Config let's encrypt for nginx server with 9 step

let's encrypt.md

1. Install certbot

Flow command:

1 wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

2 yum install epel-release-latest-7.noarch.rpm

If you are using ec2 you can enable optional channel by running: 1' yum -y install yum-utils

2' yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

3 sudo yum install certbot python2-certbot-nginx

2. SSL Init

• Generate Diffie-Hellman keys: openssl dhparam -out /etc/nginx/dhparam.pem 2048

• Create a common ACME-challenge directory (for Let's Encrypt): mkdir -p /var/www/_letsencrypt

3. Nginx Config

Add to nginx.conf

# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# Diffie-Hellman parameter for DHE ciphersuites
ssl_dhparam /etc/nginx/dhparam.pem;

# Mozilla Intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;

Sample

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

  # --------- start region config for SSL
	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# Mozilla Intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;
  # --------- end region config for SSL

	# load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}



4. Create ssl.conf file

echo -e '# ACME-challenge\nlocation ^~ /.well-known/acme-challenge/ {\n root /var/www/_letsencrypt;\n}' | sudo tee /etc/nginx/ssl.conf

5. Add ssl.conf to your domain.com.conf

include ssl.conf;

Sample

server {
listen 80;
listen [::]:80;

server_name example.com;

include ssl.conf;

# other config
}

6. Register SSL

certbot certonly --webroot -d example.com --email [email protected] -w /var/www/_letsencrypt -n --agree-tos --force-renewal

7. Enable SSL (HTTPS)

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name example.com;

  # SSL
  ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

  # other config
}



8. Set up automatic renewal

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null

9. Configure Certbot to reload NGINX after success renew:

echo -e '#!/bin/bash\nnginx -t && systemctl reload nginx' | sudo tee /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh
sudo chmod a+x /etc/letsencrypt/renewal-hooks/post/nginx-reload.sh