Let’s Encrypt Cert & Nginx (Using a Web Proxy) on Centos 6.x

This was done on Centos 6 where prebuilt ‘certbot’ packages are not available. On Centos 7, install ‘certbot’ from the EPEL repo.

cd ~root;
mkdir certbot;
wget https://dl.eff.org/certbot-auto;
chmod 755 certbot-auto;
./certbot-auto;

This installs packages, including gcc, which you may want to uninstall afterwards, as it’s bad practice to leave compilers on an external-facing (public) web server.

On my server I have a separate configuration file for each server we’re proxying for. These live in /etc/nginx/conf.d/ and follow the naming convention:

domainname.domain.conf

For example, example.com would be:

example.com.conf

Edit your config file and add this after location / { … } :

location /.well-known {
    alias /tmp/static/.well-known;
}

Then:

mkdir /tmp/static/;
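Before running certbot, it is worth confirming that nginx really serves files from the aliased directory over plain HTTP, because the http-01 challenge fails if the token is not reachable at that path. The script below is an added example, not part of the original post or of certbot; it assumes the alias above sits in the server block that answers HTTP for your domain, and that curl is installed.

```shell
#!/bin/sh
# Pre-flight check for the http-01 webroot challenge: drops a random token in
# WEBROOT/.well-known/acme-challenge/, fetches it back over plain HTTP the way
# the Let's Encrypt validator does, and compares the body with the token.
# Added example; assumes the nginx alias above is in place and curl is installed.

# fetch_url URL: prints the response body; fails on HTTP errors or timeouts.
fetch_url() {
    curl -fsS --max-time 10 "$1"
}

# check_challenge_path DOMAIN WEBROOT -> returns 0 if the path is served correctly
check_challenge_path() {
    domain="$1"
    webroot="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1

    # Random token, so a stale file from an earlier run cannot mask a failure.
    token="preflight-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$token" > "$dir/$token"

    rc=0
    body="$(fetch_url "http://$domain/.well-known/acme-challenge/$token")" || rc=$?
    rm -f "$dir/$token"

    if [ "$rc" -ne 0 ]; then
        echo "FAIL: $domain did not serve the challenge URL (alias, DNS or port 80?)" >&2
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "FAIL: body did not match the token (alias pointing elsewhere?)" >&2
        return 1
    fi
    echo "OK: $domain serves $dir over HTTP"
}

# Usage: sh check-acme-path.sh example.com [/tmp/static]
if [ "$#" -ge 1 ]; then
    check_challenge_path "$1" "${2:-/tmp/static}"
fi
```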

Run certbot:

./certbot-auto certonly

Select option 2, enter your domain, then enter 1, then enter the path to the webroot as ‘/tmp/static/’.

How would you like to authenticate with the ACME CA?

——————————————————————————-

1: Spin up a temporary webserver (standalone)

2: Place files in webroot directory (webroot)

——————————————————————————-

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2

Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’

to cancel):example.com

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for example.com

Select the webroot for example.com:

——————————————————————————-

1: Enter a new webroot

——————————————————————————-

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): /tmp/static/

** Invalid input **

Press 1 [enter] to confirm the selection (press ‘c’ to cancel): 1

Input the webroot for biogrids.org: (Enter ‘c’ to cancel):/tmp/static/

Waiting for verification…

Cleaning up challenges

IMPORTANT NOTES:

– Congratulations! Your certificate and chain have been saved at

/etc/letsencrypt/live/biogrids.org/fullchain.pem. Your cert will

expire on 2017-08-03. To obtain a new or tweaked version of this

certificate in the future, simply run certbot-auto again. To

non-interactively renew *all* of your certificates, run

“certbot-auto renew”

– If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate

Donating to EFF: https://eff.org/donate-le

Then edit your site’s Nginx config to point to the certs, replacing example.com with your domain:

# using letsencrypt cert:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Reload Nginx’s configuration:

service nginx reload

Or on systemd systems:

systemctl reload nginx.service
