How to use a free SSL certificate issued by Let's Encrypt permanently and configure nginx to upgrade a website from insecure HTTP to secure HTTPS

Time:2022-1-11

If your site needs HTTPS, whether for security or because a WeChat Mini Program requires it, and you don't want to pay thousands a year for a commercial SSL certificate, the free certificates issued by Let's Encrypt are a good choice. This post walks through installing the certbot client, issuing a certificate, configuring nginx to serve HTTPS and redirect HTTP, and setting up automatic renewal so the certificate stays valid indefinitely at no cost.

1、 Preparatory work

Before installing anything, open port 443 in the firewall. Port 80 must stay open as well: the HTTP-01 challenge that Let's Encrypt uses to validate the domain below always connects to port 80.

#View the ports that are currently open
firewall-cmd --zone=public --list-ports 
#80/tcp 3306/tcp
#If 443 is missing, add it (--permanent makes the rule survive a reboot)
firewall-cmd --zone=public --add-port=443/tcp --permanent
#Reload the firewall so the permanent rule takes effect
firewall-cmd --reload
#Check again: 443 is now listed and the preparation is complete
firewall-cmd --zone=public --list-ports 
#80/tcp 3306/tcp 443/tcp

2、 Installation configuration

1. Install certbot. Certbot is the ACME client recommended by Let's Encrypt and can renew certificates automatically. On CentOS/RHEL it is packaged in the EPEL repository, so enable EPEL first if yum cannot find it.

yum install certbot -y

2. Generate certificate

2.1 Standalone mode: use this when you don't know (or don't have) a web root. Certbot starts its own temporary web server on port 80 to answer the HTTP-01 challenge, so nginx must be stopped first and started again afterwards. The site is briefly unavailable while this runs.

#Stop nginx first so certbot can bind port 80
sudo nginx -s stop
#Issue the certificate; replace both names with your own domain
certbot certonly --standalone -d domain.com -d www.domain.com
#Start nginx again
sudo nginx

2.2 Webroot mode: use this when you know the document root of the site. Certbot writes the challenge file under <root>/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain HTTP, so nginx must serve that path on port 80 from the directory you give here. nginx keeps running, which also makes this the mode that works best for unattended renewal later.

#The document root here is /var/www/domain
certbot certonly --webroot -w /var/www/domain -d domain.com -d www.domain.com

If all goes well the certificate is issued and placed under /etc/letsencrypt/live/domain.com/: fullchain.pem (the server certificate followed by the intermediate chain, which is what nginx must serve) and privkey.pem (the private key; keep it readable by root only). The files in live/ are symlinks to the newest version in /etc/letsencrypt/archive/, so point nginx at the live/ paths and every renewal will update them in place.

3. Configure nginx

#In the original server block for port 80, change server_name to your domain, move the location / and location /api/ blocks out (they go into the port-443 server below) and leave only the ACME challenge path and the redirect
    server {
        listen       80;
        listen       [::]:80;
        server_name www.domain.com domain.com;

        # Keep the Let's Encrypt HTTP-01 challenge path reachable over plain HTTP
        # so that "certbot renew --webroot" keeps working after everything else
        # is redirected. The redirect has to live in "location /" rather than at
        # server level: a server-level "return" runs before location matching
        # and would swallow the challenge requests as well.
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/domain;
        }

        # HSTS is NOT set here: browsers ignore Strict-Transport-Security on a
        # plain-HTTP response (RFC 6797), so it belongs in the 443 server block.
        location / {
            return 301 https://$server_name$request_uri;  # Redirect to HTTPS
        }
    }

#Add a server block for port 443 and adjust it to your domain. Copy the location / and location /api/ blocks from the original port-80 server into it
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.domain.com domain.com;
        root /var/www/domain;

        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996): offer only 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        # ECDHE-only AEAD suites. The original list mixed RC4 and CBC suites in
        # and then tried to exclude them again; RC4 is prohibited outright
        # (RFC 7465), so the list is reduced to forward-secret AEAD ciphers.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 60m;
        # Session tickets would let a single long-lived key undo forward secrecy.
        ssl_session_tickets off;

        # HSTS goes on the HTTPS response. Start with a short max-age until you
        # are sure every host covered by the policy works over HTTPS; "always"
        # adds the headers to error responses too.
        add_header Strict-Transport-Security "max-age=15768000" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        # Note: nginx does not inherit add_header into a location that sets
        # its own add_header, so repeat these there if you add any.

        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            # Tell the backend the original scheme so it generates https:// URLs
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Nginx-Proxy true;
            proxy_cache_bypass $http_upgrade;
            # Reverse proxy to the Nuxt app; assumes an "upstream nuxtapp { ... }"
            # block is defined elsewhere in the nginx configuration
            proxy_pass http://nuxtapp;
        }

        location /api/ {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

4. Reload nginx

Test the configuration first; a reload with a syntax error is rejected and leaves the old configuration running, but on a full restart nginx would refuse to start at all.

sudo nginx -t
sudo nginx -s reload

Refresh the page: the site is now served over HTTPS and plain-HTTP requests are redirected.

5. One step remains. Let's Encrypt certificates are valid for 90 days, so certbot must renew them automatically. Use cron for this (first check "systemctl list-timers" for a certbot timer that the package may already have installed; if one exists, skip the cron entry).

#Open the crontab editor
crontab -e
#Press i to enter insert mode and add the line below. It runs "certbot renew" at 03:00 and 15:00 every day; certbot only renews certificates that expire within 30 days, so running it often is cheap and gives many chances to recover from a failed attempt. --deploy-hook runs only when a certificate was actually renewed.
0 3,15 * * * certbot renew --quiet --deploy-hook "nginx -s reload"
#Press Esc, then type :wq and Enter to save and quit
:wq

Two corrections to the cron line that originally appeared here, "0 0 3 * * certbot renew --force-renew ...": the fields are minute, hour, day-of-month, month and weekday, so that entry ran at midnight on the 3rd of each month rather than at 3 a.m. on the 1st, and once a month is too rare if a run fails. More importantly, do not pass --force-renewal: it re-issues the certificate on every run regardless of expiry, which is pointless and quickly exhausts the Let's Encrypt duplicate-certificate rate limit (5 per week per set of names).

If the certificate was issued with --standalone (2.1), renewal uses the same method and will fail because nginx now holds port 80. Either re-issue it with --webroot (2.2), which the port-80 server block above is set up for, or stop and start nginx around the renewal: certbot renew --quiet --pre-hook "nginx -s stop" --post-hook "nginx". The hooks only run when a certificate is actually due, but each renewal then costs a short outage.
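The renewal decision and the reload hook from this step, as an added example that is not part of the original article: a POSIX shell script that reproduces certbot's "renew only when fewer than 30 days remain" rule with openssl, so you can check on your own certificate why --force-renewal is unnecessary, plus a deploy hook that validates the nginx configuration before reloading so a broken edit never takes the site down. The certificate paths are placeholders, and make_test_cert produces constructed self-signed certificates purely so the script can run offline; it is not a substitute for certbot.

```shell
#!/bin/sh
# Added example, not from the original article.
#   needs_renewal  - the "renew when fewer than 30 days remain" rule that
#                    "certbot renew" applies, implemented with openssl
#   safe_reload    - a deploy hook that refuses to reload nginx on a broken
#                    configuration
# Assumptions: any certificate path passed in is hypothetical; the
# self-signed certificates from make_test_cert are constructed test input.

RENEW_WINDOW_DAYS=30

# needs_renewal CERT_PEM
# Returns 0 (true) when CERT_PEM expires within RENEW_WINDOW_DAYS, is
# already expired, or cannot be read; returns 1 when it still has enough
# lifetime left. This mirrors what certbot decides per certificate.
needs_renewal() {
    cert="$1"
    window_secs=$((RENEW_WINDOW_DAYS * 86400))
    # "openssl x509 -checkend N" exits 0 if the certificate is still valid
    # N seconds from now and 1 if it will have expired by then.
    if openssl x509 -noout -checkend "$window_secs" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_enddate CERT_PEM: print the notAfter date, useful for logging.
cert_enddate() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# safe_reload: body of a script to pass to "certbot renew --deploy-hook".
# A configuration error at reload time would otherwise leave the new
# certificate on disk but nginx still serving the old one.
safe_reload() {
    if nginx -t >/dev/null 2>&1; then
        nginx -s reload
    else
        echo "nginx -t failed; new certificate written but nginx NOT reloaded" >&2
        return 1
    fi
}

# make_test_cert DIR DAYS: constructed self-signed certificate (test input
# only, never for a real site) valid for DAYS days, written as
# DIR/fullchain.pem and DIR/privkey.pem to mirror the live/ layout.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=domain.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Demo: a 90-day certificate is left alone, a 10-day one is flagged.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/fresh" "$tmp/expiring"
    make_test_cert "$tmp/fresh" 90
    make_test_cert "$tmp/expiring" 10
    for name in fresh expiring; do
        pem="$tmp/$name/fullchain.pem"
        if needs_renewal "$pem"; then
            echo "$name (expires $(cert_enddate "$pem")): renew"
        else
            echo "$name (expires $(cert_enddate "$pem")): keep"
        fi
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run "sh le-check.sh demo" to see both decisions on the constructed certificates; on a real host, "needs_renewal /etc/letsencrypt/live/domain.com/fullchain.pem" shows whether the next cron run will do anything. To use safe_reload as the deploy hook, copy that function into its own script (for example /usr/local/sbin/nginx-safe-reload, an assumed path) that calls it, and pass that path to --deploy-hook instead of "nginx -s reload".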

OK, it's done! Original link: https://www.helloque.site/art…