Let's Encrypt
This is a short tutorial on how to use NGINX + LetsEncrypt as an SSL/TLS enabled load-balancer.
Firewall
Configure the firewall:
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
SELinux
This gets me every time. Let's turn it off!
sudo setenforce 0
sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
Install NGINX
Install NGINX:
sudo yum-config-manager --enable ol7_developer_EPEL
sudo yum -y install nginx
Start NGINX:
sudo systemctl enable nginx
sudo systemctl start nginx
LetsEncrypt
Installing Certbot via YUM always gives me grief. I've discovered this works better:
sudo yum -y install python-pip
sudo pip install --upgrade pip
sudo pip install -U certbot
Warning: when running 'certbot', you may get an error similar to:
In that case, uninstall 'pyOpenSSL' via 'yum' and reinstall it via 'pip'.
sudo yum -y remove pyOpenSSL
sudo pip install pyOpenSSL==16.2.0
Make sure your DNS entries are correct and that you've opened the HTTP/S ports.
Perform a dry run of certbot to see if it's working. (Use your own domain names.)
sudo certbot certonly --dry-run --nginx \
-d example.com \
-d my.example.com
Is the dry run successful? If so, run it for real:
sudo certbot --nginx \
-d insight.wiki \
-d oracle.insight.wiki
It will ask you some questions. Use common sense.
CRON
Let's configure a cron job to keep the certificates fresh. Since 'certbot renew' needs root to read /etc/letsencrypt, edit root's crontab. Type:
sudo crontab -e
Add the line (a per-user crontab has no user field; a 'root' column belongs only in /etc/crontab or /etc/cron.d):
52 0,12 * * * certbot renew --renew-hook 'service nginx reload'
You shouldn't have to, but sometimes it's nice to restart the cron service:
service crond restart
Configure NGINX
Certbot should have made some configuration changes to the nginx.conf file. Let's verify the configuration is valid:
sudo nginx -t
Let's see what's in it...
less /etc/nginx/nginx.conf
Yuck, what a mess! We can do better.
Here's an example to get you started. Once you have it the way you want it, reload the nginx configuration:
service nginx reload
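As an added starting point (this is not the page's own example config, nor anything shipped by NGINX or Certbot), here is a minimal TLS-terminating load-balancer configuration. It assumes the domain example.com with certificates issued by certbot under /etc/letsencrypt/live/example.com/ (the paths certbot uses by default), and two backend application servers at constructed placeholder addresses 10.0.0.11 and 10.0.0.12. Drop it into /etc/nginx/conf.d/loadbalancer.conf, which the stock nginx.conf pulls in via its include of /etc/nginx/conf.d/*.conf, or paste it inside the http block of nginx.conf itself.

```nginx
# Added example, not the page's own starter config.
# Assumptions (constructed): domain example.com, certbot-issued certs under
# /etc/letsencrypt/live/example.com/, two backends on the LAN at 10.0.0.11/12.

upstream app_backend {
    # Backend pool; addresses are placeholders. Round-robin by default.
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
    keepalive 32;
}

# Plain HTTP: send everything to HTTPS. The certbot nginx plugin injects its
# own challenge handling at renewal time, so no ACME location is needed here.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Paths certbot creates; fullchain.pem includes the intermediate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS 1.2 only; add TLSv1.3 once your nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS with a short max-age; raise it once every host serves HTTPS cleanly.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Tell the backend who the real client was and that TLS terminated here.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run 'sudo nginx -t' after saving it; if the test passes, 'service nginx reload' picks it up. The X-Forwarded-Proto header matters for backends that generate absolute URLs or set secure cookies, since to them the connection arrives as plain HTTP.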
Test it out with a web browser.
Bad gateway (502) error? That usually means NGINX could not reach the upstream. Take a look at the log file: /var/log/nginx/error.log
Success? Congratulations!