
How to Secure Nginx with Let’s Encrypt on RHEL 7 (Red Hat Enterprise Linux) Operating System

Update on:
Sep 2, 2021
Let’s Encrypt is a free and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are trusted by almost all browsers today.
 
In this tutorial, we’ll provide step-by-step instructions on how to secure your Nginx server with Let’s Encrypt using the certbot tool on RHEL 7 (Red Hat Enterprise Linux).

Prerequisites

Make sure that you have met the following prerequisites before continuing with this tutorial:

Install Certbot

Certbot is an easy-to-use tool that automates obtaining and renewing Let’s Encrypt SSL certificates and configuring web servers to use them.
To install the certbot package from the EPEL repository (which must be enabled on the system) run:
$ sudo yum install certbot

Generate Strong Dh (Diffie-Hellman) Group

Diffie–Hellman key exchange (DH) is a method of securely exchanging cryptographic keys over an unsecured communication channel.
 
Generate a new set of 2048 bit DH parameters by typing the following command:
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

If you like you can change the size up to 4096 bits, but in that case, the generation may take more than 30 minutes depending on the system entropy.

Obtaining a Let’s Encrypt SSL certificate

To obtain an SSL certificate for our domain we’re going to use the Webroot plugin that works by creating a temporary file for validating the requested domain in the ${webroot-path}/.well-known/acme-challenge directory. The Let’s Encrypt server makes HTTP requests to the temporary file to validate that the requested domain resolves to the server where certbot runs.
 
To make it more simple we’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /var/lib/letsencrypt.
 
The following commands create the directory and hand it to the nginx group; the setgid bit makes files created inside it inherit that group, so the Nginx server can serve what certbot writes there.
$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp nginx /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt

To avoid duplicating code create the following two snippets which we’re going to include in all our Nginx server block files:

$ sudo mkdir /etc/nginx/snippets

/etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files $uri =404;
}

/etc/nginx/snippets/ssl.conf

ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
The snippet above includes the ciphers recommended by Mozilla, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and enforces a few security-focused HTTP headers. Two caveats worth knowing: TLS 1.0 and 1.1 were formally deprecated in 2021 (RFC 8996), so on a current system you can drop them from ssl_protocols, keep TLSv1.2 (plus TLSv1.3 where your OpenSSL build supports it) and prune the 3DES (DES-CBC3) suites from the cipher list; and Nginx only inherits add_header directives from the enclosing level when the current level defines none of its own, so a location block that adds its own header must repeat these.
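As an added example (not part of the original tutorial), the following shell script lints an Nginx SSL snippet such as ssl.conf above for the settings a reviewer would flag: deprecated protocol versions, legacy ciphers, missing OCSP stapling, a missing HSTS header and session tickets left on. It assumes only POSIX sed and grep; the file path passed to it is an assumption.

```bash
#!/usr/bin/env bash
# Lint an nginx SSL snippet for weak settings.
# Added example; not from the tutorial. Assumes POSIX sed and grep.

# audit_ssl_conf FILE
# Prints one WARN line per finding and returns the number of findings
# (0 means nothing was flagged).
audit_ssl_conf() {
    local f="$1" findings=0 protos p
    # Pull the protocol list out of "ssl_protocols ...;"
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$f")
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $protos " in
            *" $p "*)
                echo "WARN: $p is enabled (SSLv2/3 and TLS 1.0/1.1 are deprecated, see RFC 8996)"
                findings=$((findings + 1)) ;;
        esac
    done
    # Legacy suites in the cipher string: 3DES, RC4, export, NULL, MD5
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*(DES-CBC3|RC4|EXP|NULL|MD5)' "$f"; then
        echo "WARN: ssl_ciphers still lists legacy ciphers (3DES/RC4/EXP/NULL/MD5)"
        findings=$((findings + 1))
    fi
    # OCSP stapling should be switched on
    if ! grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "WARN: ssl_stapling is not enabled"
        findings=$((findings + 1))
    fi
    # HSTS header should be present
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "WARN: no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi
    # Session tickets weaken forward secrecy unless the ticket key is rotated,
    # and nginx does not rotate its default key for you.
    if grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+on' "$f"; then
        echo "WARN: ssl_session_tickets is on"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage (path is an assumption):
#   audit_ssl_conf /etc/nginx/snippets/ssl.conf
```

Run against the snippet exactly as shown above, the script reports TLSv1, TLSv1.1 and the DES-CBC3 suites; after trimming those it reports nothing.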
 
Once the snippets are created, open the domain server block and include the letsencrypt.conf snippet as shown below:

/etc/nginx/conf.d/example.com.conf

server {
  listen 80;
  server_name example.com www.example.com;
  include snippets/letsencrypt.conf;
}

Reload the Nginx configuration for changes to take effect:

$ sudo systemctl reload nginx
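Before asking Let’s Encrypt for a certificate, it is worth confirming that the challenge path is really served from /var/lib/letsencrypt, because the webroot validation fails (and counts against rate limits) when it is not. The following pre-flight check is an added example, not part of the original tutorial: it writes a throwaway token under the challenge directory and fetches it through Nginx the same way the Let’s Encrypt validator would. It assumes the letsencrypt.conf snippet above is active, that curl is installed, and that the webroot is /var/lib/letsencrypt (overridable through the WEBROOT variable, which is an assumption of this script).

```bash
#!/usr/bin/env bash
# Pre-flight check for the certbot webroot plugin.
# Added example; not from the tutorial. Assumes nginx serves
# /.well-known/acme-challenge/ from $WEBROOT and that curl is installed.
set -u

WEBROOT="${WEBROOT:-/var/lib/letsencrypt}"

# Build the URL the Let's Encrypt validator fetches for a domain and token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Random, URL-safe token (32 hex characters) so the test file cannot collide.
make_token() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Write a throwaway token under the webroot and fetch it through nginx.
# Returns 0 when the body served matches what was written, 1 otherwise.
check_webroot() {
    local domain="$1" token body dir="$WEBROOT/.well-known/acme-challenge"
    token=$(make_token)
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    body=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" 2>/dev/null)
    rm -f "$dir/$token"           # never leave test files behind
    if [ "$body" = "$token" ]; then
        echo "OK: $domain serves the challenge path"
        return 0
    fi
    echo "FAIL: $domain did not return the token (got: '${body:-<empty>}')" >&2
    return 1
}

# Usage (run as root so the token can be written under the webroot):
#   sudo ./preflight.sh example.com www.example.com
for d in "$@"; do
    check_webroot "$d"
done
```

Run it once per name you will pass to certbot with -d; a FAIL for one of them usually means DNS points elsewhere or the server block for that name does not include the snippet.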

You can now run Certbot with the webroot plugin and obtain the SSL certificate files for your domain by issuing:

$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-06-11. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that you have the certificate files, you can edit your domain server block as follows:

/etc/nginx/conf.d/example.com.conf

server {
    listen 80;
    server_name www.example.com example.com;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;
    # . . . other code
}
With the configuration above we are forcing HTTPS and redirecting the www version to the non-www version.
 
Finally, reload the Nginx service for changes to take effect:
$ sudo systemctl reload nginx

Auto-renewing Let’s Encrypt SSL certificate

Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, we will create a cronjob which will run twice a day and will automatically renew any certificate 30 days before its expiration.
 
Run the crontab command to open the root user’s crontab:
$ sudo crontab -e

Paste the following line (a user crontab has no user field, so unlike an /etc/cron.d file the command follows the five time fields directly):

0 */12 * * * test -x /usr/bin/certbot && perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook "systemctl reload nginx"
Save and close the file. The random sleep of up to an hour spreads renewal requests so they do not all reach Let’s Encrypt at the same minute, and the renew hook reloads Nginx only when a certificate was actually renewed. The `! -d /run/systemd/system` guard that Debian’s packaged cron file carries is deliberately left out: RHEL 7 runs systemd, so with that guard the job would never call certbot.
 
To test the renewal process, you can use the certbot command followed by the --dry-run switch:
$ sudo certbot renew --dry-run

If there are no errors, it means that the test renewal process was successful.
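A dry run proves that renewal can work today; it does not tell you months later that the cron job silently stopped running. As an added example (not part of the original tutorial), the following script reads the deployed certificate and reports how many days remain, classifying the result against certbot’s 30-day renewal window. It assumes openssl and GNU date are installed and that certificates live under certbot’s default /etc/letsencrypt/live/<domain>/ path; the script name and the state labels are its own.

```bash
#!/usr/bin/env bash
# Expiry monitor for a Let's Encrypt certificate.
# Added example; not from the tutorial. Assumes openssl and GNU date.

# days_until NOTAFTER
# NOTAFTER is openssl's "notAfter=Jun 11 00:00:00 2018 GMT" (the prefix is
# optional). Prints the whole number of days from now, negative if expired.
days_until() {
    local when="${1#notAfter=}" end now
    end=$(date -d "$when" +%s) || return 1
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
}

# renewal_state DAYS
# certbot renews once fewer than 30 days remain, so a certificate that stays
# "due" across several 12-hourly cron runs means the job is broken.
renewal_state() {
    local d="$1"
    if [ "$d" -lt 0 ]; then
        echo expired
    elif [ "$d" -lt 30 ]; then
        echo due
    else
        echo ok
    fi
}

# check_cert DOMAIN
# Reads certbot's live certificate for DOMAIN and prints days left and state.
# Exit status is 0 only when the state is "ok" (2 when the file is unreadable).
check_cert() {
    local pem="/etc/letsencrypt/live/$1/fullchain.pem" notafter days state
    notafter=$(openssl x509 -enddate -noout -in "$pem") || return 2
    days=$(days_until "$notafter") || return 2
    state=$(renewal_state "$days")
    echo "$1: $days day(s) left ($state)"
    [ "$state" = ok ]
}

# Usage: ./check-cert.sh example.com
for d in "$@"; do
    check_cert "$d"
done
```

Running it from a daily cron entry (or from your monitoring system) and alerting on a non-zero exit turns a broken renewal job into a ticket with weeks of margin instead of an outage.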

Conclusion

In this tutorial, you used the Let’s Encrypt client, certbot, to obtain SSL certificates for your domain. You have also created Nginx snippets to avoid duplicating code and configured Nginx to use the certificates. At the end of the tutorial you set up a cron job for automatic certificate renewal.
 
If you want to know more about how to use Certbot, their documentation is a good starting point.
