Joseph.to

Add SSL/HTTPS on a site powered by Linux

July 12, 2020

Add SSL/HTTPS on a site powered by NGINX

This guide gives an overview of how to secure an NGINX-powered website with SSL/HTTPS. It was used to secure a WordPress site with the Certbot Let's Encrypt client on CentOS 8.

Setup

Certbot is not in the default repositories of CentOS 8 (the Linux distribution used for this guide), so you will need to download the certbot-auto wrapper script from the Certbot project. If Certbot is already installed on your distribution, skip this step. (The Certbot project has since deprecated certbot-auto in favour of its snap package; the steps below are kept as used on CentOS 8 in 2020, so check certbot.eff.org for the current install method before following them on a new system.)

Download the script, move it into place and lock it down so that only root can modify it; it runs as root both here and from the renewal cron job. The project also publishes a detached signature (certbot-auto.asc) that you can check with gpg against the key listed on the Certbot site before the first run:

wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto

Now run the following command to obtain a certificate for your WordPress site and have the nginx plugin install it into your server configuration:

certbot-auto --nginx -d example.com

For a certificate that covers every subdomain, request the wildcard name *.example.com. Wildcard names are only issued through the DNS-01 challenge (you add a TXT record that Let's Encrypt looks up), which the nginx plugin cannot perform, so use the manual plugin against the ACMEv2 endpoint with certonly. Two details matter: a wildcard does not match the bare example.com, so list that name as well, and quote the asterisk so the shell does not expand it. Drop the wildcard entry if you only need a single name. Note that certonly only writes the certificate files; it does not touch your NGINX configuration.

/usr/local/bin/certbot-auto --server https://acme-v02.api.letsencrypt.org/directory -d example.com -d '*.example.com' --manual --preferred-challenges dns-01 certonly

You will be asked for an email address (used for expiry and security notices) and to agree to the terms of service. With the nginx plugin you will also be asked whether to redirect HTTP traffic to HTTPS; choose the appropriate option and press ENTER. Once the run finishes successfully, you will see a message like the following:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-14. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
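When the certificate was obtained with certonly (the wildcard case above), NGINX still has to be told to use the files under /etc/letsencrypt/live/. The script below is an added example, not code from the original post: it renders a pair of server blocks for the domain (port 80 only redirects to HTTPS and keeps the ACME challenge path reachable; port 443 serves the site over TLS 1.2/1.3 with the Let's Encrypt chain), rejects names that could break the configuration, validates with nginx -t and reloads only if the test passes. It assumes NGINX reads /etc/nginx/conf.d/*.conf (the CentOS default), that the document root is /var/www/<domain> (a hypothetical path), and that the name passed in is the one given to -d, which is also the name of the live/ directory.

```shell
#!/bin/sh
# Added example (not from the original post): wire a certificate obtained with
# "certbot-auto ... certonly" into NGINX by hand.
# Assumptions: /etc/nginx/conf.d/*.conf is included by nginx.conf (CentOS
# default), the site lives in /var/www/<domain> (hypothetical path), and
# <domain> is the -d name, i.e. the /etc/letsencrypt/live/<domain> directory.
set -eu

# Print the server blocks for a domain. Port 80 only answers the http-01
# challenge path and redirects everything else; port 443 serves the site.
render_nginx_tls_site() {
  domain="$1"
  live="/etc/letsencrypt/live/${domain}"
  # Only hostname characters: anything else could escape the live/ path or
  # inject directives into the generated config.
  case "$domain" in
    ''|*[!A-Za-z0-9.-]*) echo "invalid domain: '$domain'" >&2; return 1 ;;
  esac
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain} *.${domain};

    # Keep the http-01 challenge path on plain HTTP for future renewals.
    location /.well-known/acme-challenge/ {
        root /var/www/${domain};
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain} *.${domain};

    ssl_certificate     ${live}/fullchain.pem;
    ssl_certificate_key ${live}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Only enable HSTS once every subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/${domain};
    index index.php index.html;
    # WordPress / PHP-FPM location blocks go here.
}
EOF
}

# Write the config, validate it, and reload NGINX only if the test passes,
# so a typo never takes the running server down.
install_nginx_tls_site() {
  domain="$1"
  live="/etc/letsencrypt/live/${domain}"
  conf="/etc/nginx/conf.d/${domain}.conf"
  [ -r "${live}/fullchain.pem" ] && [ -r "${live}/privkey.pem" ] \
    || { echo "no certificate under ${live}; run certbot-auto first" >&2; return 1; }
  render_nginx_tls_site "$domain" > "$conf"
  nginx -t && systemctl reload nginx
}

# Run as root after certonly has finished, e.g.:
#   install_nginx_tls_site example.com
```

The HSTS header is the one line to think about before copying: once browsers have seen it they will refuse plain HTTP for the whole domain for the max-age period, so turn it on only after every host under the name serves HTTPS.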

Auto renew the SSL certificate

  • Install Python 3

First, check whether your server has Python 3 installed (the cron line below uses it for a random delay):

python3 --version

If it is installed, proceed to the next step. If it isn't, install it with:

sudo dnf install python3
  • Automate the renewal

Run crontab -e as root, then add the following line to the file. A per-user crontab has no user column; the "root" field belongs only in /etc/crontab or /etc/cron.d entries, and in a user crontab it would be run as the command itself.

0 0,12 * * * python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew

This runs twice a day. After a random delay of up to an hour (so that many servers do not all hit Let's Encrypt at the same moment), certbot renew checks every certificate it manages and renews those that are within 30 days of expiry; the rest are left alone, so the job is safe to run this often and renewal happens well before, not after, the certificate expires. A certificate obtained with the nginx plugin is reloaded into NGINX by Certbot afterward; for one obtained with certonly, add --deploy-hook 'systemctl reload nginx' so the running server picks up the new files.

  • What can happen

The cron-driven renewal can fail, for example because the challenge can no longer complete (port 80 no longer reachable from the internet), or, for the wildcard certificate above, because certbot renew cannot repeat a manual DNS-01 challenge unattended unless a --manual-auth-hook script that creates the TXT record is configured. In that case renew manually, read the output and /var/log/letsencrypt/letsencrypt.log to find the cause, and then change the crontab to the command that worked for you. A failed renewal is silent until the certificate actually expires, so check the expiry date periodically rather than trusting the cron job.
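The following is an added example, not the post's own code, of a renewal wrapper that turns the crontab one-liner above into a script cron can call, together with the expiry check that catches a silently failing renewal before the certificate lapses. It assumes certbot-auto at /usr/local/bin/certbot-auto as installed above, NGINX managed by systemd, GNU date (as on CentOS), and uses /var/log/certbot-renew.log and /usr/local/sbin/certbot-renew.sh as hypothetical paths.

```shell
#!/bin/sh
# Added example (not from the original post): a renewal wrapper for cron plus
# an expiry check that notices when unattended renewal has been failing.
# Assumptions: certbot-auto at /usr/local/bin/certbot-auto (installed above),
# NGINX under systemd, GNU date; the log path below is a hypothetical choice.
set -eu

CERTBOT=/usr/local/bin/certbot-auto
LOG=/var/log/certbot-renew.log

# Whole days between "now" (epoch seconds) and an OpenSSL notAfter string such
# as "Aug 14 12:00:00 2019 GMT". Negative means the certificate has expired.
days_left_from_notafter() {
  notafter="$1"; now="$2"
  expiry=$(date -u -d "$notafter" +%s)
  echo $(( (expiry - now) / 86400 ))
}

# Days left on a live certificate, read from the file Certbot actually serves.
cert_days_left() {
  domain="$1"
  enddate=$(openssl x509 -noout -enddate -in "/etc/letsencrypt/live/$domain/cert.pem")
  days_left_from_notafter "${enddate#notAfter=}" "$(date -u +%s)"
}

# Let's Encrypt certificates are valid for 90 days and Certbot renews at
# under 30 days, so anything below 20 days means the cron job has been
# failing for more than a week and a human should read the log.
renewal_is_healthy() {
  days="$1"
  [ "$days" -ge 20 ]
}

# Cron entry point: sleep a random 0-3599 s so every host does not hit
# Let's Encrypt at the same instant, then renew. --deploy-hook runs only for
# certificates that were actually renewed, so NGINX is not reloaded for nothing.
run_renewal() {
  sleep $(( $(od -An -N2 -tu2 /dev/urandom | tr -d ' ') % 3600 ))
  if ! "$CERTBOT" renew --non-interactive --quiet \
        --deploy-hook 'systemctl reload nginx' >>"$LOG" 2>&1; then
    echo "$(date -u +%FT%TZ) renewal FAILED, see $LOG" >>"$LOG"
    return 1
  fi
}

# Usage from root's crontab (no user column in a per-user crontab):
#   0 0,12 * * * /usr/local/sbin/certbot-renew.sh run
#   0 8 * * *    /usr/local/sbin/certbot-renew.sh check example.com
case "${1:-}" in
  run)   run_renewal ;;
  check) d=$(cert_days_left "$2"); renewal_is_healthy "$d" \
           || { echo "$2: only $d days left, renewal is failing" >&2; exit 1; } ;;
  *)     ;;   # no mode given: only define the functions (e.g. when sourced)
esac
```

The check mode is the part the crontab one-liner lacks: cron only emails the output of a failing job if local mail is set up, so an independent expiry check (here run daily and exiting non-zero, which any monitoring hook can pick up) is what turns a silent failure into a visible one.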


Personal blog of Joseph, co-founder of Polar.io. With a focus on node and javascript development, blockchain and photography.