
Setting Up SSL/TLS on Nginx in CentOS 8

How to Secure Nginx on CentOS 8 with a Free SSL/TLS Certificate

In today’s digital landscape, securing your website isn’t just an option—it’s a necessity. An SSL/TLS certificate encrypts the connection between your server and your visitors, protecting sensitive data, building user trust, and even boosting your search engine rankings. If you’re running a web server with Nginx on CentOS 8, you can implement robust security for free using Let’s Encrypt.

This guide will walk you through the entire process of setting up a free, auto-renewing SSL/TLS certificate on your Nginx server.

Prerequisites

Before you begin, ensure you have the following in place:

  • A running CentOS 8 server with a non-root user that has sudo privileges.
  • Nginx installed and configured.
  • A registered domain name (e.g., yourdomain.com) with DNS A records pointing to your server’s public IP address. This is crucial for the validation process.
  • Your server’s firewall configured to allow both HTTP (port 80) and HTTPS (port 443) traffic. You can enable this with the following commands:
    sudo firewall-cmd --permanent --add-service=http
    sudo firewall-cmd --permanent --add-service=https
    sudo firewall-cmd --reload

Step 1: Install the Certbot Client

The easiest way to obtain and manage Let’s Encrypt certificates is by using Certbot. This client automates the process of fetching, deploying, and renewing SSL/TLS certificates.

To install Certbot and its Nginx plugin on CentOS 8, use the dnf package manager:

sudo dnf install certbot python3-certbot-nginx

This command installs both the core Certbot application and the specific plugin that allows it to automatically configure Nginx.

Step 2: Obtain Your SSL/TLS Certificate

With Certbot installed, you can now request a certificate for your domain. The Nginx plugin makes this incredibly straightforward.

Run the following command, replacing yourdomain.com and www.yourdomain.com with your actual domain names:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

This command tells Certbot to use the Nginx plugin (--nginx), and to issue a certificate that covers both the root domain and the www subdomain.

Certbot will guide you through a few simple questions:

  1. Enter your email address: This is used for urgent renewal notices and security alerts.
  2. Agree to the Terms of Service: You must agree to proceed.
  3. Share your email (optional): You can choose whether to share your email with the Electronic Frontier Foundation (EFF).

After you’ve answered these prompts, Certbot will communicate with the Let’s Encrypt servers to verify that you control the domain. Once verification is complete, it will ask how you want to handle HTTP traffic.

You will be presented with two choices:

  1. No redirect: Keep HTTP traffic as it is.
  2. Redirect: Automatically redirect all HTTP requests to HTTPS.

For maximum security and SEO benefits, we strongly recommend choosing the redirect option. This ensures all visitors use a secure connection.

After you make your choice, Certbot will automatically update your Nginx server block configuration, install the certificate, and reload Nginx to apply the changes. You should see a confirmation message indicating that your site is now successfully secured.

Step 3: Verify Automatic Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. To save you the trouble of manual renewals, the Certbot package automatically creates a systemd timer or cron job that runs twice a day. This job checks for any certificates that are due to expire within the next 30 days and renews them.

You can verify that the auto-renewal process is working correctly by performing a “dry run”:

sudo certbot renew --dry-run

If the command completes without any errors, your automatic renewal setup is fully functional. You won’t need to take any further action, as Certbot will handle the renewals silently in the background.
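The renewal job described above simply asks whether each certificate is due to expire within 30 days. The script below, an added example that is not part of the original tutorial, reproduces that test with openssl so you can check a certificate file by hand or from a monitoring job. The self-signed certificates it generates are constructed demo data; on a real host you would point the check at /etc/letsencrypt/live/yourdomain.com/fullchain.pem, the path the guide's configuration uses.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: reproduce the expiry test
# behind Certbot's renewal job ("due within 30 days") with openssl.
# The self-signed certificates generated below are constructed demo data;
# on a real host point the check at /etc/letsencrypt/live/<domain>/fullchain.pem.

# expires_within_days CERT_FILE DAYS -> exit 0 if the certificate expires
# within DAYS days, 1 otherwise. "openssl x509 -checkend N" exits 0 only when
# the certificate is still valid N seconds from now, so the result is inverted.
# A missing or unreadable file also counts as "expiring", which is the safe side.
expires_within_days() {
    if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renewal_status CERT_FILE -> prints "renew" or "ok" using the 30-day window
# the guide describes.
renewal_status() {
    if expires_within_days "$1" 30; then
        echo "renew"
    else
        echo "ok"
    fi
}

# make_demo_cert OUT_FILE DAYS: throwaway self-signed certificate valid for
# DAYS days (constructed test data; the private key is discarded).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=demo.example" -keyout "$1.key" -out "$1" 2>/dev/null \
        && rm -f "$1.key"
}

# Stand-alone demo: one certificate inside the renewal window, one outside it.
tmp=$(mktemp -d)
make_demo_cert "$tmp/short.pem" 20
make_demo_cert "$tmp/long.pem" 60
echo "short.pem (20 days left): $(renewal_status "$tmp/short.pem")"   # renew
echo "long.pem  (60 days left): $(renewal_status "$tmp/long.pem")"    # ok
rm -rf "$tmp"
```

A renewed certificate only helps once Nginx has loaded it. When Certbot was run with the Nginx plugin it reloads Nginx after a successful renewal itself; if you ever renew with a different authenticator, pass `--deploy-hook 'systemctl reload nginx'` to `certbot renew` so the new certificate is picked up.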

Step 4: Enhancing Security with Stronger Settings

Certbot provides a solid default configuration, but you can harden the key exchange further by generating a stronger Diffie-Hellman (DH) group. A larger group strengthens the ephemeral DH (DHE) key exchange, the mechanism that gives each connection Perfect Forward Secrecy.

Generate a 2048-bit DH file with the following command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Note: This process can take a few minutes.

Next, open your Nginx server block configuration file (usually located in /etc/nginx/conf.d/ or /etc/nginx/sites-available/). Add the following line inside the server block that contains your SSL settings:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Your final SSL-related configuration in the server block should look something like this:

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/certs/dhparam.pem; # Our new DH param file

    # ... rest of your server configuration
}

Before applying the changes, always test your Nginx configuration for syntax errors:

sudo nginx -t

If the test is successful, reload Nginx to apply the new, more secure settings:

sudo systemctl reload nginx
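`nginx -t` only proves the file parses; it does not tell you whether the redirect chosen in Step 2 or the directives added in Step 4 are actually present. The script below, an added example that is not part of the original tutorial, audits a server-block file for exactly those settings and flags a hand-written `ssl_protocols` line that would re-enable TLS 1.0 or 1.1 behind Certbot's back. The two sample configurations it embeds are constructed for the demonstration; the "good" one shows the HTTP-to-HTTPS redirect block alongside the HTTPS block from the guide. One caveat worth knowing before you rely on `ssl_dhparam`: Nginx uses that file only for DHE cipher suites, so it has no effect on ECDHE suites or on TLS 1.3.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit an Nginx
# server-block file for the settings this guide ends up with (Step 2's
# HTTP-to-HTTPS redirect and Step 4's certificate, options and ssl_dhparam
# lines). The two sample configurations below are constructed for the demo.

# check_tls_config FILE
# Prints one line per problem and returns 1 if any were found; returns 0
# when every directive the guide's final configuration relies on is present.
check_tls_config() {
    f="$1"
    rc=0
    # Fixed-string matches, so the check is insensitive to indentation.
    for needle in \
        'listen 443 ssl' \
        'ssl_certificate ' \
        'ssl_certificate_key ' \
        'ssl_dhparam ' \
        'return 301 https://'
    do
        if ! grep -qF -- "$needle" "$f"; then
            echo "missing: $needle"
            rc=1
        fi
    done
    # Certbot's options-ssl-nginx.conf sets ssl_protocols; a hand-written
    # ssl_protocols line that still lists TLSv1 or TLSv1.1 undoes that.
    # Comment lines are dropped before matching.
    if grep -vE '^[[:space:]]*#' "$f" \
        | grep -qE 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
        echo "weak: TLS 1.0/1.1 still enabled"
        rc=1
    fi
    return $rc
}

# Constructed "good" configuration: the HTTP block redirects, the HTTPS block
# carries the certificate, Certbot's shared options and the DH parameters.
good_config() {
cat <<'EOF'
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
}
EOF
}

# Constructed "bad" configuration: no redirect, no DH parameters, and a
# hand-written ssl_protocols line that re-enables TLS 1.0 and 1.1.
bad_config() {
cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Stand-alone demo: write both samples to temporary files and audit them.
tmp=$(mktemp -d)
good_config > "$tmp/good.conf"
bad_config > "$tmp/bad.conf"
check_tls_config "$tmp/good.conf" && echo "good.conf: OK"
check_tls_config "$tmp/bad.conf" || echo "bad.conf: problems found"
rm -rf "$tmp"
```

To audit a live server block, call `check_tls_config /etc/nginx/conf.d/yourdomain.conf` (or whichever file Certbot edited) after `nginx -t` passes and before the reload.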

Final Step: Test Your Configuration

Your server is now secured with a trusted SSL/TLS certificate. To confirm everything is working and to get a detailed security report, visit the Qualys SSL Labs SSL Server Test and enter your domain name. A properly configured server should achieve an A or A+ rating, giving you confidence in your website’s security posture.

By following these steps, you have successfully fortified your Nginx server, protecting your data and your users while improving your site’s credibility and search engine visibility.

Source: https://kifarunix.com/configure-nginx-with-ssl-tls-certificates-on-centos-8/
