Here we will install Certbot on CentOS 7 and issue an SSL certificate for example.com and www.example.com served by Nginx.
Certbot installation instructions can be found at certbot.eff.org or in the GitHub repository.
Certbot is packaged in the EPEL repository. Enable EPEL on your system and install Certbot:
Code:

    yum install epel-release
    yum install certbot
I prefer not to create a .well-known directory in the webroot of every site just to pass the http-01 challenge, so we will use one common directory for all sites:
Code:

    server {
        listen 80;
        listen [::]:80;
        # .example.com matches example.com and every subdomain of it
        server_name .example.com;
        # nginx appends the full request URI to root, so a challenge for
        # /.well-known/acme-challenge/<token> is read from
        # /etc/letsencrypt/well-known-auto/.well-known/acme-challenge/<token>
        location /.well-known/acme-challenge {
            root /etc/letsencrypt/well-known-auto;
        }
        location / {
            return 301 https://example.com$request_uri;
        }
    }
And create that directory:
Code:

    # -p also creates /etc/letsencrypt if certbot has not created it yet
    mkdir -p /etc/letsencrypt/well-known-auto
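The reason the shared directory works is the way nginx resolves `root` inside a prefix `location`: the whole request URI is appended to the `root` value, which is exactly where `certbot --webroot -w <dir>` writes its token. The following added example (not from the original post) models that mapping in Python and contrasts it with `alias`, which strips the location prefix and so breaks the arrangement. The token and directory names are constructed; nothing is read from disk, and the function names are the example's own.

```python
"""Added example: model how nginx maps an ACME http-01 request URI onto the
filesystem for a prefix `location` using `root` versus `alias`, and compare
that with the file certbot --webroot creates.  Paths and the token are
constructed for the example; nothing is read from disk."""
from __future__ import annotations

import posixpath

LOCATION = "/.well-known/acme-challenge"            # the location block from the config above
SHARED_DIR = "/etc/letsencrypt/well-known-auto"     # the shared webroot from the post


def nginx_served_path(uri: str, directive: str, value: str, location: str = LOCATION) -> str:
    """Return the file nginx would open for `uri` matched by prefix `location`.

    root  : filesystem path = root value  + full URI
    alias : filesystem path = alias value + (URI with the location prefix removed)
    """
    if not uri.startswith(location):
        raise ValueError(f"{uri!r} is not under location {location!r}")
    if directive == "root":
        return posixpath.normpath(value + uri)
    if directive == "alias":
        return posixpath.normpath(value + uri[len(location):])
    raise ValueError(f"unsupported directive {directive!r}")


def certbot_written_path(webroot: str, token: str) -> str:
    """certbot --webroot -w WEBROOT writes WEBROOT/.well-known/acme-challenge/TOKEN."""
    return posixpath.normpath(posixpath.join(webroot, ".well-known", "acme-challenge", token))


def challenge_reachable(directive: str, value: str, webroot: str, token: str) -> bool:
    """True when the file certbot creates is exactly the file nginx would serve."""
    uri = f"{LOCATION}/{token}"
    return nginx_served_path(uri, directive, value) == certbot_written_path(webroot, token)


if __name__ == "__main__":
    token = "constructed-token-0123456789"  # placeholder; real ACME tokens are random
    # The post's setup: `root` pointing at the shared directory, and -w pointing at the same place.
    print("root  :", challenge_reachable("root", SHARED_DIR, SHARED_DIR, token))   # True
    # A common mistake: `alias` with the same -w value; nginx now looks one level higher.
    print("alias :", challenge_reachable("alias", SHARED_DIR, SHARED_DIR, token))  # False
```

With `alias`, nginx would look for `/etc/letsencrypt/well-known-auto/<token>` while certbot writes to `/etc/letsencrypt/well-known-auto/.well-known/acme-challenge/<token>`, and the challenge fails with a 404. Sticking with `root`, as the config above does, keeps the two in step.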
Reload Nginx to apply the configuration changes, then request the certificate for example.com and www.example.com:
Code:

    certbot certonly --webroot -w /etc/letsencrypt/well-known-auto -d example.com -d www.example.com --email [email protected] --agree-tos
Now configure Nginx to use the new certificate. A good example of an SSL virtual host configuration (not only for Nginx) can be found on the Mozilla ssl-config-generator page.
Code:

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        # www.example.com is on the certificate as well; add it here (or a redirect
        # block for it) if it must answer over HTTPS
        server_name example.com;
        root /home/sites/example.com;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        # TLS 1.0 and 1.1 were deprecated by RFC 8996 (2021); current Mozilla
        # profiles list TLSv1.2 (and TLSv1.3) only, so drop the first two when
        # old clients no longer matter
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_tickets off;
        # OCSP stapling; the chain below is used to verify the stapled responses
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security max-age=15768000;
        location / {
            try_files $uri $uri/ /index.php?$args;
        }
        location ~ \.php$ {
            # only hand existing files to PHP; non-existent .php paths get a 404
            try_files $uri =404;
            # 'php-fpm' is an upstream that must be defined elsewhere in the nginx config
            fastcgi_pass php-fpm;
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
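A server block like the one above is worth checking mechanically before it goes live, since the dangerous parts (old protocol versions, 3DES suites, a short HSTS lifetime, stapling without a trust chain) are easy to overlook in a long directive list. The following added example (not part of the original post) is a small checker written for this page: it tokenises an nginx block, collects the directives, and reports the points a reviewer would raise. `SAMPLE` is a constructed, shortened copy of the server block above with placeholder paths; the thresholds and marker lists are the example's own choices, except for the RFC deprecations and the one-year HSTS preload minimum, which are documented facts.

```python
"""Added example: a minimal checker for the security-relevant directives in
an nginx HTTPS server block.  SAMPLE is a constructed, shortened copy of the
server block above; its file paths are placeholders."""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

SAMPLE = """
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;      # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    add_header Strict-Transport-Security max-age=15768000;
}
"""

# SSLv2 (RFC 6176), SSLv3 (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are formally deprecated.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark suites no current profile should offer (a heuristic, not exhaustive).
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "NULL", "EXP-")
HSTS_PRELOAD_MIN_SECONDS = 31536000  # one year, the minimum the browser preload list accepts


def parse_directives(text: str) -> List[Tuple[str, List[str]]]:
    """Flatten an nginx config fragment into (directive, args) pairs.

    Comments are stripped per line (a '#' inside a quoted value is not handled),
    and block nesting is ignored: the checks only need to know which directives
    appear and with which arguments."""
    stripped = "\n".join(re.sub(r"#.*", "", line) for line in text.splitlines())
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[;{}]|[^\s;{}]+", stripped)
    directives: List[Tuple[str, List[str]]] = []
    current: List[str] = []
    for tok in tokens:
        if tok == ";":
            if current:
                directives.append((current[0], [a.strip("'\"") for a in current[1:]]))
            current = []
        elif tok in ("{", "}"):
            current = []  # 'server {' / 'location / {' headers and closers are not directives
        else:
            current.append(tok)
    return directives


def check_tls_block(text: str) -> List[str]:
    """Return human-readable findings for one HTTPS server block ([] means clean)."""
    d: Dict[str, List[List[str]]] = {}
    for name, args in parse_directives(text):
        d.setdefault(name, []).append(args)
    findings: List[str] = []

    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    bad = sorted(protocols & DEPRECATED_PROTOCOLS)
    if bad:
        findings.append(f"ssl_protocols enables deprecated {', '.join(bad)}")

    for args in d.get("ssl_ciphers", []):
        if not args:
            continue
        weak = [s for s in args[0].split(":")
                if not s.startswith("!") and any(m in s for m in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append(f"ssl_ciphers offers weak suites: {', '.join(weak)}")

    if d.get("ssl_stapling", [["off"]])[0] == ["on"]:
        if d.get("ssl_stapling_verify", [["off"]])[0] != ["on"]:
            findings.append("ssl_stapling is on but ssl_stapling_verify is not")
        elif "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify on needs ssl_trusted_certificate")

    if d.get("ssl_session_tickets", [["on"]])[0] != ["off"]:
        findings.append("ssl_session_tickets is on; turn it off unless ticket keys are rotated")

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        age = int(m.group(1)) if m else 0
        if age < HSTS_PRELOAD_MIN_SECONDS:
            findings.append(f"HSTS max-age={age} is below the one-year preload minimum")
    return findings


if __name__ == "__main__":
    for finding in check_tls_block(SAMPLE):
        print("finding:", finding)
```

Run against `SAMPLE` the checker reports three things: TLSv1 and TLSv1.1 are enabled, `DES-CBC3-SHA` is offered, and the HSTS max-age of 15768000 (about six months) is below the preload minimum. Replacing the protocol list with `TLSv1.2 TLSv1.3`, dropping the 3DES suite and raising max-age to 63072000 brings the finding list to empty, which is the state to aim for once legacy clients are no longer a concern.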
Test the renewal command:
Code:

    certbot renew --dry-run
And finally, add it to cron to automate the process:
Code:

    5 5 * * * certbot renew --post-hook "systemctl restart nginx" --quiet
Notes:
- There is a bug in Certbot versions older than 0.8.1 that triggers the post-hook action regardless of the renewal status.
- A workaround, until the [certbot|letsencrypt{,-auto}] naming mess in the scripts is resolved, is to set the environment variable CERTBOT_AUTO to avoid the warning:
WARNING:certbot.cli:You are running with an old copy of certbot that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
e.g.:

Code:

    5 5 * * * CERTBOT_AUTO= certbot renew --post-hook "systemctl restart nginx" --quiet