How to enable TLS in Nginx with Let's Encrypt

Get your website onto HTTPS!

1. Enable TLS

Reference:
https://letsencrypt.org
https://certbot.eff.org

1.1. Setup Certbot

Enable the EPEL repo (Certbot is packaged there for RHEL/CentOS 7):

$ sudo yum install epel-release

On RHEL you also need the optional and extras channels, which are enabled through subscription-manager (install it first if it is missing):

$ sudo yum install subscription-manager
$ sudo subscription-manager repos --enable "rhel-*-optional-rpms" --enable "rhel-*-extras-rpms"

On RHEL running in AWS (RHUI, where subscription-manager is not used) the equivalent channels are enabled with yum-config-manager; the rhui-REGION-* repo ids are literal, REGION is not substituted:

$ sudo yum -y install yum-utils
$ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

On CentOS, EPEL alone is enough; the commands above are not needed.

After doing this, install Certbot and its nginx plugin:

$ sudo yum install certbot python2-certbot-nginx

If yum answers "No package certbot available.", EPEL is not enabled or not yet refreshed; fix that first. Older EPEL builds also shipped the plugin under a different package name, so try:

$ sudo yum install certbot-nginx

1.2. Enable TLS

$ sudo certbot --nginx

Certbot's nginx plugin parses your nginx configuration, answers the http-01 challenge through it, writes the certificate paths and ssl directives into the matching server block, and reloads nginx.

But, notice!

If you installed nginx from source, the plugin will not find it where the distribution package puts it (configuration under /etc/nginx and an nginx binary on PATH), so tell it where your build lives:

$ sudo certbot --nginx --nginx-server-root /usr/local/nginx/conf --nginx-ctl /usr/local/nginx/sbin/nginx

(These are the default locations of a source build; use whatever --prefix and --sbin-path you configured.)

On success the output looks like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/kelimelerdunyasi.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/kelimelerdunyasi.org/privkey.pem
   Your cert will expire on 2019-07-23. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
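A scripted version of section 1, added here as an example; it is not taken from the original post or from certbot's own documentation. It runs the same nginx-plugin issuance non-interactively, rehearses against the Let's Encrypt staging CA first, and adds the HTTP-to-HTTPS redirect the interactive run asks about, plus HSTS and OCSP stapling. The e-mail address and domains on the usage line are placeholders; the script assumes the packages from 1.1 are installed and that an nginx server block already exists whose server_name lists each domain.

```shell
#!/bin/sh
# Added example, not part of the original post or of certbot itself.
# Non-interactive certificate issuance with certbot's nginx plugin.
# Assumes: certbot + python2-certbot-nginx installed (section 1.1) and an
# nginx server block with server_name matching every domain passed in.
set -eu

# Reject anything that is not a plain hostname before it reaches a command
# line: no characters outside [A-Za-z0-9.-], no leading or trailing hyphen
# or dot, no empty label, and at least one dot (example.com, not localhost).
validate_fqdn() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|-*|*.-*|*-.*|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the "-d host -d host" list for certbot from validated domains.
# Prints nothing and returns 1 if any domain is rejected.
domain_args() {
    out=""
    for d in "$@"; do
        validate_fqdn "$d" || { echo "invalid domain: $d" >&2; return 1; }
        out="$out -d $d"
    done
    printf '%s\n' "${out# }"
}

# Obtain (or replace) the certificate.  $1 = contact e-mail, rest = domains.
# --redirect adds the HTTP->HTTPS redirect, --hsts adds the
# Strict-Transport-Security header, --staple-ocsp turns on OCSP stapling;
# all three are written into the server block by the nginx installer plugin.
issue_certificate() {
    email="$1"; shift
    domains="$(domain_args "$@")" || return 1
    # Rehearse first: --dry-run talks to the staging CA, whose rate limits are
    # relaxed, so a wrong DNS record or a blocked port 80 is found without
    # consuming production issuance quota.  Nothing is saved to disk.
    # $domains is unquoted on purpose: the validated values contain no
    # whitespace, so word-splitting yields exactly the "-d host" pairs.
    certbot certonly --nginx --dry-run --non-interactive --agree-tos \
        --no-eff-email --email "$email" $domains
    # Real run; certbot edits nginx.conf's server block and reloads nginx.
    certbot --nginx --non-interactive --agree-tos --no-eff-email \
        --email "$email" --redirect --hsts --staple-ocsp $domains
    # Show what was issued and where it lives (/etc/letsencrypt/live/<name>/).
    certbot certificates
}

# Usage (placeholders): ./enable-tls.sh admin@example.com example.com www.example.com
# With fewer than two arguments the script only defines the functions.
if [ "$#" -ge 2 ]; then
    issue_certificate "$@"
fi
```

Run it as root (or with sudo) because certbot writes under /etc/letsencrypt and edits the nginx configuration; if the dry run fails, nothing has been changed and the production quota is untouched.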

2. Automating renewal

2.1. Test

Test automatic renewal for your certificates by running this command:

$ sudo certbot renew --dry-run

Output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kelimelerdunyasi.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kelimelerdunyasi.org
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-staging-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/kelimelerdunyasi.org/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/kelimelerdunyasi.org/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.

If the output contains "Congratulations, all renewals succeeded.", the renewal configuration works. The dry run talks to the staging endpoint (acme-staging-v02.api.letsencrypt.org, as shown above) and does not save the test certificates.

2.2. Automating renewal setup

$ sudo crontab -e

Insert the line below:

00 00 * * 1     certbot renew --post-hook "/usr/local/nginx/nginx -s reload"

This runs the renewal check every Monday at midnight. certbot renew only replaces a certificate that is within 30 days of expiry, so most runs do nothing. Let's Encrypt certificates are valid for 90 days, which leaves a weekly job several attempts before expiry; certbot's own recommendation is to run renew twice a day. The --post-hook reloads nginx so it picks up the new files (the path is the nginx binary of a source build; for a packaged nginx use /usr/sbin/nginx or "systemctl reload nginx"). With the nginx installer plugin certbot already reloads nginx itself when it deploys a certificate, as the "new certificate deployed with reload of nginx server" line in the dry run shows, so the hook is a safety net.

2.3. Verify the certificate

Visit https://www.ssllabs.com/ssltest/ and enter your hostname: it shows the chain the server sends, the protocols and ciphers it accepts, and the expiry date, and grades the configuration.
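A cron-ready renewal script covering 2.2 and 2.3, added here as an example; it is not from the original post or from certbot. It assumes GNU coreutils date and openssl on the host, certbot at /usr/bin/certbot, and the source-built nginx binary at /usr/local/nginx/nginx from the cron line above (a default source build puts it at /usr/local/nginx/sbin/nginx); the certificate path and hostname on the command line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of certbot.
# Assumes GNU date, openssl, certbot at /usr/bin/certbot and the nginx
# binary path below (taken from the post's cron line; adjust as needed).
set -eu

NGINX_BIN=/usr/local/nginx/nginx

# Days from epoch second $2 until the notAfter string $1 exactly as openssl
# prints it, e.g. "Jul 23 12:00:00 2019 GMT".  Negative means already expired.
days_until() {
    end=$(date -u -d "$1" +%s)
    printf '%s\n' $(( (end - $2) / 86400 ))
}

# Report days left for the certificate in PEM file $1; returns 1 when it is
# within $2 days of expiry (default 30, the window in which certbot renews),
# so it doubles as a monitoring probe for a renewal job that silently stopped.
check_expiry() {
    pem="$1"; threshold="${2:-30}"
    notafter=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    left=$(days_until "$notafter" "$(date +%s)")
    echo "$pem: $left days left (notAfter=$notafter)"
    [ "$left" -gt "$threshold" ]
}

# Renew whatever is due.  --deploy-hook runs only for a certificate that was
# actually replaced (unlike --post-hook, which also runs after a failed
# attempt), and nginx -t checks the configuration before the reload so a
# broken config is reported instead of leaving nginx serving the old cert.
renew_all() {
    /usr/bin/certbot renew --quiet \
        --deploy-hook "$NGINX_BIN -t && $NGINX_BIN -s reload"
}

# Check what a client actually receives on port 443 (with SNI, so the right
# server block answers): leaf subject, expiry and the chain verify result.
check_served() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -subject -enddate
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | grep '^ *Verify return code'
}

# Usage: renew-tls.sh renew
#        renew-tls.sh expiry /etc/letsencrypt/live/example.com/fullchain.pem [days]
#        renew-tls.sh served example.com
# With no argument the script only defines the functions.
case "${1:-}" in
    renew)  renew_all ;;
    expiry) check_expiry "$2" "${3:-30}" ;;
    served) check_served "$2" ;;
    *) ;;
esac
```

To follow certbot's twice-daily advice, point the cron line at the script instead of calling certbot directly, e.g. `0 0,12 * * * /usr/local/sbin/renew-tls.sh renew` (the install path is an assumption). `renew-tls.sh expiry <fullchain.pem>` exits non-zero inside the 30-day window, which is the condition a monitoring check should alert on, since a certificate that is still inside that window a day after the cron job ran means renewal is failing.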


EOF