Free SSL Certificates with Let’s Encrypt for Nginx on CentOS 7

Are you paying too much for SSL certificates? Are you looking for free SSL certificates?

You can get free SSL certificates with Let’s Encrypt and deploy them with Certbot in less than 10 minutes!

In this article, I will show you how you can install and deploy SSL certificates for Nginx servers running on CentOS 7.

What is Let’s Encrypt

Let’s Encrypt is a CA (Certificate Authority) that provides free SSL DV (Domain Validation) certificates. These free SSL certificates allow websites to provide secure connections through HTTPS (SSL/TLS).

Certificates issued by Let’s Encrypt expire after 90 days, while other CAs usually issue certificates that last about a year.

According to Let’s Encrypt, the advantage of a 90-day validity period is that it limits the damage from key compromise and mis-issuance. Let’s Encrypt supports automated renewal and recommends renewing every 60 days.

Certificates issued are compatible with most up-to-date browsers, so you do not need to worry about incompatibility.

Get Your Free SSL

We will use Certbot to simplify the deployment of Let’s Encrypt free SSL certificates.

Deploy free SSL certificates with Certbot

Requirements

  • Shell access (SSH) to server (obviously!)

Installation

Install Certbot for Nginx.

$ sudo yum install certbot-nginx

This command will generate a certificate and automatically edit the Nginx configuration to serve it.

$ sudo certbot --nginx

If you prefer to modify your configuration manually, add certonly to the command above to generate the certificate only.

$ sudo certbot --nginx certonly

You can check out Certbot for other configurations if you are not on CentOS 7 and Nginx.

Automating Renewal

Run the following command to test the renewal process.

$ sudo certbot renew --dry-run

If the above is successful, you can use cron to run certbot renew at regular intervals.

The following cron job runs certbot renew at 1am daily without any output and reloads Nginx configuration.

0 1 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"

Certbot recommends running it often to prevent downtime if the certificate expires or is revoked. The command does nothing unless the certificate is due for renewal or has been revoked.
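To see why a daily cron job is enough, and where the "renew every 60 days" recommendation comes from, here is an added example that models the renewal schedule in Python. It is not code from the article or from Certbot. It assumes Certbot's default behaviour of renewing only when fewer than 30 days of validity remain (the article does not state this threshold) and models the 01:00 daily job from the crontab line above; the issuance date and the outage scenarios are constructed for the demonstration.

```python
"""Added example: model Certbot's daily renewal of a 90-day Let's Encrypt certificate.

Assumptions (not stated on the page): Certbot's default is to renew a
certificate when fewer than 30 days of validity remain, and the cron job
runs `certbot renew` once a day at 01:00, as in the article's crontab line.
"""
from datetime import datetime, timedelta, timezone

LIFETIME_DAYS = 90        # Let's Encrypt certificate lifetime (from the article)
RENEW_BEFORE_DAYS = 30    # Certbot's default renewal threshold (assumption)


def parse_not_after(line: str) -> datetime:
    """Parse the 'notAfter=...' line printed by `openssl x509 -noout -enddate`."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after: datetime, now: datetime) -> int:
    """Whole days of validity left (negative once the certificate has expired)."""
    return (not_after - now).days


def renewal_due(not_after: datetime, now: datetime,
                threshold: int = RENEW_BEFORE_DAYS) -> bool:
    """Certbot's rule: renew when fewer than `threshold` days remain."""
    return days_remaining(not_after, now) < threshold


def simulate(issued: datetime, horizon_days: int, run_succeeds=lambda day: True):
    """Run the daily 01:00 cron job for `horizon_days` days after issuance.

    `run_succeeds(day)` models whether that day's `certbot renew` could reach
    the CA (False during an outage). Returns a list of (day, event) tuples.
    """
    not_after = issued + timedelta(days=LIFETIME_DAYS)
    events = []
    for day in range(1, horizon_days + 1):
        now = issued + timedelta(days=day, hours=1)   # cron fires at 01:00
        if now >= not_after:
            events.append((day, "expired"))            # site now serves an expired cert
            break
        if renewal_due(not_after, now) and run_succeeds(day):
            not_after = now + timedelta(days=LIFETIME_DAYS)
            events.append((day, "renewed"))
    return events


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed issuance date
    print("healthy:", simulate(start, 200))
    print("16-day CA outage from day 60:", simulate(start, 100, lambda d: not 60 <= d <= 75))
    print("30-day outage from day 60:", simulate(start, 100, lambda d: not 60 <= d <= 89))
```

Running it shows the first renewal on day 60, exactly the interval Let’s Encrypt recommends, and that the daily job tolerates almost a month of consecutive failed attempts before the certificate lapses. That margin is the reason for running the job daily rather than every 60 days, and for checking with `certbot renew --dry-run` that the attempts actually succeed.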

Yes, it is that easy.

Rate Your Server

You can test your server’s rating with the SSL Labs Server Test; at this point you should get a B because of weak Diffie-Hellman parameters. To get an A, run the command below to generate stronger parameters.

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

When the command finishes (generating 2048-bit parameters can take a few minutes), edit your Nginx configuration (e.g. /etc/nginx/conf.d/default.conf) and add the following line to the server block so that Nginx uses the newly created parameters.

server {
    listen 443 ssl;
    ...
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}

Now, run the test again and you should get an A. But don’t stop here! Find out how to enable HTTP/2 in less than 5 minutes to take advantage of its performance benefits.

I hope this article helped you learn how to install and deploy Let’s Encrypt SSL certificates.

If you liked this article, please share it with your friends and family.