Set Up Let's Encrypt SSL for Your Domains on CentOS 7 with NGINX


A while back I wrote a post on how you can install PHP 7 with nginx on a VPS server to get very good performance; you can find it here: WordPress Hosting – Install PHP7, Nginx and Virtualmin on CentOS 7.2.

In this article I will continue the series and show how you can use Let's Encrypt to run an HTTPS website for free, with a valid certificate signed by a CA.

Let's Encrypt is a free Certificate Authority that will generate a certificate for your domain and help you run your site on HTTPS. Having your site on HTTPS has more benefits, like:

  • SEO – Google ranks sites that are on HTTPS higher; you can find more details here
  • HTTP/2, the new protocol, is out and new browsers support it; HTTP/2 can run only over HTTPS, more details here
  • Your site is better secured; if you are running a membership site this is recommended

Steps to have your site running on HTTPS

I started from How To Secure Nginx with Let's Encrypt on CentOS 7, but those are not the exact configurations to use when you host multiple sites with Virtualmin and Nginx. In this article I will go through all the steps I took to get bitdoze.org running on HTTPS.

Step 1 — Install Let’s Encrypt Client

As mentioned in the DigitalOcean article, the Let's Encrypt client needs to be installed; the exact steps given there need to be followed:

Install Git and Bc

yum -y install git bc

Clone Let’s Encrypt

sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Now /opt/letsencrypt holds the Let's Encrypt tool needed to generate the certificate.

Step 2 — Obtain a Certificate

You already have NGINX installed from the previous tutorial; what remains is to get the certificate. Before doing so, some configuration needs to be done in nginx.

Add .well-known to the domain

Open /etc/nginx/nginx.conf and add the code below inside the server block of the domain you want to run on HTTPS:

location ^~ /.well-known/ {
    allow all;
}

If it is not clear where the code should be added, check the snapshot at the end of the article with the complete configuration.

Restart Nginx

For the configuration to be active, NGINX needs to be restarted:

sudo systemctl restart nginx

This is needed because Let's Encrypt will request http://domain.com/.well-known/ to validate the domain before creating the certificate.

Generate the certificate

The next action is to have the certificate created for your domain. To do so you need the root path where the site's files live; for me it is /home/bitdoze.org/public_html.

Next you would need to run:

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/home/bitdoze.org/public_html -d bitdoze.org -d www.bitdoze.org


Next you will be asked for an email address and to agree to the terms; if everything is OK, then:

Output:
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to bitdoze1@gmail.com
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/bitdoze.org/fullchain.pem. Your
   cert will expire on 2016-06-15. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now you have the certificate files; you can check with:

[root@ns1 ~]# ls -ltr  /etc/letsencrypt/live/bitdoze.org/
total 0
lrwxrwxrwx 1 root root 38 Mar 23 10:33 privkey.pem -> ../../archive/bitdoze.org/privkey1.pem
lrwxrwxrwx 1 root root 40 Mar 23 10:33 fullchain.pem -> ../../archive/bitdoze.org/fullchain1.pem
lrwxrwxrwx 1 root root 36 Mar 23 10:33 chain.pem -> ../../archive/bitdoze.org/chain1.pem
lrwxrwxrwx 1 root root 35 Mar 23 10:33 cert.pem -> ../../archive/bitdoze.org/cert1.pem


Step 3 — Configure TLS/SSL on Web Server (Nginx)

Enable SSL on port 443 but keep the plain HTTP listener as well (a listen directive with only an address defaults to port 80):

listen 104.236.95.236;
listen 443 ssl;

Add the SSL certificate, the private key and the new ssl_ciphers list:

ssl on;
ssl_certificate /etc/letsencrypt/live/bitdoze.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/bitdoze.org/privkey.pem;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

Redirect the HTTP to HTTPS:

# force https-redirects
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

Restart Nginx

sudo systemctl restart nginx


For a complete picture of how my server block looks, check:

server {
    server_name bitdoze.org www.bitdoze.org;
    listen 104.236.95.236;
    listen 443 ssl;
    root /home/bitdoze.org/public_html;
    index index.html index.htm index.php;
    access_log /var/log/virtualmin/bitdoze.org_access_log;
    error_log /var/log/virtualmin/bitdoze.org_error_log;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME /home/bitdoze.org/public_html$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/bitdoze.org/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param HTTPS $https;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/php-nginx/14569991303968.sock/socket;
    }
    location ^~ /.well-known/ {
        allow all;
    }
    location / {
        include /etc/nginx/drconf/wpsecure.conf;
        include /etc/nginx/drconf/wpnocache.conf;

        try_files $uri $uri/ /index.php?q=$request_uri;
    }
    ssl on;
    ssl_certificate /etc/letsencrypt/live/bitdoze.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bitdoze.org/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # force https-redirects
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}


Step 4 — WordPress Configurations


You will need to edit the wp-config.php file and add:

define('FORCE_SSL_ADMIN', true);
define('WP_HOME','https://www.bitdoze.org');
define('WP_SITEURL','https://www.bitdoze.org');

Just replace my site with yours.

Step 5 — Set Up Auto Renewal

The certificate expires after 90 days, so you will need to renew it. To do so, run:

/opt/letsencrypt/letsencrypt-auto renew

To make the process automatic, add a script to crontab:

sudo crontab -e

Add the lines below; you can run them every week or as often as you want. For every week:

30 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log
35 2 * * 1 /usr/bin/systemctl reload nginx
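As an added example (not part of the original post), here is a cron wrapper for the renewal above that reloads nginx only when the live fullchain.pem actually changed, and only after `nginx -t` passes, so a broken edit elsewhere in nginx.conf cannot take the site down during an unattended renewal. The letsencrypt-auto, certificate and log paths are the ones used in this post; the script name le-renew.sh is an assumption.

```shell
#!/bin/sh
# le-renew.sh: cron wrapper around "letsencrypt-auto renew" (added example).
# Reload nginx only if the live certificate really changed and the config
# still passes "nginx -t".
set -eu

LE_BIN="${LE_BIN:-/opt/letsencrypt/letsencrypt-auto}"
LIVE_CERT="${LIVE_CERT:-/etc/letsencrypt/live/bitdoze.org/fullchain.pem}"
LOG="${LOG:-/var/log/le-renew.log}"

# Checksum of the file the live symlink points at; empty if unreadable.
# cksum is POSIX, so this works with the stock CentOS 7 /bin/sh.
fingerprint() {
    if [ -r "$1" ]; then cksum "$1" | cut -d' ' -f1; else echo ""; fi
}

# True (exit 0) when the checksums before and after renew differ.
cert_changed() {
    [ "$1" != "$2" ]
}

# Reload only a configuration that passes the syntax and certificate test.
reload_nginx() {
    if nginx -t >/dev/null 2>&1; then
        systemctl reload nginx
    else
        echo "nginx -t failed, not reloading" >&2
        return 1
    fi
}

main() {
    before=$(fingerprint "$LIVE_CERT")
    if ! "$LE_BIN" renew >>"$LOG" 2>&1; then
        echo "$(date -u +%FT%TZ) renew failed, see $LOG" >&2
        exit 1
    fi
    after=$(fingerprint "$LIVE_CERT")
    if cert_changed "$before" "$after"; then
        echo "$(date -u +%FT%TZ) certificate renewed, reloading nginx" >>"$LOG"
        reload_nginx
    else
        echo "$(date -u +%FT%TZ) certificate unchanged, nothing to do" >>"$LOG"
    fi
}

# Run main only when invoked as le-renew.sh, so the functions can be
# sourced and tested without touching the live server.
if [ "${0##*/}" = "le-renew.sh" ]; then main; fi
```

Save it as le-renew.sh (path of your choice), make it executable, and point the weekly cron entry at it instead of the two separate lines above.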