fbpx

NGINX / Security / Uncategorized

Free Lifetime SSL for NGINX using LetsEncrypt, without downtime

by , , revisited on


We have by far the largest RPM repository with NGINX module packages and VMODs for Varnish. If you want to install NGINX, Varnish, and lots of useful performance/security software with smooth yum upgrades for production use, this is the repository for you.
Active subscription is required.

Let’s Encrypt is the most popular free SSL certificate provider.
Their certificates work just as well as the commercial ones, and moreover, they can be issued instantly on your server, helping you avoid the unnecessary hassle of CSR generations and other related routines.

You can use the command line to install a free lifetime SSL certificate from Let’s Encrypt on a CentOS or Red Hat Enterprise Linux (RHEL) system.
With the help of Cloudflare as the DNS provider and certbot’s Cloudflare DNS plugin, this task is quite straightforward.

Here is a step-by-step guide to help you through the process of generating a free SSL certificate without any downtime.
For this guide, we assume that you run NGINX as your webserver of choice.

Install the certbot package

First, you will need to install the certbot package, which is used to interact with the Let’s Encrypt API and fetches generated certificates onto your server.
On CentOS/RHEL, this package is part of the EPEL repository. You can ensure it is set up on your system by running:

sudo yum -y install epel-release

Now you can install the certbot itself by running the following command:

sudo yum -y install certbot

Install the DNS validation plugin

When you generate LetsEncrypt certificates on your server, you must verify domain ownership.
This can be done through the command line as well. There are various DNS providers which integrate quite well with the certbot.
Cloudflare is one example of those.

So in this next step, you will need to install the Cloudflare DNS plugin for certbot, which is used to verify domain ownership through Cloudflare API and DNS.
You can do this by running the following command:

sudo yum -y install python3-certbot-dns-cloudflare

Next, you will need to create a Cloudflare API token with the “DNS” permission, you can find this under the API section of your Cloudflare account.

Setting up Cloudflare API credentials

To validate the domain ownership the certbot plugin uses Cloudflare API.
It is recommended to set up and use an API token for this.

  • Log in to your Cloudflare account, then proceed to the API Tokens page.
  • Click “Create Token” button, then choose “Edit zone DNS” and click the “Use template” button.
  • The Token needed by Certbot requires Zone:DNS:Edit permissions for only the domains you need certificates for

Copy the token somewhere because it is displayed only once.

After this, create the credentials file on your server, at /root/.cloudflare.ini with the contents:

# Cloudflare API token used by Certbot
dns_cloudflare_api_token = xxxxxxxxxxxxxxx

Where xxxxxxxxxxxxxxx is your Cloudflare API token.

Generating the certificate

Now you can run certbot to request a new SSL certificate using the Cloudflare DNS plugin.

In this example, we will be requesting a certificate for the domain example.com, from LetsEncrypt.
There are other TLS providers that certbot supports, for example, ZeroSSL. However they do not support DNS-based validation.
So unless you have a specific reason to use ZeroSSL (support old TLS clients), stick to LetsEncrypt.

As the root user, run:

certbot --dns-cloudflare --dns-cloudflare-credentials ~/.cloudflare.ini -d example.com,www.example.com --email name@example.com --non-interactive --agree-tos --deploy-hook '/usr/bin/systemctl reload nginx' certonly

Be sure to replace name@example.com with your actual email address, as well as specify your domain accordingly instead of example.com.
Note how we specify both non-www and www domains in our command.

After certbot has verified your domain, it will fetch the generated certificates for you, and output the location of the new SSL certificate on your server.
The certificate and private key will typically be located in /etc/letsencrypt/live/example.com/.

Configure NGINX with your new SSL certificate

You can configure your web server to use the new SSL certificate by modifying the appropriate configuration file.
For NGINX, you would need to edit the server configuration file for your domain and specify the locations of the new SSL certificate and private key.

For example, edit /etc/nginx/sites-available/example.com.conf and add the certificate paths:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_certificate /etc/letsencrypt/live/getpagespeed.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/getpagespeed.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/getpagespeed.com/chain.pem;
    ...
}

As you can see from the above configuration, we have also enabled the SSL stapling feature, which provides a performance boost.
It allows NGINX to directly provide certificate revocation status to clients.

Apply the certificate

The process of applying the certificate involves testing your NGINX configuration for being able to load it.
The standard way to test your NGINX configuration is simply to run nginx -t and watch out for any errors.
Note that nginx -t alone does not affect your website downtime, so you can continuously fix any outstanding issues from the output, until receiving no errors.

Finally, you can apply your new NGINX configuration, and load the new certificate by running:

sudo systemctl reload nginx

Automatic renewals

The SSL certificate issued by Let’s Encrypt is valid for 90 days, but you can use certbot‘s built-in renewal feature to automatically renew the certificate before it expires.

systemctl enable certbot-renew.timer
systemctl start certbot-renew.timer

Since the renewal process is completely seamless for website visitors and has no downtime, the certificates are essentially valid for a lifetime, and you no longer need to purchase or renew anything manually.

To recap, by using certbot Cloudflare DNS plugin, you don’t have to stop your web server to verify domain ownership as the plugin will add the necessary TXT record to your Cloudflare DNS, so that you can get the SSL certificate without any downtime.

By following the above steps, you should now have a fully functioning SSL certificate installed on your web server, and you can be confident that your website is secure and protected.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.