Nginx: Install Let’s Encrypt SSL on CentOS 6 and CentOS 7

Let’s Encrypt free SSL certificates are one of those things that are changing the history of the internet. For those who still don’t know what it is: Let’s Encrypt offers free SSL certificates for everybody. Today I will show you how to install Let’s Encrypt SSL on CentOS 6 and CentOS 7 operating systems.

Introduction

Let’s Encrypt was founded to improve the security of the Internet. This started when Google announced that HTTPS would be taken as one of the ranking signals used by its algorithm. Google gave the first sign that SSL certificates would play a crucial role in internet security and data protection.

Some time after that, Cloudflare also announced their free Universal SSL certificates, and a lot of users started using their free SSL offering.

On April 12, 2016 the Let’s Encrypt project was officially launched, offering free X.509 certificates for Transport Layer Security (TLS) encryption via an automatic process.

And the last big adoption of free SSL certificates was made by cPanel Inc. when they announced the availability of cPanel AutoSSL on all their cPanel servers starting from cPanel v.58.x and above. Even before that, since cPanel v. 56.x, they had already started offering a free cPanel-signed hostname certificate.

It isn’t hard to notice that free SSL certificates are here to stay and to make the Internet a better and safer place. Now, let’s talk about Let’s Encrypt, its benefits, its requirements and the technical tutorial on how to install Let’s Encrypt SSL on CentOS 6.x / 7.x.

Let’s Encrypt Key Benefits

  • It’s free: everybody can have their own SSL certificate without spending a single dollar on paid SSL certificates.
  • It’s fast: you can set up your own SSL certificate within 5 minutes.
  • You don’t need any manual signing or validation process; it’s all done from the Linux shell.

Let’s Encrypt Requirements

We will need to install the certbot tool to generate our free Let’s Encrypt SSL certificate.

For CentOS 6.x users, run these commands:

cd /usr/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
ln -s /usr/bin/certbot-auto /usr/bin/certbot

For CentOS 7.x users:

Let’s install epel-release, which provides the certbot package as an RPM.

yum install epel-release
yum install certbot

Install Let’s Encrypt SSL on CentOS

The first step to install Let’s Encrypt SSL on CentOS Linux is to add a simple configuration block to your Nginx virtual host, so that the validation files certbot writes under /.well-known in your webroot can be fetched over HTTP. Add this block to your vhost configuration:

location ~ /.well-known {
        allow all;
}

Reload Nginx to apply changes:

service nginx reload

or

systemctl reload nginx

Get your Let’s Encrypt SSL Certificate

Run the command below, replacing “nixcp.com” with your real domain name and /var/www/ with your real webroot path.

certbot certonly -a webroot --webroot-path=/var/www/nixcp.com -d nixcp.com -d www.nixcp.com

This should be the expected output:

[[email protected]:~]certbot certonly -a webroot --webroot-path=/var/www/nixcp.com -d nixcp.com -d www.nixcp.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nixcp.com
Using the webroot path /var/www/nixcp.com for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:

 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/nixcp.com/fullchain.pem. Your cert
   will expire on 2017-04-20. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"

 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[[email protected]:~]

Configure Let’s Encrypt TLS/SSL on Nginx Web Server

Now let’s edit your Nginx virtual host so we can finally enable the Let’s Encrypt SSL certificate by configuring the fullchain.pem and privkey.pem files.

Edit your vhost and add these three directives:

listen 443 ssl http2;
ssl_certificate /etc/letsencrypt/live/nixcp.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/nixcp.com/privkey.pem;

The first one enables SSL on port 443 and also enables the HTTP/2 protocol; the second and third lines point to the required .pem files of your SSL certificate.

Reload Nginx to apply changes:

service nginx reload

or

systemctl reload nginx

The full nginx vhost configuration may look like this:

### nixcp.com

server {
        listen 80;
        server_name nixcp.com www.nixcp.com;
        rewrite ^(.*) https://nixcp.com$1 permanent;
}

server {
        access_log off;
        log_not_found off;
        error_log  logs/nixcp.com-error_log warn;

        server_name  nixcp.com;
        root   /var/www/nixcp.com;
        index  index.php index.html index.htm;

        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/nixcp.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/nixcp.com/privkey.pem;

        # SSL Configuration Start

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers On;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

        # Closing SSL configuration

        # Stuff required by certbot
        location ~ /.well-known {
                allow all;
        }

        # Cache Static Content
        location ~* \.(gif|jpg|jpeg|png|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|js|css|wml|swf)$ {
                expires max;
                add_header Pragma public;
                add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        # PHP-FPM Configuration
        location ~ \.php$ {
                try_files $uri =404;
                fastcgi_pass   unix:/tmp/nixcp.com-php5-fpm.sock;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include        fastcgi_params;
                fastcgi_buffer_size 128k;
                fastcgi_read_timeout 150;
                fastcgi_buffers 256 4k;
                fastcgi_busy_buffers_size 256k;
                fastcgi_temp_file_write_size 256k;
        }
}

TLS/SSL Hardening

I won’t explain each one of the options right now, but you can try this configuration if it meets your needs. Just make sure you understand what each one means before you set this up in your Nginx configuration.

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
        add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'; connect-src https: wss:" always;

This Let’s Encrypt TLS security configuration and a general SSL hardening guide are fully explained in my next tutorial: Hardening HTTP Response Headers.
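
The vhost shown earlier enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and 3DES cipher suites, which are exposed to the Sweet32 birthday attack. The following check is an added example, not code from the original tutorial: it scans Nginx configuration for those settings, and the embedded vhost is a constructed sample that reuses this page's ssl_protocols and ssl_ciphers lines.

```sh
#!/bin/sh
# Added example (not from the original tutorial): flag deprecated TLS settings
# in nginx configuration. Reads the files given as arguments, or stdin.
audit_tls() {
    awk '
        { sub(/#.*/, "") }                       # ignore comments
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    printf "line %d: deprecated protocol %s\n", FNR, p
            }
        }
        $1 == "ssl_ciphers" {
            c = $2; sub(/;$/, "", c); gsub(/"/, "", c)
            n = split(c, part, ":")
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /^[!-]/) continue  # "!" and "-" entries remove ciphers
                if (part[i] ~ /3DES|RC4|MD5|NULL|EXP/)
                    printf "line %d: weak cipher selector %s\n", FNR, part[i]
            }
        }
    ' "$@"
}

# Constructed sample: the TLS lines are the ones used in the vhost on this page.
sample_vhost() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers On;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
}
EOF
}

# Demo run: prints two protocol findings and three cipher findings.
sample_vhost | audit_tls
```

On a real server, pass the vhost file as the argument; the output is empty once ssl_protocols lists only TLSv1.2 and the three 3DES entries are removed from ssl_ciphers.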

Testing Let’s Encrypt SSL Certificates

As you see, your Let’s Encrypt free TLS/SSL certificate is now ready to work from your browser. My suggestion at this point is to test whether the SSL is working as expected. Try loading:

https://www.yoursite.com

If you get a green ‘Secure’ lock at the left part of your address bar, then your SSL is working as expected. If you don’t get a green ‘Secure’ message, then it may be possible that you have a ‘mixed content’ problem.

A mixed content problem means some parts of your application are loading insecure content over the http:// protocol.

This content could be local, from your own website, or remote, from other domains. You just have to make sure you are always loading your resources from https:// for both local and remote domains.

This tutorial on Google Developers may help to prevent mixed content.

Another effective way to test your SSL is to use the Qualys SSL Labs report. This test will analyze your SSL configuration and suggest improvements if needed. At the end you will get rated with different scores.

In a web browser open your SSL web page: https://www.ssllabs.com/ssltest/analyze.html?d=www.yoursite.com

Make sure you replace “yoursite.com” with your real URL where the SSL is running.

Set Up Let’s Encrypt SSL Auto Renewal

Now you know how to install Let’s Encrypt SSL on CentOS; however, there is one last step. Now that your free Let’s Encrypt SSL certificate is ready, you need to set up a way to auto-renew the certificates.

Let’s Encrypt SSL certificates are valid for only 90 days. So, a good practice is to set your SSL certificates to be renewed once a month.

Or, if you are more paranoid, once a week, so you can minimize any delays or errors while renewing your SSL certificates, just in case.

To launch the renewal process for all your SSL based domains you just need to run this command:

certbot renew

If you run the command now, it will report that no certificate is due for renewal yet, because the SSL certificate was just installed. The output should look similar to this:

[[email protected]:~]certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/nixcp.com.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/anothersite.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for anothersite.com
tls-sni-01 challenge for www.anothersite.com

-------------------------------------------------------------------------------

Important: if you created a certificate covering multiple domain names, only the main domain name will be shown, but the renewal will be applied to the rest of the domains (e.g. subdomains) that use the same certificate.

How can I set Let’s Encrypt Auto Renewal?

The best way to ensure your Let’s Encrypt SSL certificates are auto-renewed is to set up a cronjob that will be executed from time to time to renew the certificates for you.

The renewal will be executed only if fewer than 30 days remain before the expiration date.

We will add a cronjob to run the renewal command every week, run this command:

crontab -e

Paste the following lines

CentOS 6.x users:

01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log
06 1 * * 0 /sbin/service nginx reload

CentOS 7.x users:

01 1 * * 0 /usr/bin/certbot renew >> /var/log/ssl-renew.log
06 1 * * 0 /usr/bin/systemctl reload nginx

Save and Exit from the crontab table.

This will create a new cronjob that will be executed every Sunday at 01 AM, and then it will reload Nginx web server to apply the changes. The output will be logged into /var/log/ssl-renew.log file for further analysis if needed.
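
The two cron lines above reload Nginx five minutes after the renewal attempt whether or not anything was renewed. As an added example (not part of the original tutorial), the wrapper below reloads only when a certificate file actually changed and nginx -t accepts the configuration; the script path and the default binary locations are assumptions.

```sh
#!/bin/sh
# Added example (not from the original tutorial). Install as e.g.
# /usr/local/sbin/le-renew.sh (hypothetical path) and replace both cron lines with:
#   01 1 * * 0 /usr/local/sbin/le-renew.sh run
# The defaults below are assumptions; each can be overridden from the environment.
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
NGINX="${NGINX:-/usr/sbin/nginx}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
LOG="${LOG:-/var/log/ssl-renew.log}"

# Checksums of every live chain; the list changes only when a certificate was replaced.
cert_state() {
    find "$LIVE_DIR" -name fullchain.pem -exec cksum {} + 2>/dev/null | sort
}

# Prints one status word: unchanged, reloaded or config-invalid.
renew_and_reload() {
    before=$(cert_state)
    rc=0
    "$CERTBOT" renew >>"$LOG" 2>&1 || rc=$?      # remember a failure, keep going
    if [ "$before" = "$(cert_state)" ]; then
        echo unchanged                           # nothing new for nginx to load
        return "$rc"
    fi
    if ! "$NGINX" -t >>"$LOG" 2>&1; then         # never reload a broken config
        echo config-invalid
        return 2
    fi
    "$NGINX" -s reload >>"$LOG" 2>&1 || return 3
    echo reloaded
    return "$rc"
}

# Only act when invoked with "run", so the functions can be sourced and tested.
case "${1:-}" in
    run) renew_and_reload ;;
esac
```

A non-zero exit status from the script means certbot reported an error or the reload was skipped, so cron's mail or a monitoring check can pick it up.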

How can I completely remove a let’s encrypt certificate?

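rm -rf /etc/letsencrypt/live/domainname.com/
# live/ only holds symlinks; the certificates and private keys themselves are stored in archive/
rm -rf /etc/letsencrypt/archive/domainname.com/
rm -fv /etc/letsencrypt/renewal/domainname.com.conf

Remove the SSL configuration from your vhost, and then reload Nginx: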

service nginx reload

Conclusion

Let’s Encrypt free SSL certificates are here to stay. The adoption of SSL certificates after this project was launched has been really massive; today everybody has their own certificate.

Following this tutorial you will be able to install let’s encrypt ssl on CentOS 6.x and 7.x without any issues.

The only downside of the free SSL certificates, as I see it, is that now everybody is able to install a free certificate and look like a legitimate and secure website, even if they are not.

This can be dangerous if bad guys start using this on phishing websites, for example.

While technical users can be cautious and recognize a fake ‘secure’ phishing website, new or non-technical users (your mom or grandma, for example) can be easily hacked while entering their private details on a Let’s Encrypt based SSL website.

What do you think about Let’s Encrypt Free SSL Certificates, their benefits and risks?

Did you have any trouble while using my step-by-step guide on how to install Let’s Encrypt SSL on CentOS?

About the Author: Santiago Borges

Experienced Sr. Linux SysAdmin and Web Technologist, passionate about building tools, automating processes, fixing server issues, troubleshooting, securing and optimizing high traffic websites.
