Secure Nginx with Let’s Encrypt on AlmaLinux 9 | Best Setup
This guide, brought to you by Orcacore, will walk you through the process of securing your Nginx web server with Let’s Encrypt on AlmaLinux 9. Let’s Encrypt is a free, automated, and open certificate authority (CA) dedicated to making the internet more secure and privacy-respecting by providing SSL/TLS certificates.
SSL certificates offer two crucial benefits: encryption and validation. Encryption safeguards data transmitted to and from your website, preventing interception by malicious actors. Validation confirms that the domain name genuinely belongs to the claimed owner, increasing trust and security. Let’s Encrypt primarily focuses on encryption and provides Domain Validation (DV) SSL certificates. These certificates verify domain ownership but don’t include organizational details, unlike Organization Validation (OV) or Extended Validation (EV) SSL certificates.
Before we begin, let’s ensure you have the necessary prerequisites in place.
1. Requirements for Let’s Encrypt Setup with Nginx
To follow this tutorial, you’ll need the following:
- A non-root user with sudo privileges: Ensure you have a user account with administrative privileges. Refer to the Initial server setup article for AlmaLinux 9 for guidance.
- Nginx installed and configured: Nginx must be installed on your AlmaLinux 9 server with properly configured server blocks (virtual hosts). Follow the instructions in How To Install Nginx on AlmaLinux 9.
- A fully registered domain name: You need a domain whose DNS A record (and AAAA record, if you use IPv6) points to your server’s public IP address. Let’s Encrypt’s HTTP-01 validation connects to that address on port 80, so DNS must already resolve before you run Certbot.
Once these requirements are met, you can proceed with securing your Nginx server with Let’s Encrypt on AlmaLinux 9.
2. Install Certbot Let’s Encrypt Client on AlmaLinux 9
The Certbot package isn’t available in the default DNF package repository. You first need to enable the EPEL (Extra Packages for Enterprise Linux) repository. Execute the following command:
sudo dnf install epel-release -y
Next, install Certbot and the Nginx plugin:
sudo dnf install certbot python3-certbot-nginx -y
With Certbot installed, you need to adjust your firewall settings to allow HTTP and HTTPS traffic.
To check the currently enabled firewall services, use:
sudo firewall-cmd --permanent --list-all
You should see output similar to:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Note: If HTTP and HTTPS are not listed under "services," add them using these commands:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
Apply the changes by reloading the firewall:
sudo firewall-cmd --reload
Now you’re prepared to obtain your SSL certificate from Let’s Encrypt on AlmaLinux 9.
3. How to Get an SSL Certificate on AlmaLinux 9?
This step involves requesting the SSL certificate for your domain using Certbot.
Note: To generate a single certificate valid for multiple domains or subdomains, pass each of them with its own -d flag; the first name becomes the certificate’s directory name under /etc/letsencrypt/live/. The Nginx plugin locates the server block whose server_name matches each name you pass, so those server blocks must exist before you run the command.
In this example, our domain name is nginx.orcacore.net. Remember to replace this with your actual domain name.
To request a certificate for both the domain and its www subdomain:
sudo certbot --nginx -d nginx.orcacore.net -d www.nginx.orcacore.net
For a single domain only:
sudo certbot --nginx -d nginx.orcacore.net
Certbot will prompt you for an email address (used for expiry and security notices) and ask you to agree to the Let’s Encrypt subscriber agreement. It then completes the HTTP-01 challenge over port 80, writes the listen 443 ssl, ssl_certificate and ssl_certificate_key directives (each marked "# managed by Certbot") into the matching server block, and reloads Nginx.
The output will look something like this:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): your_email@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-22-2022.pdf. You must
agree in order to register with the Let's Encrypt ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
... (more output) ...
Congratulations! You have successfully enabled HTTPS on your domain!
You should test your configuration at:
-------------------------------------------------------------------------------
https://www.ssllabs.com/ssltest/analyze.html?d=nginx.orcacore.net
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nginx.orcacore.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nginx.orcacore.net/privkey.pem
Your certificate will expire on 2023-12-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
* Donating: https://letsencrypt.org/donate
* Sponsoring: https://letsencrypt.org/sponsor
After completing the process of securing Nginx with Let’s Encrypt on AlmaLinux 9, you can verify the status of your SSL certificate using an online SSL checker. A popular option is:
https://www.ssllabs.com/ssltest/analyze.html?d=nginx.orcacore.net
Remember to replace the domain name with your own.
This test will give you a grade and details about your SSL configuration. You should aim for an "A" grade. Now your website can be accessed via HTTPS. The final step is to configure automatic certificate renewal to maintain this secure setup.
4. How to set up Auto-renewal for SSL certificates?
Now that you’ve successfully secured Nginx with Let’s Encrypt on AlmaLinux 9, it’s important to automate certificate renewal. Let’s Encrypt certificates are valid for 90 days. certbot renew only renews certificates that are within 30 days of expiry and leaves the others untouched, so it is safe, and intended, to run it far more often than once per certificate lifetime; a certificate is then renewed after roughly 60 days.
You can test the automatic renewal process using the following command:
sudo certbot renew --dry-run
A successful dry run should produce output similar to:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nginx.orcacore.net.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for nginx.orcacore.net and www.nginx.orcacore.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dry run succeeded.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
To automate the renewal process, create a cron job that runs regularly. Edit the crontab for the root user:
sudo crontab -e
Add the following line to the crontab file:
0 0,12 * * * python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet
This cron job runs twice a day, at midnight and noon. The python3 command (AlmaLinux 9 ships python3 but no unversioned python command, so the common python -c form fails silently in cron) sleeps for a random interval of up to 3600 seconds (one hour), so that renewals from many servers are not all fired at the Let’s Encrypt API at the same instant. certbot renew --quiet then attempts to renew every certificate managed by Certbot that is within 30 days of expiry, printing nothing unless something fails; because the certificate was issued with the Nginx installer, Certbot reloads Nginx after a successful renewal.
Save and close the file (:wq in vi, the default crontab editor).
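A renewal that keeps failing (port 80 blocked, DNS changed, a server block renamed) is silent with --quiet until the certificate expires. As an added example that is not part of the original guide or of Certbot, the following script complements the cron job above: it inspects every lineage under Certbot’s live directory and exits non-zero when any certificate is within WARN_DAYS of expiry. The live directory path and the 30-day threshold are assumptions that match Certbot’s defaults; the check itself uses openssl x509 -checkend.

```shell
#!/bin/sh
# check-le-expiry.sh (added example; not from the original guide or from Certbot)
# Reports every certificate under Certbot's live directory and fails if any of
# them expires within WARN_DAYS. Run it from cron after "certbot renew" so that a
# renewal that keeps failing is noticed well before the 90-day lifetime runs out.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # Certbot default (assumed); override for testing
WARN_DAYS="${WARN_DAYS:-30}"                    # assumed threshold: certbot renews at 30 days left

# Return 0 when the certificate in $1 expires within $2 days, 1 when it is good for longer.
# openssl's -checkend exits 0 if the certificate is still valid after the given number
# of seconds, so the sense is inverted here to read naturally in an "if".
cert_expiring_within() {
  if openssl x509 -noout -checkend "$(($2 * 86400))" -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter timestamp of the certificate in $1 (e.g. "Dec 20 10:00:00 2023 GMT").
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | cut -d= -f2-
}

# Walk every <lineage>/fullchain.pem under $1, print one status line per lineage
# (warnings go to stderr so cron mails only those) and return the number of
# certificates expiring within $2 days (0 means all good).
check_lineages() {
  local dir="$1" days="$2" expiring=0 pem name
  for pem in "$dir"/*/fullchain.pem; do
    [ -e "$pem" ] || continue            # glob matched nothing: no lineages yet
    name=$(basename "$(dirname "$pem")")
    if cert_expiring_within "$pem" "$days"; then
      printf 'WARN %-40s expires %s (within %s days, renewal may be failing)\n' \
        "$name" "$(cert_not_after "$pem")" "$days" >&2
      expiring=$((expiring + 1))
    else
      printf 'OK   %-40s expires %s\n' "$name" "$(cert_not_after "$pem")"
    fi
  done
  return "$expiring"
}

# When run on a server that has certificates, report on all of them; the exit
# status is the number of certificates needing attention.
if [ -d "$LIVE_DIR" ]; then
  check_lineages "$LIVE_DIR" "$WARN_DAYS"
fi
```

Install it as /usr/local/sbin/check-le-expiry.sh and add a second crontab line such as 30 1 * * * /usr/local/sbin/check-le-expiry.sh >/dev/null, so it runs after the renewal attempts; the OK lines are discarded, WARN lines reach you through cron mail, and the non-zero exit status is what a monitoring agent can alert on.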
Conclusion
This guide has shown you how to install Certbot, obtain SSL certificates for your domain, and set up automatic certificate renewal to secure Nginx with Let’s Encrypt on AlmaLinux 9.
Alternative Solutions for Securing Nginx with Let’s Encrypt
While Certbot is a popular and effective tool, other options exist for obtaining and managing Let’s Encrypt certificates for Nginx. Here are two alternative approaches:
1. Using acme.sh:
acme.sh is a pure Unix shell script implementing the ACME protocol. It requires no dependencies other than curl or wget and a POSIX-compatible shell such as bash. It’s a lightweight and versatile option suitable for systems where you prefer minimal dependencies or need greater control over the certificate issuance process.
Explanation:
acme.sh automates the process of obtaining and renewing Let’s Encrypt certificates. It uses the ACME protocol to verify domain ownership and request certificates. Unlike Certbot, it doesn’t require Python or any other high-level language runtime, which makes it ideal for embedded systems or situations where resource constraints are a concern. acme.sh supports various methods for domain verification, including HTTP-01, DNS-01 and TLS-ALPN-01 challenges.
Code Example:
First, install acme.sh. The installer copies the script to ~/.acme.sh, registers the account email and adds a daily cron job for renewals:
curl https://get.acme.sh | sh -s email=your_email@example.com
Piping a download straight into a shell executes whatever the server returns. If that is not acceptable in your environment, clone the repository and install from it instead: git clone https://github.com/acmesh-official/acme.sh.git && cd acme.sh && ./acme.sh --install -m your_email@example.com
Source the acme.sh environment (or open a new shell, since the installer adds an alias to your shell profile):
source ~/.acme.sh/acme.sh.env
Important: since version 3.0, acme.sh uses ZeroSSL as its default CA, so a plain --issue would not give you a Let’s Encrypt certificate at all. Either pass --server letsencrypt on every --issue, or switch the default once:
acme.sh --set-default-ca --server letsencrypt
Issue the certificate in webroot (HTTP-01) mode:
acme.sh --issue --server letsencrypt -d nginx.orcacore.net -d www.nginx.orcacore.net -w /var/www/nginx.orcacore.net
- -d nginx.orcacore.net: Specifies a domain name to include; repeat the flag for each additional name. The first one is the primary name that later commands refer to.
- -w /var/www/nginx.orcacore.net: Specifies the webroot directory for HTTP challenge verification. acme.sh writes the challenge token under <webroot>/.well-known/acme-challenge/, so Nginx must serve that path over plain HTTP on port 80 for every name listed (hence the http firewall rule from Section 2).
Install the certificate where Nginx expects it. acme.sh keeps its own copies under ~/.acme.sh and, unlike certbot --nginx, never edits the Nginx configuration, so the files must be copied out and your server block must point at them. Run this as root (or as a user that can write to /etc/nginx/ssl and reload Nginx):
sudo mkdir -p /etc/nginx/ssl
acme.sh --installcert -d nginx.orcacore.net \
  --certpath /etc/nginx/ssl/nginx.orcacore.net.crt \
  --keypath /etc/nginx/ssl/nginx.orcacore.net.key \
  --fullchainpath /etc/nginx/ssl/nginx.orcacore.net.fullchain \
  --reloadcmd "nginx -t && systemctl reload nginx"
- --certpath, --keypath, --fullchainpath: Specify the paths where the leaf certificate, private key, and full chain will be copied. Adjust these paths to match your Nginx configuration, and in your server block point ssl_certificate at the fullchain file and ssl_certificate_key at the key file. Do not serve the leaf-only --certpath file: clients then lack the intermediate certificate and fail to build the chain. Keep the key file readable by root only (chmod 600).
- --reloadcmd: Specifies the command acme.sh runs after this install and after every successful renewal so that Nginx picks up the new files. Running nginx -t first makes a broken configuration fail visibly in acme.sh’s output instead of being ignored by the reload.
acme.sh renews certificates automatically via the daily cron job the installer sets up (visible with crontab -l): each certificate is renewed once it is 60 days old, and the --reloadcmd is run again after every renewal, so nothing else needs to be scheduled.
2. Using a Configuration Management Tool (Ansible):
For more complex environments with multiple servers, a configuration management tool like Ansible can automate the entire process of installing Nginx, obtaining certificates, and configuring virtual hosts.
Explanation:
Ansible allows you to define the desired state of your servers in a declarative manner. You can create playbooks that automate tasks such as installing packages, configuring files, and running commands. Using Ansible, you can ensure that all your servers are configured consistently and securely. For Let’s Encrypt certificate management, Ansible can interact with tools like Certbot or acme.sh, or even use the ACME protocol directly via Ansible modules.
Code Example (Ansible Playbook Snippet):
This is a simplified example. A complete playbook would handle Nginx installation and the server blocks; this one assumes Nginx is already installed and configured as in the Requirements section.
---
- hosts: webservers
  become: true
  vars:
    le_domain: nginx.orcacore.net
    le_email: your_email@example.com
  tasks:
    - name: Enable EPEL (Certbot is packaged there on AlmaLinux 9)
      ansible.builtin.dnf:
        name: epel-release
        state: present

    - name: Install Certbot and the Nginx plugin
      ansible.builtin.dnf:
        name:
          - certbot
          - python3-certbot-nginx
        state: present

    - name: Obtain Let's Encrypt certificate (skipped once the lineage exists)
      ansible.builtin.command:
        cmd: >-
          certbot --nginx -d {{ le_domain }}
          --non-interactive --agree-tos --email {{ le_email }} --redirect
        creates: /etc/letsencrypt/live/{{ le_domain }}/fullchain.pem
      register: certbot_result

    - name: Reload Nginx if a certificate was just issued
      ansible.builtin.systemd:
        name: nginx
        state: reloaded
      when: certbot_result is changed
- This playbook targets a group of servers defined as webservers in your Ansible inventory; vars holds the domain and contact address so they are not repeated in every task.
- The first two tasks enable EPEL and install Certbot plus the Nginx plugin with the dnf module, the same packages as in Section 2.
- The third task runs certbot unattended: --non-interactive, --agree-tos and --email replace the prompts, and --redirect makes Certbot add the HTTP-to-HTTPS redirect to the server block. The creates argument makes the task idempotent: once /etc/letsencrypt/live/<domain>/fullchain.pem exists, Ansible skips the command instead of contacting the ACME server again. The register keyword captures the result so the next task can inspect it.
- The last task reloads Nginx only when the certificate task reported a change. The Nginx plugin already reloads Nginx after editing the server block, so this is a safety net; a restart is not needed and would drop in-flight connections.
This approach provides a scalable and repeatable way to manage SSL certificates across your infrastructure. Because of the creates guard, re-running the playbook does not re-issue a certificate that already exists; renewal itself is still the job of certbot renew on each host (Section 4), not of the playbook.
Securing Nginx with Let’s Encrypt on AlmaLinux 9 is crucial for protecting your website and user data. While Certbot offers a convenient solution, acme.sh provides a lightweight alternative, and Ansible enables automated certificate management across multiple servers. Choose the method that best suits your environment and requirements.