Are you paying too much for SSL certificates? Are you looking for free SSL certificates?
You can get free SSL certificates with Let’s Encrypt and deploy them with Certbot in less than 10 minutes!
In this article, I will show you how you can install and deploy SSL certificates for Nginx servers running on CentOS 7.
What is Let’s Encrypt
Let’s Encrypt is a CA (Certificate Authority) that provides free SSL DV (Domain Validation) certificates. These free SSL certificates allow websites to provide secure connections through HTTPS (SSL/TLS).
Issued certificates expire in 90 days, while other CAs usually issue certificates that last about a year.
According to Let’s Encrypt, the 90-day validity limits damage from key compromise and mis-issuance. Let’s Encrypt allows automated renewal and recommends renewing every 60 days.
Certificates issued are compatible with most up-to-date browsers, so you do not need to worry about incompatibility.
Get Your Free SSL
We will use Certbot to simplify the deployment of Let’s Encrypt free SSL certificates.
Requirements
- Shell access (SSH) to server (obviously!)
Installation
Install Certbot for Nginx.
$ sudo yum install certbot-nginx
The following command generates a certificate and automatically edits the Nginx configuration to serve it.
$ sudo certbot --nginx
If you prefer to modify your configuration manually, add certonly to the command above to generate the certificate only.
$ sudo certbot --nginx certonly
You can check out Certbot for other configurations if you are not on CentOS 7 and Nginx.
Automating Renewal
Run the following command to test the renewal process.
$ sudo certbot renew --dry-run
If the above is successful, you can use cron to run certbot renew at regular intervals.
The following cron job runs certbot renew at 1am daily without any output and reloads the Nginx configuration.
0 1 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
Certbot recommends running it often to prevent downtime if the certificate expires or is revoked. The command will do nothing if the certificate is not due for renewal or revoked.
Yes, it is that easy.
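To confirm that the cron job really is keeping the certificate fresh, the check below classifies a certificate by its remaining validity using openssl x509 -checkend. It is an added example, not part of Certbot or the original article; the function names, the 30-day threshold (the 90-day lifetime minus the 60-day renewal point) and the self-signed sample certificates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that scheduled renewal keeps a certificate fresh.
# Let's Encrypt certificates last 90 days and renewal is recommended every
# 60 days, so a healthy certificate should always have 30+ days left.

# cert_status FILE [MIN_DAYS]
# Prints ok | renewal-overdue | expired | unreadable (exit code 0/1/2/3).
cert_status() {
    cert=$1
    min_days=${2:-30}   # assumption: alert threshold of 90 - 60 days
    # Reject anything openssl cannot parse, so a missing or corrupt file
    # is not reported as merely "expired".
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo expired; return 2
    fi
    if ! openssl x509 -noout -checkend $((min_days * 86400)) \
            -in "$cert" >/dev/null; then
        echo renewal-overdue; return 1
    fi
    echo ok
}

# make_sample_cert FILE DAYS
# Constructed sample input: a throwaway self-signed certificate valid for
# DAYS days (hypothetical CN, not a Let's Encrypt certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.test" -keyout "$1.key" -out "$1" 2>/dev/null
}

# With an argument, check that certificate file (for example the one Certbot
# obtained). Without arguments, run against two constructed certificates.
if [ "$#" -gt 0 ]; then
    cert_status "$@"
else
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/fresh.pem" 90
    make_sample_cert "$tmp/stale.pem" 10
    echo "fresh.pem: $(cert_status "$tmp/fresh.pem")"
    echo "stale.pem: $(cert_status "$tmp/stale.pem")"
    rm -rf "$tmp"
fi
```

A non-zero exit code from cert_status on the live certificate means the renewal job has not succeeded for at least a month and needs attention before visitors see an expiry warning.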
Rate Your Server
You can test your server’s rating with SSL Labs Server Test and you should get a B due to weak Diffie-Hellman parameters. In order to get an A, you will need to run the command below to update the parameters.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
When the test is done, edit your Nginx configuration (e.g. /etc/nginx/conf.d/default.conf). Add the following line in the Nginx server block to use the newly created parameters.
server {
    listen 443 ssl;
    ...
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
Now, run the test again and you should get an A. But don’t stop here! Find out how to enable HTTP/2 in less than 5 minutes to take advantage of its performance benefits.
Hope this article helped you learn how to install and deploy Let’s Encrypt SSL certificates.
If you liked this article, please do share this article with your friends and family.