
Install a free Let's Encrypt SSL certificate on Nginx with acme.sh

For a personal website like this one, a free Let's Encrypt SSL certificate is one option you can choose to secure your site.

On CentOS 7 with Nginx as the web server, you can install a Let's Encrypt SSL certificate with the following steps:

Install acme.sh

Why choose this instead of the officially recommended certbot? Because certbot requires installing snapd first, and that is not easy on CentOS 7. It installs a squashfs on your system, and on my CentOS 7 the system would not boot up after installing it. So I chose acme.sh to complete this installation.

curl https://get.acme.sh | sh -s [email protected] 

Create alias

alias acme.sh=~/.acme.sh/acme.sh

Issue a certificate

You can use the following command to issue a certificate; remember to change the domain names to your own and the webroot to your own webroot directory.

[[email protected] ~]# acme.sh --issue -d jichiduo.com -d www.jichiduo.com --webroot /var/www/jichiduo/
Sleep 10 and retry.
Using CA: https://acme.zerossl.com/v2/DV90
Create account key ok.
No EAB credentials found for ZeroSSL, let's get one
Registering account: https://acme.zerossl.com/v2/DV90
Registered
ACCOUNT_THUMBPRINT='mQBmCPjJMynTXXDo7WhlbtnhmJ3jN8zIUv3mf9P7DBk'
Creating domain key
The domain key is here: /root/.acme.sh/jichiduo.com/jichiduo.com.key
Multi domain='DNS:jichiduo.com,DNS:www.jichiduo.com'
Getting domain auth token for each domain
Getting webroot for domain='jichiduo.com'
Getting webroot for domain='www.jichiduo.com'
Verifying: jichiduo.com
Processing, The CA is processing your order, please just wait. (1/30)
Success
Verifying: www.jichiduo.com
Processing, The CA is processing your order, please just wait. (1/30)
Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/pBw-Xmw4uGoEhsQymi2E4g/finalize'
Order status is processing, lets sleep and retry.
Retry after: 15
Polling order status: https://acme.zerossl.com/v2/DV90/order/pBw-Xmw4uGoEhsQymi2E4g
Downloading cert.
Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/cHjNdPdEP8Ef27UeiPY65A'
Cert success.
-----BEGIN CERTIFICATE-----
certificate content
-----END CERTIFICATE-----
Your cert is in: /root/.acme.sh/jichiduo.com/jichiduo.com.cer
Your cert key is in: /root/.acme.sh/jichiduo.com/jichiduo.com.key
The intermediate CA cert is in: /root/.acme.sh/jichiduo.com/ca.cer
And the full chain certs is there: /root/.acme.sh/jichiduo.com/fullchain.cer

Modify the Nginx configuration

vi /etc/nginx/nginx.conf

In the config file, add the following lines or modify your existing configuration.

# Settings for a TLS enabled server.

server {
    listen 443 ssl;
    server_name jichiduo.com www.jichiduo.com;
    root /var/www/jichiduo;
    # Full chain (leaf + intermediate) and private key as written by acme.sh --issue
    ssl_certificate "/root/.acme.sh/jichiduo.com/fullchain.cer";
    ssl_certificate_key "/root/.acme.sh/jichiduo.com/jichiduo.com.key";
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_prefer_server_ciphers on;
    # Protocol versions offered to clients; TLSv1 and TLSv1.1 are deprecated
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # The location URI must match the error_page URI (the stock file has /40x.html here, which never matches)
    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
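The server block above still offers TLS 1.0 and 1.1 and points Nginx straight at the files under /root/.acme.sh, which acme.sh's own documentation says are for its internal use only. The following hardened version is an added example, not configuration from the original post; it assumes the certificate and key were first copied out with acme.sh --install-cert into /etc/nginx/ssl/jichiduo.com/ (a directory name chosen for this example) and that the webroot from the issue step is still /var/www/jichiduo.

```nginx
# Plain-HTTP listener: keep serving the ACME webroot challenge, redirect everything else.
server {
    listen 80;
    server_name jichiduo.com www.jichiduo.com;

    location /.well-known/acme-challenge/ {
        root /var/www/jichiduo;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Settings for the TLS enabled server.
server {
    listen 443 ssl;
    server_name jichiduo.com www.jichiduo.com;
    root /var/www/jichiduo;

    # Files deployed by "acme.sh --install-cert" into a directory chosen for this
    # example, rather than the internal /root/.acme.sh copies.
    ssl_certificate     /etc/nginx/ssl/jichiduo.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/jichiduo.com/key.pem;

    # Current protocol versions only (TLS 1.0 and 1.1 are deprecated). TLSv1.3 takes
    # effect when Nginx is built against OpenSSL 1.1.1 or newer; stock CentOS 7 ships
    # OpenSSL 1.0.2, so clients there negotiate TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # every suite above is AEAD with forward secrecy, so let the client choose

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_session_tickets off;         # the ticket key lives as long as the process, weakening forward secrecy

    # Browsers will refuse plain HTTP for a year: enable only once HTTPS works for every hostname.
    add_header Strict-Transport-Security "max-age=31536000" always;

    include /etc/nginx/default.d/*.conf;

    error_page 404 /404.html;
    location = /404.html { }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html { }
}
```

After `mkdir -p /etc/nginx/ssl/jichiduo.com`, deploy the files with `acme.sh --install-cert -d jichiduo.com --key-file /etc/nginx/ssl/jichiduo.com/key.pem --fullchain-file /etc/nginx/ssl/jichiduo.com/fullchain.pem --reloadcmd "systemctl reload nginx"`; acme.sh stores that command and re-runs it, reload included, on every automatic renewal from the cron job the install script added. Note that the issue output above shows acme.sh's default CA, ZeroSSL; add `--server letsencrypt` to the `--issue` command if you specifically want a Let's Encrypt certificate.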

Restart Nginx

Restart your Nginx or force-reload it:

systemctl restart nginx

Or

systemctl force-reload nginx

Check your website

Now open a browser and visit your website; you should see the lock icon beside your website's URL.

Renew the certificate

You can use the following command to renew the certificate.

acme.sh --renew -d jichiduo.com -d www.jichiduo.com --force

Ref