Letsencrypt certbot Centos 7 Nginx



Post by lik » Thu Jun 16, 2016 2:41 pm

Let's Encrypt provides free SSL certificates for websites. The process of issuing a certificate (and renewing it) is greatly simplified by the certbot scripts (formerly letsencrypt-auto), written in Python.
Here we will install certbot on Centos 7 and issue an SSL certificate for example.com/www.example.com running on Nginx.

Certbot installation instructions can be found at certbot.eff.org or in the GitHub repo.
Certbot is packaged in the EPEL repository. Enable EPEL on your system and install certbot:
Code:
yum install epel-release
yum install certbot

I prefer not to create a .well-known directory in the webroot of each site to pass the http-01 challenge, so we will use one common directory for all sites:
Code:
server {
    listen 80;
    listen [::]:80;
    server_name .example.com;

    location /.well-known/acme-challenge {
        root /etc/letsencrypt/well-known-auto;
    }
    location / {
        return 301 https://example.com$request_uri;
    }
}

And create that dir:
Code:
mkdir /etc/letsencrypt/well-known-auto

Reload Nginx to apply the configuration changes and request an SSL certificate for the example.com domain:
Code:
certbot certonly --webroot -w /etc/letsencrypt/well-known-auto -d example.com -d www.example.com --email ssl@example.com --agree-tos

Now configure Nginx to use this new SSL certificate. A good example of an SSL virtual host config (not only for Nginx) can be found on the Mozilla ssl-config-generator page.
Code:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /home/sites/example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;

    add_header  X-Frame-Options SAMEORIGIN;
    add_header  X-Content-Type-Options nosniff;
    add_header  X-XSS-Protection "1; mode=block";
    add_header  Strict-Transport-Security max-age=15768000;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass   php-fpm;
        include        fastcgi_params;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    }

}

Test the renewal command:
Code:
certbot renew --dry-run

And finally add it to cron to automate the process:
Code:
5 5 * * * certbot renew --post-hook "systemctl restart nginx" --quiet


Notes:
- There is a bug in certbot versions <0.8.1 which triggers the post-hook action regardless of the renewal status.
- A workaround until the [certbot|letsencrypt{,-auto}] mess in the scripts is resolved is to set the environment variable CERTBOT_AUTO to avoid the warning:
WARNING:certbot.cli:You are running with an old copy of certbot that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.

e.g.
Code:
5 5 * * * CERTBOT_AUTO= certbot renew --post-hook "systemctl restart nginx" --quiet
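An added example, not part of the original post: a cron wrapper that runs the renewal and reloads Nginx only when the live certificate file actually changed, which sidesteps the pre-0.8.1 behaviour where --post-hook fires on every run. The certificate path, the use of sha256sum, and the renew/reload commands are assumptions; the commands are passed as parameters so the logic can be tested with stand-ins.

```shell
#!/bin/sh
# Added example (not from the original post). Intended for a cron entry such as:
#   5 5 * * * /usr/local/sbin/renew-and-reload.sh run
# It fingerprints the live fullchain.pem before and after "certbot renew" and
# only reloads Nginx when the fingerprint differs. Paths are assumptions.

# Print the SHA-256 digest of a file, or nothing if the file does not exist yet.
file_digest() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# renew_and_reload CERT RENEW_CMD RELOAD_CMD
#   CERT       path to the live certificate file to watch
#   RENEW_CMD  command that performs the renewal (simple words, no quoting)
#   RELOAD_CMD command to run only when CERT changed
# Returns 0 if a reload was performed, 1 if the certificate was unchanged,
# 2 if the renewal command itself failed (no reload is attempted).
renew_and_reload() {
    cert=$1
    renew_cmd=$2
    reload_cmd=$3

    before=$(file_digest "$cert")
    $renew_cmd || { echo "renewal command failed" >&2; return 2; }
    after=$(file_digest "$cert")

    if [ "$before" != "$after" ]; then
        echo "certificate changed, reloading web server"
        $reload_cmd
        return 0
    fi
    echo "certificate unchanged, nothing to do"
    return 1
}

# Production defaults (assumed paths); "reload" re-reads the certificate
# without dropping open connections, unlike "restart".
if [ "${1:-}" = "run" ]; then
    renew_and_reload /etc/letsencrypt/live/example.com/fullchain.pem \
        "certbot renew --quiet" "systemctl reload nginx"
fi
```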