nginx HTTPS with Let's Encrypt
Note: this article was only tested on a CentOS 7 system.
Install or check nginx
If nginx is not yet installed on your system, install it first. On CentOS 7 the nginx package can be installed from the EPEL repository.
Install the EPEL repository:
sudo yum install epel-release
Install nginx:
sudo yum install nginx
Check your nginx. If nginx is already installed, check whether it was built with http_ssl_module. nginx -V writes its build options to stderr, so redirect it before grepping; the second line below is the expected output:
nginx -V 2>&1 | grep -o -- '--with-http_ssl_module'
--with-http_ssl_module
If the output does not contain "--with-http_ssl_module", install nginx from EPEL instead.
Note: For more installation information, see installing-nginx-open-source.
Install the Certbot Let's Encrypt client
The second step in obtaining an SSL certificate from Let's Encrypt is to install the certbot software on your server. On CentOS 7 the certbot package can be installed from EPEL:
sudo yum install certbot
# or, via pip:
sudo pip install certbot
Create your configuration
Create a folder to store your configuration:
sudo mkdir /etc/letsencrypt/configs
Edit the configuration file:
sudo vim /etc/letsencrypt/configs/example.com.conf
Configuration file contents:
# write your domain and email
domains = example.com
rsa-key-size = 2048
email = your-email@example.com
text = True
# webroot-path is the root path of example.com
authenticator = webroot
webroot-path = /root/path/of/example.com
Note: The configuration above uses the webroot validation method, which suits the case where a web server is already running. Certbot automatically creates a hidden file under /root/path/of/example.com/.well-known/acme-challenge and proves that example.com really belongs to you by having that file requested: the Let's Encrypt validation server fetches http://www.example.com/.well-known/acme-challenge/ and validation succeeds if the request is served.
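Before running certbot it is worth confirming that the webroot-path you configured is really the directory nginx serves, since a wrong path is the usual reason HTTP-01 validation fails. The script below is an added example, not part of the original article: it stages a challenge file in the same .well-known/acme-challenge layout certbot uses, prints the URL the validation server will request, and checks the staged file locally. The webroot, token and key-authorization values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight the webroot
# HTTP-01 layout. The token and content values are constructed, not real
# ACME data; WEBROOT stands in for the webroot-path in example.com.conf.

# stage_challenge WEBROOT TOKEN CONTENT
# Creates WEBROOT/.well-known/acme-challenge/TOKEN holding CONTENT, the
# same place certbot writes its challenge, and prints the file path.
stage_challenge() {
    webroot=$1; token=$2; content=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$content" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"   # the nginx worker user must be able to read it
    printf '%s\n' "$dir/$token"
}

# challenge_url DOMAIN TOKEN
# Prints the URL the Let's Encrypt validation server fetches. It is always
# plain HTTP on port 80, so the port-80 server block must reach the webroot.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# check_challenge WEBROOT TOKEN EXPECTED
# Local check: the staged file exists, is readable and holds exactly
# EXPECTED, which is what the validation server compares remotely.
check_challenge() {
    file="$1/.well-known/acme-challenge/$2"
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    [ "$(cat "$file")" = "$3" ] || { echo "content mismatch in $file" >&2; return 1; }
    echo "ok: $file"
}

# Demo with a temporary directory standing in for /root/path/of/example.com
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    stage_challenge "$tmp" "demo-token" "demo-token.constructed-thumbprint"
    challenge_url example.com demo-token
    check_challenge "$tmp" "demo-token" "demo-token.constructed-thumbprint"
    rm -rf "$tmp"
fi
```

Run it with `--demo` to see the three steps against a throwaway directory; to check a real server, stage the file in the actual webroot and fetch the printed URL from outside the host, which exercises the same path the validation server takes.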
Generate the certificate
sudo certbot certonly -c /etc/letsencrypt/configs/example.com.conf
At the terminal you will see the following:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/example.com/fullchain.pem.
Add the certificate to the nginx configuration
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    # HSTS policy
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # mitigate clickjacking
    add_header X-Frame-Options DENY;
    # stop browsers from sniffing resource types
    add_header X-Content-Type-Options nosniff;
    # XSS protection
    add_header X-Xss-Protection 1;
    root /root/path/to/example.com;
    index index.html index.htm;
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
Note: For more nginx SSL configuration options, see the Mozilla SSL Configuration Generator.
Reload nginx
sudo nginx -s reload
Auto-renew the Let's Encrypt certificate
Create the log file as root (the original used mkdir, which would create a directory the redirect below cannot write to), then add the renewal job to root's crontab with crontab -e:
su root && touch /var/log/certbot_renew.log
0 0 1 * * /bin/certbot renew >> /var/log/certbot_renew.log 2>&1
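A cron entry that appends to a log only helps if someone reads the log, so a practitioner usually pairs it with a check of the certificate itself. The script below is an added example, not code from the original article: it reports how many days remain on a certificate and whether it is inside the 30-day window in which certbot renew acts. It assumes the live certificate sits at the path certbot printed above; the self-signed certificates it creates for the demo are constructed test data, not anything to deploy.

```shell
#!/bin/sh
# Added example (not from the original article): inspect the installed
# certificate so the cron renewal can be verified instead of trusted.
# Assumptions: openssl and GNU date are available; the live cert path is
# the one certbot printed; make_test_cert output is constructed test data.

# days_until_expiry CERT_PEM
# Prints the whole number of days until the certificate's notAfter date.
# GNU date parses the "Mon DD HH:MM:SS YYYY GMT" form that openssl prints.
days_until_expiry() {
    end=$(openssl x509 -in "$1" -noout -enddate) || return 1
    end=${end#notAfter=}
    end_s=$(date -u -d "$end" +%s) || return 1
    now_s=$(date -u +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# needs_renewal CERT_PEM [DAYS]
# Returns 0 when the certificate expires within DAYS days (default 30, the
# window in which "certbot renew" replaces it) and 1 while it is still fine.
# openssl's -checkend exits 0 as long as the cert stays valid that long.
needs_renewal() {
    secs=$(( ${2:-30} * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_PEM DAYS
# Creates a throwaway self-signed certificate valid for DAYS days so the
# checks above can be exercised without touching /etc/letsencrypt.
make_test_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" \
        -subj "/CN=example.com" -days "$2" -out "$1" >/dev/null 2>&1
    rc=$?
    rm -f "$key"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    cert=/etc/letsencrypt/live/example.com/cert.pem
    if [ -r "$cert" ]; then
        echo "$cert: $(days_until_expiry "$cert") days left"
        needs_renewal "$cert" && echo "inside the renewal window; check /var/log/certbot_renew.log"
    else
        # no live certificate on this host: demonstrate with constructed ones
        tmp=$(mktemp -d)
        make_test_cert "$tmp/short.pem" 10 && make_test_cert "$tmp/long.pem" 90
        for c in short long; do
            echo "$c: $(days_until_expiry "$tmp/$c.pem") days left"
            needs_renewal "$tmp/$c.pem" && echo "$c: certbot renew would replace this one"
        done
        rm -rf "$tmp"
    fi
fi
```

Running it with `--demo` on a host without a live certificate exercises both branches with a 10-day and a 90-day throwaway certificate. On the real server, `certbot renew --dry-run` additionally confirms that the webroot validation still works before the cron job has to rely on it.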