This was done on CentOS 6, where prebuilt ‘certbot’ packages are not available. On CentOS 7, install ‘certbot’ from the EPEL repo.
cd ~root;
mkdir certbot;
wget https://dl.eff.org/certbot-auto;
chmod 755 certbot-auto;
./certbot-auto;
This installs packages, including gcc, which you may want to uninstall afterwards, as it’s bad practice to have compilers on an external-facing (public) Web server.
On my server I have a different configuration file for each server we’re proxying for. These are in /etc/nginx/conf.d/ and using a naming convention of:
domainname.domain.conf
For example, example.com would be:
example.com.conf
Edit your config file and add this after location / { … } :
location /.well-known {
    alias /tmp/static/.well-known;
}
Then:
mkdir /tmp/static/;
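Before running certbot, it is worth confirming that the alias above actually serves files from the webroot over plain HTTP, which is exactly what the http-01 validator will do (a failed challenge counts against Let’s Encrypt rate limits). The script below is an added example, not part of the original post: it plants a random token where certbot would and fetches it with curl after you have reloaded nginx with the new location block. The domain is taken from the first argument; the webroot defaults to /tmp/static/ as used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# nginx "location /.well-known { alias ...; }" plumbing before running
# certbot. Assumes curl is installed and nginx has been reloaded.

# URL the CA fetches for a given domain and challenge token.
acme_probe_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# File on disk that the alias maps that URL to (trailing slash tolerated).
acme_probe_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "${1%/}" "$2"
}

# Plant a random token under WEBROOT, fetch it via DOMAIN on port 80,
# compare, and clean up. Returns 0 when the round trip matches.
verify_webroot() {
    webroot=$1
    domain=$2
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    path=$(acme_probe_path "$webroot" "$token")
    mkdir -p "$(dirname "$path")" || return 1
    printf '%s' "$token" > "$path" || return 1
    # Short timeout; the simplest setup serves the file directly over HTTP.
    got=$(curl -s -m 5 "$(acme_probe_url "$domain" "$token")")
    rm -f "$path"
    if [ "$got" = "$token" ]; then
        echo "OK: $domain serves $webroot/.well-known over HTTP"
        return 0
    fi
    echo "FAIL: token not served; check the nginx alias and reload nginx" >&2
    return 1
}

# Usage: ./check-webroot.sh example.com [/path/to/webroot]
if [ -n "${1:-}" ]; then
    verify_webroot "${2:-/tmp/static/}" "$1"
fi
```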
Run certbot:
./certbot-auto certonly
Select option 2, enter your domain, then enter 1, then enter the path to the webroot as ‘/tmp/static/’.
How would you like to authenticate with the ACME CA?
——————————————————————————-
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
——————————————————————————-
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel):example.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Select the webroot for example.com:
——————————————————————————-
1: Enter a new webroot
——————————————————————————-
Press 1 [enter] to confirm the selection (press ‘c’ to cancel): /tmp/static/
** Invalid input **
Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1
Input the webroot for biogrids.org: (Enter ‘c’ to cancel):/tmp/static/
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/biogrids.org/fullchain.pem. Your cert will
expire on 2017-08-03. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
“certbot-auto renew”
– If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Then edit your site’s Nginx config to point to the certs, replacing example.com with your domain:
# using letsencrypt cert:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
Reload Nginx’s configuration:
service nginx reload
Or on systemd systems:
systemctl reload nginx.service