Secure the Nginx Server with Let’s Encrypt SSL
By Jithin on January 20th, 2020
Nginx is a free, open-source, high-performance web server. It can also act as a reverse proxy, TCP/UDP proxy, load balancer, and IMAP/POP3 proxy. Compared to the Apache HTTP server, Nginx is a more flexible and lightweight program, and it can be deployed to serve dynamic HTTP content. Nginx also works as a software load balancer and uses an asynchronous, event-driven approach to handle requests. This modular, event-driven architecture gives more predictable performance under high load. Nginx ships with fewer modules than Apache, which is one reason it performs better. We can secure the Nginx web server with the Let’s Encrypt Certbot client.
Let’s Encrypt is a non-profit certificate authority (CA) that provides valid SSL certificates for free. The certificate expires after 30 days, and it is renewed automatically within that period. Let’s Encrypt automates the work that is otherwise done by hand: creating, validating, installing, signing, and renewing certificates. We use a Let’s Encrypt SSL certificate to secure all the domains hosted on our Nginx server.
An SSL certificate is the backbone of a secure server, as it provides end-to-end encryption for all data transferred over the network. With an SSL certificate in place, any data entered in your browser is encrypted before it is sent to the server. In addition to encryption, the SSL certificate also provides authentication. When you secure your Nginx server with an SSL certificate, Let’s Encrypt checks that the domain points to the server, and only if it does is the certificate issued.
1) Before you start to secure the Nginx server with Let’s Encrypt SSL on CentOS, make sure that you have a non-root user account with sudo privileges on your server.
2) Make sure that the domains are pointing to the server.
Secure Nginx Server with Let’s Encrypt SSL
To secure the Nginx web server with Let’s Encrypt SSL using the Certbot client, follow the steps below:
1) Install Certbot Client
Certbot is a free, open-source, Apache-licensed certificate management program written in Python. It is a Let’s Encrypt client that orders the certificate, validates the domains, and installs the certificate to enable HTTPS. It not only manages SSL certificates but also issues and renews them.
To install the Certbot client on CentOS, run the following commands.
1) First, add the EPEL repository on CentOS.
$ sudo yum install epel-release
2) Install the Certbot client by running the following command.
$ sudo yum install certbot python-certbot-nginx
3) After the installation completes, run the following command to check the version of the Certbot client.
$ sudo certbot --version
2) Set Up the Firewall
If you are not running any firewall on your server, then you can skip this step.
Make sure that ports 80 and 443 are open in your firewall. To open the ports in firewalld, run the following commands.
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --runtime-to-permanent
If the system is running iptables, then you can run the following commands to enable traffic on ports 443 and 80.
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
3) Set Up Let’s Encrypt on Nginx
Let’s Encrypt issues the certificate only after it has validated ownership of the domain. In the following command, replace test.com and www.test.com with your own domain names.
$ sudo certbot --nginx -d test.com -d www.test.com
On the first run, Certbot asks you to enter an email address and agree to the terms and conditions. Then Certbot asks how HTTP traffic should be handled.
Please choose whether HTTPS access is required or optional.
1: Easy – Allow both HTTP and HTTPS access to these sites
2: Secure – Make all requests redirect to secure HTTPS access
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):
To move to the next step, select one of the two options. We recommend choosing the secure option if you do not want to edit the configuration file manually.
All the files generated while setting up Let’s Encrypt SSL on Nginx are stored under the /etc/letsencrypt/live directory.
Generate Strong Diffie-Hellman Parameters
The Diffie-Hellman key exchange method is used to exchange cryptographic keys securely over an unsecured communication channel. You can generate strong Diffie-Hellman parameters with the following command, which writes them to the ‘dhparam.pem’ file.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
After that, edit the Nginx configuration file and add the following code inside the server block.
$ sudo nano /etc/nginx/nginx.conf
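The server block below is an added example, not the original guide's snippet: it shows the Certbot-managed certificate lines together with the ssl_dhparam directive that points Nginx at the parameters generated above. The domain test.com is a placeholder, and the block may live in nginx.conf or in a file under /etc/nginx/conf.d/, wherever Certbot found your server block.

```nginx
server {
    listen 443 ssl;
    server_name test.com www.test.com;   # placeholder domain, replace with yours

    # Certificate and key written by "certbot --nginx" (paths from /etc/letsencrypt/live)
    ssl_certificate     /etc/letsencrypt/live/test.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.com/privkey.pem;

    # Use the 2048-bit Diffie-Hellman parameters generated with "openssl dhparam"
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    location / {
        root /usr/share/nginx/html;
        index index.html;
    }
}
```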
After adding the code, save and close the file. To check that the syntax is valid, run the following command.
$ sudo nginx -t
Once the test reports no errors, reload the Nginx configuration.
$ sudo systemctl reload nginx
4) SSL Certificate Auto-Renewal
A Let’s Encrypt SSL certificate expires after 90 days, so you need to renew it before then. Run the following command to renew the SSL certificate.
$ sudo certbot renew
If you want to automate the renewal, add a cron job. To open the crontab, run the following command.
$ sudo crontab -e
To run the renewal command twice a day, add the following line at the end of the file. Certbot only renews a certificate when it is close to expiry, so running the job this often is safe.
0 */12 * * * /usr/bin/certbot renew >> /var/log/le-renew.log
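To see what that cron job is deciding, here is an added shell example (not part of the original guide) that reads a live certificate's expiry with openssl and applies Certbot's default rule of renewing when fewer than 30 days remain. It assumes GNU date as found on CentOS; the domain argument and the dates in the comments are constructed samples.

```shell
#!/bin/sh
# Added example: check how many days a Let's Encrypt certificate has left and
# whether Certbot's default renewal window (< 30 days) has been reached.
# Assumes GNU date (CentOS). Domain paths are placeholders supplied by the caller.

# Print the whole days between the Unix epoch time NOW and NOTAFTER, where
# NOTAFTER uses the openssl format, e.g. "Apr 20 12:00:00 2020 GMT".
days_until_expiry() {
    notafter=$1
    now=$2
    expiry=$(date -u -d "$notafter" +%s) || return 1
    echo $(( (expiry - now) / 86400 ))
}

# Certbot renews only when fewer than 30 days remain; mirror that decision.
needs_renewal() {
    [ "$(days_until_expiry "$1" "$2")" -lt 30 ]
}

# Report the status of the certificate Certbot stored for DOMAIN.
check_cert() {
    domain=$1
    cert=/etc/letsencrypt/live/$domain/cert.pem
    # openssl prints "notAfter=<date>"; strip the prefix to get the date alone.
    notafter=$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//') || return 1
    now=$(date -u +%s)
    left=$(days_until_expiry "$notafter" "$now")
    if needs_renewal "$notafter" "$now"; then
        echo "$domain: $left days left, renewal due (certbot renew will act)"
    else
        echo "$domain: $left days left, certbot renew will skip it for now"
    fi
}

# Usage: ./check_cert.sh test.com
if [ $# -gt 0 ]; then
    check_cert "$1"
fi
```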
You can use Let’s Encrypt with the Certbot client to issue, install, manage, and renew SSL certificates for your Nginx server. Let’s Encrypt provides valid SSL certificates for free. If you want to install a Let’s Encrypt SSL certificate on CentOS, you can refer to our guide: How to Install Let’s Encrypt SSL Certificate on CentOS 6/7
If you need any further help, please reach out to our support department.