Let’s Encrypt greatly simplifies server management by automating the process of obtaining certificates and configuring web servers to use them. The certbot client is fully featured and extensible, and works with the Let’s Encrypt Certificate Authority or any other CA that supports the ACME protocol.
On CentOS, the client is available in the Extra Packages for Enterprise Linux (EPEL) repository, which you will need to install and update first.
You will also need to have nginx installed and running. If you are adding certificates to a previously configured web host, it will of course already be installed.
Then install the certbot client itself, together with its nginx plugin, with the following command.
Once installed, use the next command to check that the client is working correctly.
If the help command works, the client is ready. Next, check that your firewall is configured correctly following the instructions below.
Allow HTTP/S at firewall
CentOS 7 enables relatively strict firewall rules by default, which do not allow HTTP or HTTPS connections to the host. The Let’s Encrypt client needs the host to be reachable from the internet on these ports to validate the domain, and it will fail with the default rules.
If you are installing the certificates on a previously configured web host, the required rules are probably already in place. Confirm them with the firewall-cmd --list-services command and, if http and https are listed, continue with the next section on obtaining the certificates.
Enable connections for HTTP and HTTPS services using the following command.
Then reload the firewall rules to apply the changes.
You can check that the rules were added successfully with the command below.
You should see http and https among the enabled services, alongside the dhcpv6-client and ssh services that CentOS 7 enables by default. With the firewall configured, you can continue with obtaining and installing certificates.
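The whole preparation above as one script, added here as an example rather than taken from the original tutorial: it installs EPEL, nginx, certbot and its nginx plugin, opens http and https in firewalld, verifies that nothing is still blocked, and finally checks that the client answers --help. The package names are the ones used in EPEL 7; the script name, the --apply switch and the missing_services helper are my own conventions.

```shell
#!/bin/sh
# setup-certbot-centos7.sh (added example, not from the original tutorial)
# Usage, as root:  sh setup-certbot-centos7.sh --apply
# Without --apply the script only defines its functions and prints usage.

REQUIRED_SERVICES="http https"

# Print the names in REQUIRED ($2, space separated) that are absent from
# CURRENT ($1), where CURRENT is the output of `firewall-cmd --list-services`.
missing_services() {
    current=" $1 "
    missing=""
    for svc in $2; do
        case "$current" in
            *" $svc "*) ;;                              # already enabled
            *) missing="${missing:+$missing }$svc" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Install a package only if rpm does not already know it.
ensure_pkg() {
    rpm -q "$1" >/dev/null 2>&1 || yum install -y "$1"
}

# Open every required service that is still missing, apply the change and
# fail loudly if something is still closed afterwards.
open_firewall() {
    need=$(missing_services "$(firewall-cmd --list-services)" "$REQUIRED_SERVICES")
    if [ -n "$need" ]; then
        for svc in $need; do
            firewall-cmd --permanent --add-service="$svc"
        done
        firewall-cmd --reload
    fi
    left=$(missing_services "$(firewall-cmd --list-services)" "$REQUIRED_SERVICES")
    [ -z "$left" ] || { echo "firewall still blocks: $left" >&2; return 1; }
}

main() {
    set -e
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    ensure_pkg epel-release
    yum -y update                      # pull in EPEL metadata and pending updates
    ensure_pkg nginx
    systemctl enable nginx
    systemctl start nginx              # 'enable --now' needs a newer systemd than CentOS 7 ships
    ensure_pkg certbot
    ensure_pkg python2-certbot-nginx   # older EPEL 7 builds named this python-certbot-nginx
    open_firewall
    certbot --help >/dev/null          # exits non-zero if the client is broken
    echo "certbot ready; firewall allows: $(firewall-cmd --list-services)"
}

case "${1:-}" in
    --apply) main ;;
    *) echo "usage: $0 --apply" >&2 ;;
esac
```

The helper takes the service list as an argument instead of calling firewall-cmd itself, so the firewall logic can be checked on a workstation without firewalld; on the server, open_firewall feeds it the live list.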
Obtaining a certificate
Let’s Encrypt validates control of a domain much as a traditional CA does, identifying the account holder by a public key. When the client contacts the Let’s Encrypt servers for the first time it generates an account key pair, and it then proves to the CA that the host controls the requested domain in at least one of the following two ways:
- Provisioning a DNS TXT record under the domain in question
- Provisioning an HTTP resource under a well-known URI on the domain (/.well-known/acme-challenge/)
In addition to completing one of the two challenges, the client must sign its requests, including a server-supplied nonce, with its private key to prove that it controls the account key pair.
To accomplish these tasks the client supports a number of plugins that obtain and, where possible, install certificates. Since certbot supports automated installation on nginx, certificates can be obtained and installed in a single step with the --nginx plugin.
The --nginx plugin automates obtaining certificates from the CA and configuring the Nginx web server to use them. To use it, run the command shown below, replacing the example domain with your own.
The command starts an interactive configuration script that asks a couple of questions to help with managing certificates.
- On the first installation on any specific host, you’ll need to enter a contact email.
- Then go through the Let’s Encrypt Terms of Service and select Agree if you accept the terms and wish to use the service.
- Choose whether you wish to share your email address with the Electronic Frontier Foundation (EFF) for updates on their work.
- Lastly, choose whether to redirect all HTTP requests to HTTPS; enable this if you wish to fully secure your domain.
If the client succeeded in obtaining a certificate, you will find a confirmation and the certificate’s expiration date at the end of the output.
If you run into problems with the client, make sure the domain or subdomain you are registering currently resolves to the public IP address of your server, that nginx has a server block for that name, and that you are running the commands with administrative privileges.
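The checks in the troubleshooting paragraph, run before the certbot --nginx command, as an added example script that is not part of the original tutorial: it confirms that each domain resolves to an address of this host, that nginx has a server_name for it, and that the firewall allows http, then hands the domains to certbot. The script name and the helper functions are my own; hostname -I, getent ahostsv4 and nginx -T are standard commands on CentOS 7.

```shell
#!/bin/sh
# obtain-cert.sh (added example, not from the original tutorial)
# Usage, as root:  sh obtain-cert.sh example.com [www.example.com ...]
# Checks the conditions that most often make the --nginx plugin fail,
# then runs certbot interactively. Nothing runs unless a domain is given.

# Return 0 if ADDR ($1) is one of the space-separated addresses in LIST ($2).
ip_listed() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if DOMAIN ($2) is named as a whole token in a server_name directive
# of CONFIG_TEXT ($1), the output of `nginx -T`. The --nginx plugin selects the
# server block to edit by server_name, so a name missing here cannot be installed.
has_server_name() {
    escaped=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eq \
        "^[[:space:]]*server_name[[:space:]]+([^;]*[[:space:]])?$escaped[[:space:]]*([[:space:];]|$)"
}

preflight() {
    domain=$1
    local_ips=$(hostname -I)
    resolved=$(getent ahostsv4 "$domain" | awk '{print $1}' | sort -u)
    [ -n "$resolved" ] || { echo "$domain does not resolve" >&2; return 1; }
    matched=1
    for ip in $resolved; do
        ip_listed "$ip" "$local_ips" && matched=0
    done
    if [ "$matched" -ne 0 ]; then
        echo "$domain resolves to [$resolved] but this host has [$local_ips]" >&2
        echo "(behind NAT, compare against your public address instead)" >&2
        return 1
    fi
    has_server_name "$(nginx -T 2>/dev/null)" "$domain" ||
        { echo "no server_name $domain in the nginx configuration" >&2; return 1; }
    firewall-cmd --list-services | grep -qw http ||
        { echo "firewall does not allow http; see the firewall section" >&2; return 1; }
}

main() {
    set -e
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    args=""
    for d in "$@"; do
        preflight "$d"
        args="$args -d $d"
    done
    # Interactive run: certbot asks for the contact e-mail, Terms of Service,
    # the EFF mailing list and the HTTPS redirect, then edits the nginx config.
    certbot --nginx $args
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

has_server_name takes the configuration as text so it can be exercised against a constructed snippet; on the server, preflight feeds it the real nginx -T dump, which includes every included file.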
Renewing a certificate
At the end of the output, the client shows the certificate’s expiration date, which is 90 days (about 3 months) from the day it was issued. Renewing a certificate is just as easy as obtaining one.
The client only renews certificates that are within 30 days of expiry, but you can test that the renewal works with the --dry-run parameter, which simulates the process against the Let’s Encrypt staging environment without issuing a real certificate.
To actually renew certificates, simply leave out the simulation parameter.
Once the renewal is complete, reload your web server so that it picks up the new certificate, using the following command.
Your certificate is now valid for another 90 days.
Given the short lifetime of the certificates, you should automate the renewal with a short script like the example below and make it executable.
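A renewal script of that kind, added here as an example and not taken from the original tutorial: it runs certbot renew with a deploy hook, so nginx is reloaded only when a certificate was actually replaced, logs a one-line summary per run, and can install itself as a twice-daily cron job. The script name, log path, cron schedule and the renew_status helper are my own choices; the summary strings it matches are the lines certbot prints at the end of a renew run.

```shell
#!/bin/sh
# renew-certs.sh (added example, not from the original tutorial)
# `certbot renew` only touches certificates within 30 days of expiry, and the
# --deploy-hook runs once per certificate that was actually renewed, so nginx is
# reloaded when needed and left alone otherwise.
# Usage, as root:  sh renew-certs.sh --run           real run (what cron calls)
#                  sh renew-certs.sh --dry-run       simulated run against staging
#                  sh renew-certs.sh --install-cron  write /etc/cron.d/certbot-renew

LOG=/var/log/letsencrypt/renew-cron.log

# Summarise a run from certbot's exit status ($1) and captured output ($2).
# Prints one word: renewed, not-due, failed or unknown.
renew_status() {
    if [ "$1" -ne 0 ]; then
        echo failed
    else
        case "$2" in
            *"all renewals succeeded"*)     echo renewed ;;
            *"No renewals were attempted"*) echo not-due ;;
            *) echo unknown ;;   # a future certbot may word its summary differently
        esac
    fi
}

run_renew() {
    # Note: with --dry-run certbot runs pre/post hooks but not deploy hooks.
    out=$(certbot renew "$@" --deploy-hook "systemctl reload nginx" 2>&1)
    rc=$?
    status=$(renew_status "$rc" "$out")
    printf '%s %s\n' "$(date '+%F %T')" "$status" >> "$LOG"
    if [ "$status" = failed ]; then
        printf '%s\n' "$out" >> "$LOG"   # keep the full error for diagnosis
    fi
    [ "$status" != failed ]              # non-zero exit makes cron mail the failure
}

# Twice a day at an odd minute, as certbot recommends, so a transient failure
# is retried well before the certificate expires.
install_cron() {
    printf '17 3,15 * * * root %s --run\n' "$1" > /etc/cron.d/certbot-renew
}

case "${1:-}" in
    --run)          run_renew ;;
    --dry-run)      run_renew --dry-run ;;
    --install-cron) install_cron "$(readlink -f "$0")" ;;
    *) echo "usage: $0 --run | --dry-run | --install-cron" >&2 ;;
esac
```

Using --deploy-hook instead of an unconditional reload after every cron run avoids reloading nginx twice a day for nothing, and the exit status of run_renew lets cron's mail or your monitoring notice a renewal that keeps failing while there is still time to fix it.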