How to Install Let’s Encrypt SSL for NGINX on Rocky Linux 8

Security is one of the top-of-mind concerns for website owners, more especially, if you are running an eCommerce store or a site that accepts users’ confidential information such as usernames and passwords. The plain HTTP protocol is insecure as data is sent in plain text and hackers can eavesdrop on the communication sent to and from the web server.

To overcome this risk, it’s recommended to secure a web server using a TLS/SSL certificate. This is a cryptographic digital certificate that encrypts your web server and ensures data exchanged with the webserver is encrypted.

Let’s Encrypt SSL certificate is a digital certificate provided by Let’s Encrypt CA ( Certificate Authority) to secure a web server. It’s a free TLS/SSL certificate that is valid for only 90 days, whereupon renewal is required before expiry. It’s beneficial for startups or individuals who cannot afford a premium SSL certificate for their blogs or websites.

In this guide, we will demonstrate how you can install the Let’s Encrypt SSL/TLS certificate for NGINX on Rocky Linux 8

What you need

First, ensure you have an instance of Rocky Linux 8 server on the cloud or on premise and already configured with a sudo user.

Next, ensure that you have a Fully Qualified Domain Name (FQDN ) pointing to your server’s public IP. To achieve this, head over to your domain registrar, and in the DNS settings, configure the A record to point the domain name to the server’s Public IP. Below is a snippet of my A record.

For this guide, we are using the domain name linuxtechgeek.info which is pointing to the server’s IP address 34.134.239.201.

Domain-DNS-Record-Linux

With that out of the way, let us get started!

Step 1)  Install Nginx Web Server

We start off with the installation of Nginx webserver on Rocky 8. But first, let’s upgrade the system package and update the repositories.

$ sudo dnf update

The update can take a while, so be patient until it completes.

Once the upgrade is complete, reboot the system once and then install nginx webserver as follows:

$ sudo dnf install nginx

Install-nginx-on-rocky-linux8

By default, nginx doesn’t start automatically. So, go the extra mile and start the nginx service.

$ sudo systemctl start nginx

Next, enable the webserver to start on boot time or upon a reboot.

$ sudo systemctl enable nginx

The webserver should now be running as expected and listening on port 80. You can confirm this by running the command

$ sudo systemctl status nginx

Nginx-Service-Status-Rocky-Linux8

You can also verify this from a web browser. But first, allow HTTP traffic (both HTTP & HTTPS) on the firewall by running the commands shown

$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --add-service=https --permanent

Then reload the firewall to effect the changes.

$ sudo firewall-cmd --reload

Then browse your server’s IP address or domain name

http://domain_name

Nginx-default-page-rocky-linux

Step 2)  Create a Document root for the domain

We are done installing the webserver. The next step is to create a directory that will accommodate the domain’s files. We will create the domain’s directory in the linuxtechgeek.info path as shown using the mkdir command

$ sudo mkdir -p /var/www/linuxtechgeek.info/html

The domain’s document root is where you would find the website files including HTML, CSS, JavaScript, and images. For purposes of demonstration, we are going to create a simple index.html file.

$ sudo vi /var/www/linuxtechgeek.info/html/index.html

Next, paste the following sample HTML code and save the changes.

<!DOCTYPE html>
<html>
    <head>
        <title>Welcome to linuxtechgeek.info</title>
    </head>
    <body>
  <h1>Hey Guys! Our Nginx server block is working.</h1>
    </body>
</html>

Next, use chown command to set the ownership of the domain’s directory as follows to avert getting permissions problems.

$ sudo chown -R nginx /var/www/linuxtechgeek.info/

Next, set the permissions such that group and global users have read and execute rights to the domain’s files.

$ sudo chmod -R 755 /var/www/linuxtechgeek.info/

We are done configuring the document root for the domain and setting the right ownership and permissions. Let’s proceed and configure the Server block file.

Step 3)  Create Nginx Server Block

A Nginx server block is the equivalent of an apache virtualhost. The server block is where you define the site’s settings and tell the nginx webserver where to locate the domain’s files.

The server block configuration file is created in the /etc/nginx/conf.d directory. We will create ours in the same directory as follows.

