Skip to content

Instantly share code, notes, and snippets.

@masasdani

masasdani/letsencrypt-nginx-centos.md

Last active May 26, 2021 13:00
Show Gist options
  • Star 9 You must be signed in to star a gist
  • Fork 8 You must be signed in to fork a gist
  • Save masasdani/7c94ffa8f66ede79f06a5525dceb05e3 to your computer and use it in GitHub Desktop.
Save masasdani/7c94ffa8f66ede79f06a5525dceb05e3 to your computer and use it in GitHub Desktop.
Download ZIP
letsencyript SSL nginx proxy centos 7
Raw
letsencrypt-nginx-centos.md

Install Letsencrypt Nginx Centos 7

install certbot

  sudo yum install epel-release
  sudo yum update
  sudo yum install certbot

install nginx

  sudo yum install nginx
  sudo systemctl start nginx

config firewall

if firewall exist on centos do :

  sudo firewall-cmd --permanent --add-service=http --add-service=https
  sudo firewall-cmd --reload
  sudo firewall-cmd --list-services
  dhcpv6-client http ssh https

create certbot

  sudo systemctl stop nginx
  sudo certbot certonly -d <domain_names>
  sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

update nginx config

  server {
     listen 80;
     server_name <domain-name>;
     return 301 https://$server_name$request_uri;
  }

  server {
      listen	 443 ssl;
      server_name  <domain-name>;

      ssl_certificate /etc/letsencrypt/live/<domain-name>/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/<domain-name>/privkey.pem;
      ssl_session_cache shared:SSL:1m;
      ssl_session_timeout  10m;
      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      ssl_dhparam /etc/ssl/certs/dhparam.pem;

      location / {
          proxy_set_header Host	   $host;
          proxy_set_header X-Real-IP  $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_pass http://localhost:8080;
      }

  }

update local connection permission on centos

  /usr/sbin/setsebool httpd_can_network_connect true

start nginx

  sudo systemctl start nginx

create SSL auto renew

letsencryst has an expired data, create renew script to auto renew

  sudo nano /etc/cron.daily/letsencrypt-renew

update script

  #!/bin/sh
  if certbot renew > /var/log/letsencrypt/renew.log 2>&1 ; then
     nginx -s reload
  fi
  exit

start update 2 times a day

  sudo chmod +x /etc/cron.daily/letsencrypt-renew
  01 02,14 * * * /etc/cron.daily/letsencrypt-renew

Manual renew

  sudo systemctl stop nginx
  certbot renew
@groggu
Copy link

groggu commented Sep 4, 2018

Question - if this script is in the /etc/cron.daily directory, why do you also have to schedule it twice a day?

@taoxuau
Copy link

taoxuau commented Jul 21, 2019

I have this script in the /etc/cron.daily directory, but it's not working until I found some PAM ERROR in /var/log/cron. Setting a new password for root can fix it. See https://scottlinux.com/2015/03/03/pam-error-authentication-token-is-no-longer-valid/ for more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment