utility and DH Exchange Key using openssl all we have to do is just to amend our NGiNX configuration file being by editing nginx.conf file directly or our custom .conf file for our website:

server {

    # Ref:

    listen 			 443 ssl http2;
    listen                       [::]:443 ssl http2;
    server_name       ;
    ssl                          on;
    ssl_certificate              /etc/nginx/ssl/;
    ssl_certificate_key          /etc/nginx/ssl/;
    ssl_dhparam                  /etc/ssl/certs/dhparam.pem;

    # Add your own configuration below this line



If you want to find out more about how to enforce SSL by setting up 301 redirects then please follow our tutorial about NGiNX SSL Setup and 301 Redirects.


No video posted for this page.


No screenshots posted for this page.

Source code

No code posted for this page.

About this page

Secure NGiNX with Let’s Encrypt SSL on CentOS 7

Share this page

If you found this page useful please share it with your friends or colleagues.