$ sudo vi /etc/nginx/conf.d/linuxtechgeek.info.conf

Copy and paste the following lines. Be sure to substitute the linuxtechgeek.info domain name with your own domain.

server {
    listen 80;
    server_name linuxtechgeek.info www.linuxtechgeek.info;
    root /var/www/linuxtechgeek.info/html;
    index index.php index.html index.htm;
    access_log /var/log/nginx/linuxtechgeek.info.access.log;
    error_log /var/log/nginx/linuxtechgeek.info.error.log;
}

Save the changes and exit the server block file.

Then confirm that all the Nginx configurations are okay. If all is well, you should get the output displayed.

$ sudo nginx -t

Nginx-t-command-output-rocky-linux

For Nginx to be aware of all the changes including the domain’s document root and the server block file, restart the webserver.

$ sudo systemctl restart nginx

Then confirm the running status of Nginx.

$ sudo systemctl status nginx

Next, set SELinux to permissive mode using the command:

$ sudo setenforce permissive

To confirm that it is set to permissive mode, run the command:

$ sudo getenforce

Set-SELinux-Permissive-Mode-Rocky-Linux

Run below sed command to permanently set the selinux mode as permissive.

$ sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux

To confirm that the server block file has been correctly configured, once again, browse your domain name.

http://domain_name

You should get a positive confirmation as shown below.

Nginx-Customize-Web-Page-Rocky-Linux

Step 4)  Install Certbot

The only step left is to install Let’s Encrypt and secure the Nginx webserver. However, to accomplish this, we need to install certbot. Written in Python and developed by the Electronic Frontier Foundation, Certbot is a fully featured client for the Let’s Encrypt CA. It is run on the webserver and allows you to automatically set up an SSL certificate for your webserver in a single command.

First, install the EPEL repository which provides additional and high-quality packages for RHEL-based distros.

$ sudo dnf install -y epel-release

Once installed, install certbot and certbot module for Nginx.

$ sudo dnf install certbot python3-certbot-nginx

This installs certbot, certbot module for Nginx host of other packages and dependencies.

Install-Certbot-with-dnf-command-rocky-linux

Step 4)  Install Let’s Encrypt SSL/TLS certificate

Finally, run the certbot client to install the SSL certificate

$ sudo certbot --nginx

This takes you through a series of prompts. First, provide the email address that will be used by EFF to send you renewal and security updates. Then accept the Terms of service by pressing ‘Y’. If you desire, you can press ‘Y’ to allows EFF to send you regular updates concerning their efforts in securing the web, news, and campaigns.  Finally, select the domain names to encrypt. In our case, we pressed the ‘ENTER’ button to select all the domain names.

Certbot will fetch the SSL/TLS certificate and deploy it for the domain names specified. This enables HTTPS protocol for your domain, in effect encrypting traffic exchanged with the webserver.

Certbot-nginx-Rocky-Linux

To confirm that HTTPS has been enabled, head back to your browser and reload it. This time around, you will notice a padlock icon at the URL bar – an indication that the site is encrypted.

Nginx-over-https-Rocky-Linux

Click on the icon and then select ‘Certificate’.

Show-SSL-Certificate-Web-Page

This displays the certificate details as provided

SSL-Certificate-Details-Web-Page

Further, you can test the status of your webserver at SSL Labs which is a site that carries out a deep analysis of a web server over the internet. You should get an A rating as shown.

Check-SSL-Certificate-Grade

Step 5) Managing the SSL certificate renewal

Let’s Encrypt certificate is valid for 90 days, however, Let’s encrypt recommends that you renew the certificate every 60 days. Email notifications will be sent to you the last 20 days to expiry with the frequency going up the last 10 days.

You can manually renew the certificate as follows.

$ sudo certbot renew

Thankfully, you can automate the renewal, by adding a new cron job. So, open the crontab file.

$ crontab -e

And add the line shown. Save the changes and exit.

0 0 * * * /usr/bin/certbot renew > /dev/null 2>&1

That’s all. Thank you for coming this far. We have demonstrated how you can install the Let’s Encrypt SSL certificate for Nginx on Rocky Linux 8.

Also Read: How to Setup Highly Available NGINX with KeepAlived in Linux

Posted by WordPress Guru