Let's Encrypt

Last modified by Jeff McDonald on 2021/11/17 07:32

This is a short tutorial on how to use NGINX + LetsEncrypt as an SSL/TLS enabled load-balancer.

Firewall

Configure the firewall:

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

SELinux

This gets me every time. Let's turn it off!

sudo setenforce 0
sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

Install NGINX

Install NGINX:

sudo yum-config-manager --enable ol7_developer_EPEL
sudo yum -y install nginx

Start NGINX:

sudo systemctl enable nginx
sudo systemctl start nginx

LetsEncrypt

Installing Certbot via YUM always gives me grief. I've discovered this works better:

sudo yum -y install python-pip
sudo pip install --upgrade pip
sudo pip install -U certbot

Warning: when running 'certbot', you may get an error similar to:

ImportError: 'pyOpenSSL' module missing required functionality. Try upgrading to v0.14 or newer.

In that case, uninstall 'pyOpenSSL' via 'yum' and reinstall it via 'pip'.

sudo yum -y remove pyOpenSSL
sudo pip install pyOpenSSL==16.2.0

Make sure your DNS entries are correct and that you've opened the HTTP/S ports.

Perform a dry run of certbot to see if it's working. (Use your own domain names.)

sudo certbot certonly --dry-run --nginx \
  -d example.com \
  -d my.example.com

Is the dry run successful? If so, run it for real:

sudo certbot --nginx \
  -d insight.wiki \
  -d oracle.insight.wiki

It will ask you some questions. Use common sense.

CRON

Let's configure a cron job to keep the certificates fresh. Renewal needs to write to /etc/letsencrypt and reload nginx, so edit root's crontab. Type:

sudo crontab -e

Add the line (a per-user crontab has no user field, unlike /etc/crontab):

52 0,12 * * * certbot renew --renew-hook 'service nginx reload'

You shouldn't have to, but sometimes it's nice to restart the cron service:

service crond restart

Configure NGINX

Certbot should have made some configuration changes to the nginx.conf file. Let's verify it works:

sudo nginx -t

Let's see what's in it...

less /etc/nginx/nginx.conf

Yuck, what a mess! We can do better.

Here's an example /etc/nginx/nginx.conf to get you started.
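As an added illustration (not the wiki's own configuration), here is a minimal TLS-terminating load-balancer config in the shape the steps above produce. It assumes the certificate was issued for example.com and my.example.com, and that two constructed backend servers listen on 10.0.0.11:8080 and 10.0.0.12:8080; the certbot paths under /etc/letsencrypt/live/ are the ones certbot creates.

```nginx
# Added example, not the page's own file. Backend addresses are constructed.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;

    # Pool of backend application servers (assumed addresses).
    upstream app_backend {
        server 10.0.0.11:8080;
        server 10.0.0.12:8080;
    }

    # Plain HTTP: redirect everything to HTTPS. The certbot --nginx plugin
    # inserts its own challenge location here during renewals.
    server {
        listen 80;
        server_name example.com my.example.com;
        return 301 https://$host$request_uri;
    }

    # TLS termination with the certificate certbot issued for example.com.
    server {
        listen 443 ssl http2;
        server_name example.com my.example.com;

        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Forward to the pool, passing the original host and client address
        # so the backends can log and authorize on real values.
        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Run 'sudo nginx -t' after editing; a failing test usually points at a wrong certificate path or a server_name that does not match what certbot issued.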

Once you have it the way you want it, reload the nginx configuration:

service nginx reload

Test it out with a web browser.

Bad gateway error? Take a look at the log file: /var/log/nginx/error.log

Success? Congratulations!