How To Secure Nginx with Let's Encrypt on CentOS 8

How to Install Let’s Encrypt SSL with Nginx on CentOS 8

Securing your Nginx server on CentOS 8 with an SSL certificate from Let’s Encrypt is essential for protecting user data and enhancing your site's trustworthiness. Let’s Encrypt provides free, automated SSL certificates, making it simple to implement HTTPS. This guide will walk you through the steps to install Let’s Encrypt with Nginx on CentOS 8.

Prerequisites

  • A CentOS 8 server with root access or a user with sudo privileges.
  • Nginx installed and running.
  • A domain name pointing to your server's IP address.

Step 1: Update System Packages

To ensure all system packages are up-to-date, run:

sudo dnf update -y

Step 2: Install EPEL Repository

Let’s Encrypt’s Certbot requires the EPEL (Extra Packages for Enterprise Linux) repository to be enabled on CentOS 8. Install it by running:

sudo dnf install epel-release -y

Step 3: Install Certbot

Certbot is a client that automates obtaining and installing SSL certificates. Install Certbot and the Nginx plugin:

sudo dnf install certbot python3-certbot-nginx -y

Step 4: Configure Nginx

Before issuing a certificate, configure Nginx for your domain. Create a configuration file in the /etc/nginx/conf.d/ directory:

sudo nano /etc/nginx/conf.d/example.com.conf

Replace example.com with your actual domain name and use the following configuration:

server {
    listen 80;
    server_name example.com www.example.com;

    location / {
        proxy_pass http://localhost:3000; # Or whatever your backend is running on
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Save and exit the file, then test the Nginx configuration for syntax errors:

sudo nginx -t

If the test is successful, restart Nginx to apply the changes:

sudo systemctl restart nginx

Step 5: Obtain the SSL Certificate

With Certbot installed and Nginx configured, request an SSL certificate. Run the following command, replacing example.com with your domain:

sudo certbot --nginx -d example.com -d www.example.com

Certbot will connect to Let’s Encrypt, verify your domain, and install the certificate automatically. You’ll be prompted to provide your email address and agree to the terms of service.

Step 6: Test SSL Configuration

When Certbot finishes, it has already added the SSL settings to your Nginx configuration. Verify the resulting configuration by testing Nginx again:

sudo nginx -t

Restart Nginx to apply the SSL settings:

sudo systemctl restart nginx

Now, visit https://example.com in your web browser to check if the SSL certificate is active.

Step 7: Set Up Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, so setting up automatic renewal is crucial. Certbot’s default installation on CentOS 8 includes a renewal timer. To check if the timer is active, run:

sudo systemctl list-timers | grep certbot

To test renewal manually and ensure it’s functioning, use:

sudo certbot renew --dry-run

This command will simulate the renewal process. If no errors occur, your automatic renewal is set up correctly.
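
A monitoring check for the renewal set up in this step, as an added example that is not part of the original guide: it reads `certbot certificates` output and flags any certificate that is expired or has fewer days left than a threshold, which on a Certbot-managed host means renewal is failing. The sample output is constructed, and the function names and the 20-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: flag certificates that automatic renewal has failed to refresh.
# Real use on the server: sudo certbot certificates | check_renewal 20

# Constructed sample modeled on `certbot certificates` output (not real data).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 59 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: stale.example.com
    Domains: stale.example.com
    Expiry Date: 2030-01-12 10:00:00+00:00 (VALID: 11 days)
    Certificate Path: /etc/letsencrypt/live/stale.example.com/fullchain.pem
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
EOF
}

# check_renewal MIN_DAYS (hypothetical helper, threshold chosen by the operator)
# Reads the listing on stdin and prints one line per problem certificate.
# Returns 1 if anything was flagged, 0 if every certificate is healthy.
check_renewal() {
    awk -v min="$1" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if ($0 ~ /INVALID/) {
                print "EXPIRED " name; bad = 1
            } else if (match($0, /VALID: [0-9]+ day/)) {
                # Pull the number out of "VALID: <n> day(s)"
                days = substr($0, RSTART + 7, RLENGTH - 11) + 0
                if (days < min) { print "RENEWAL_OVERDUE " name " " days; bad = 1 }
            } else {
                # Any other status (for example under a day left) counts as overdue
                print "RENEWAL_OVERDUE " name " 0"; bad = 1
            }
        }
        END { exit bad }
    '
}
```

Run it from cron or a monitoring agent and alert on a non-zero exit status, so a silently failing renewal is noticed before the certificate expires.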

Step 8: Firewall Configuration (if necessary)

If you use a firewall on your server, ensure it allows HTTPS traffic. Enable HTTP and HTTPS through the firewall with:

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Conclusion

You have now installed and configured Let’s Encrypt SSL with Nginx on CentOS 8! Your site is more secure, and with Certbot’s automatic renewal, you’ll have peace of mind knowing your certificate will stay valid.
