The Certbot website explains every step very well for most Linux distributions and setups; you won't go wrong as long as you read the steps carefully: https://certbot.eff.org/
This post records those steps as applied to my Nginx web server running on CentOS 7, for my own notes.
Visit Certbot to get the instructions
Instructions for installing and running Certbot
- SSH into the server
SSH into the server running your HTTP website as a user with sudo privileges.
- Enable EPEL repo
You’ll need to enable the EPEL (Extra Packages for Enterprise Linux) repository.
Follow these instructions at the Fedora wiki to enable EPEL.
- Enable the optional channel
If you’re using RHEL or Oracle Linux, you’ll also need to enable the optional channel. On EC2, RHEL users can enable the optional channel by running the following command, substituting your EC2 region for REGION in the command:
- yum -y install yum-utils
- yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
- Install Certbot
Run this command on the command line on the machine to install Certbot.
sudo yum install certbot python2-certbot-nginx
- Choose how you’d like to run Certbot
- Either get and install your certificates…
Run this command to get a certificate and have Certbot edit your Nginx configuration automatically to serve it, turning on HTTPS access in a single step.
sudo certbot --nginx
- Or, just get a certificate
If you’re feeling more conservative and would like to make the changes to your Nginx configuration by hand, run this command.
sudo certbot certonly --nginx
- Set up automatic renewal
We recommend running the following line, which will add a cron job to the default crontab.
echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
- Confirm that Certbot worked
To confirm that your site is set up properly, visit https://yourwebsite.com/ in your browser and look for the lock icon in the URL bar. If you want to check that you have the top-of-the-line installation, you can head to https://www.ssllabs.com/ssltest/.
Before running Certbot to apply the certificate:
After applying the Certbot changes:
Output of running Certbot:
[root@centos7-docker-portainer docker2.51sec.org]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: docker2.51sec.org
2: docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for docker2.itprosec.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/docker2.itprosec.com.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Future versions of Certbot will automatically configure the webserver so that all requests redirect to secure HTTPS access. You can control this behavior and disable this warning with the --redirect and --no-redirect flags.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://docker2.itprosec.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=docker2.itprosec.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/docker2.itprosec.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/docker2.itprosec.com/privkey.pem
Your cert will expire on 2020-08-10. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
[root@centos7-docker-portainer docker2.51sec.org]#
Changes to the web site configuration file
Before Certbot installed the certificate on docker2.51sec.org:
[root@centos7-docker-portainer conf.d]# cat docker2.51sec.org.conf
server {
    listen 80;
    server_name docker2.51sec.org;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
After the SSL certificate was installed:
[root@centos7-docker-portainer conf.d]# cat docker2.51sec.org.conf
server {
    server_name docker2.51sec.org;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/docker2.51sec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docker2.51sec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = docker2.51sec.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name docker2.51sec.org;
    return 404; # managed by Certbot
}
[root@centos7-docker-portainer conf.d]#
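The two configs above are a convenient before/after pair for checking what the installer actually changed: the HTTPS listener, the certificate paths under /etc/letsencrypt/live/, the include of Certbot's TLS policy file, and the port-80 redirect. The script below is an added example, not part of the original post or of Certbot; it is a small nginx-config audit that parses server blocks and reports the plaintext listener in the "before" config and a clean result for the "after" config. The embedded configs are constructed copies of the ones shown above (proxy headers abridged), and the finding strings and the /etc/letsencrypt/live/ path check are my own conventions, not anything Certbot emits.

```python
"""Audit nginx server blocks for the TLS settings Certbot's --nginx installer writes."""
import re

# Constructed input: the "before" and "after" site configs from the post, abridged.
BEFORE_CONF = """
server {
    listen 80;
    server_name docker2.51sec.org;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Connection "upgrade";
    }
}
"""

AFTER_CONF = """
server {
    server_name docker2.51sec.org;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Connection "upgrade";
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/docker2.51sec.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/docker2.51sec.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = docker2.51sec.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name docker2.51sec.org;
    return 404; # managed by Certbot
}
"""

# Tokens: comments, quoted strings, the three structural characters, bare words.
TOKEN_RE = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
REDIRECT_CODES = ("301", "302", "307", "308")


def tokenize(text):
    """Yield nginx tokens, dropping comments such as '# managed by Certbot'."""
    for m in TOKEN_RE.finditer(text):
        if not m.group(0).startswith("#"):
            yield m.group(0)


def parse(tokens):
    """Return a list of (name, args, children); children is None for simple directives.

    `tokens` is a shared iterator, so the recursive call consumes the nested block."""
    block, args = [], []
    for tok in tokens:
        if tok == ";":
            block.append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            block.append((args[0], args[1:], parse(tokens)))
            args = []
        elif tok == "}":
            return block
        else:
            args.append(tok)
    return block


def flatten(block):
    """Yield (name, args) for every directive, descending into if/location blocks."""
    for name, args, children in block:
        yield name, args
        if children is not None:
            yield from flatten(children)


def audit_server(children):
    """Return findings (strings) for one server block; an empty list means clean."""
    top = [(n, a) for n, a, _ in children]
    nested = list(flatten(children))
    port = lambda a: a[0].rsplit(":", 1)[-1] if a else ""
    listens = [a for n, a in top if n == "listen"]
    plain = [a for a in listens if "ssl" not in a and port(a) == "80"]
    tls = [a for a in listens if "ssl" in a or port(a) == "443"]
    redirects = [a for n, a in nested if n == "return" and len(a) >= 2
                 and a[0] in REDIRECT_CODES and a[1].startswith("https://")]
    findings = []
    if plain and not tls and not redirects:
        findings.append("HTTP listener without redirect to HTTPS")
    if tls:
        certs = [a for n, a in top if n == "ssl_certificate"]
        keys = [a for n, a in top if n == "ssl_certificate_key"]
        if not certs or not keys:
            findings.append("TLS listener without ssl_certificate/ssl_certificate_key")
        # live/ holds symlinks to the newest archive/ files; a hard-coded archive path
        # keeps serving the old certificate after `certbot renew`.
        for a in certs + keys:
            if a and not a[0].startswith("/etc/letsencrypt/live/"):
                findings.append(f"{a[0]} is not under /etc/letsencrypt/live/")
        policy = any(n == "ssl_protocols" for n, _ in top) or any(
            n == "include" and a and a[0].endswith("options-ssl-nginx.conf") for n, a in top)
        if not policy:
            findings.append("TLS listener without ssl_protocols or options-ssl-nginx.conf include")
    return findings


def audit(conf_text):
    """Audit every server block; returns {first server_name: [findings]}."""
    report = {}
    for name, _, children in parse(tokenize(conf_text)):
        if name != "server" or children is None:
            continue
        key = next((a[0] for n, a, _ in children if n == "server_name" and a), "<no server_name>")
        report.setdefault(key, []).extend(audit_server(children))
    return report


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(label, audit(conf))
```

Run it against any site file (`audit(open(path).read())`) after Certbot has edited it; the same checks apply to the "No redirect" choice shown in the Certbot output above, where the port-80 block is left serving plaintext and the audit would report it.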
The certificates are stored under /etc/letsencrypt/:
[root@centos7-docker-portainer /]# cd /etc/letsencrypt/
[root@centos7-docker-portainer letsencrypt]# ls
accounts  archive  csr  keys  live  options-ssl-nginx.conf  renewal  renewal-hooks  ssl-dhparams.pem
[root@centos7-docker-portainer letsencrypt]# cd archive/
[root@centos7-docker-portainer archive]# ls
docker2.51sec.org
[root@centos7-docker-portainer archive]# cd docker2.51sec.org/
[root@centos7-docker-portainer docker2.51sec.org]# ls
cert1.pem  chain1.pem  fullchain1.pem  privkey1.pem
[root@centos7-docker-portainer docker2.51sec.org]# cd ../../live
[root@centos7-docker-portainer live]# ls
docker2.51sec.org  README
[root@centos7-docker-portainer live]# cd docker2.51sec.org/
[root@centos7-docker-portainer docker2.51sec.org]# ls
cert.pem  chain.pem  fullchain.pem  privkey.pem  README
[root@centos7-docker-portainer docker2.51sec.org]#