How to create a free Let’s Encrypt certificate on CentOS with NGINX


Step 1:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Step 2:

./certbot-auto --nginx

Result:

[root@tutorialspots ~]# ./certbot-auto --nginx
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no
-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: mirrors.nhanhoa.com
 * epel: epel.mirror.net.in
 * extras: mirror.pregi.net
 * remi-safe: remi.mirror.ate.info
 * updates: mirror.rise.ph
Package gcc-4.4.7-18.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and lates
t version
Resolving Dependencies
--> Running transaction check
---> Package augeas-libs.x86_64 0:1.0.0-10.el6 will be installed
---> Package ca-certificates.noarch 0:2015.2.6-65.0.1.el6_7 will be updated
---> Package ca-certificates.noarch 0:2017.2.14-65.0.1.el6_9 will be an update
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package mod_ssl.x86_64 1:2.2.15-60.el6.centos.6 will be installed
--> Processing Dependency: httpd = 2.2.15-60.el6.centos.6 for package: 1:mod_ssl
-2.2.15-60.el6.centos.6.x86_64
---> Package openssl.x86_64 0:1.0.1e-48.el6_8.1 will be updated
---> Package openssl.x86_64 0:1.0.1e-57.el6 will be an update
---> Package openssl-devel.x86_64 0:1.0.1e-48.el6_8.1 will be updated
---> Package openssl-devel.x86_64 0:1.0.1e-57.el6 will be an update
---> Package python.x86_64 0:2.6.6-64.el6 will be updated
---> Package python.x86_64 0:2.6.6-66.el6_8 will be an update
--> Processing Dependency: python-libs(x86-64) = 2.6.6-66.el6_8 for package: pyt
hon-2.6.6-66.el6_8.x86_64
---> Package python-devel.x86_64 0:2.6.6-66.el6_8 will be installed
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installed
---> Package python-tools.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: tkinter = 2.6.6-66.el6_8 for package: python-tools-2.
6.6-66.el6_8.x86_64
---> Package python-virtualenv.noarch 0:1.10.1-1.el6 will be installed
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-54.el6.centos will be updated
--> Processing Dependency: httpd = 2.2.15-54.el6.centos for package: httpd-devel
-2.2.15-54.el6.centos.x86_64
---> Package httpd.x86_64 0:2.2.15-60.el6.centos.6 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-60.el6.centos.6 for package: htt
pd-2.2.15-60.el6.centos.6.x86_64
---> Package python-libs.x86_64 0:2.6.6-64.el6 will be updated
---> Package python-libs.x86_64 0:2.6.6-66.el6_8 will be an update
---> Package tkinter.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: libTix.so()(64bit) for package: tkinter-2.6.6-66.el6_
8.x86_64
--> Running transaction check
---> Package httpd-devel.x86_64 0:2.2.15-54.el6.centos will be updated
---> Package httpd-devel.x86_64 0:2.2.15-60.el6.centos.6 will be an update
---> Package httpd-tools.x86_64 0:2.2.15-54.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-60.el6.centos.6 will be an update
---> Package tix.x86_64 1:8.4.3-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package              Arch      Version                        Repository  Size
================================================================================
Installing:
 augeas-libs          x86_64    1.0.0-10.el6                   base       314 k
 libffi-devel         x86_64    3.0.5-3.2.el6                  base        18 k
 mod_ssl              x86_64    1:2.2.15-60.el6.centos.6       updates     99 k
 python-devel         x86_64    2.6.6-66.el6_8                 base       173 k
 python-pip           noarch    7.1.0-1.el6                    epel       1.5 M
 python-tools         x86_64    2.6.6-66.el6_8                 base       871 k
 python-virtualenv    noarch    1.10.1-1.el6                   epel       1.3 M
Updating:
 ca-certificates      noarch    2017.2.14-65.0.1.el6_9         updates    1.3 M
 openssl              x86_64    1.0.1e-57.el6                  base       1.5 M
 openssl-devel        x86_64    1.0.1e-57.el6                  base       1.2 M
 python               x86_64    2.6.6-66.el6_8                 base        76 k
Installing for dependencies:
 tix                  x86_64    1:8.4.3-5.el6                  base       252 k
 tkinter              x86_64    2.6.6-66.el6_8                 base       258 k
Updating for dependencies:
 httpd                x86_64    2.2.15-60.el6.centos.6         updates    836 k
 httpd-devel          x86_64    2.2.15-60.el6.centos.6         updates    158 k
 httpd-tools          x86_64    2.2.15-60.el6.centos.6         updates     80 k
 python-libs          x86_64    2.6.6-66.el6_8                 base       5.3 M

Transaction Summary
================================================================================
Install       9 Package(s)
Upgrade       8 Package(s)

Total download size: 15 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): augeas-libs-1.0.0-10.el6.x86_64.rpm              | 314 kB     00:00
(2/17): ca-certificates-2017.2.14-65.0.1.el6_9.noarch.rp | 1.3 MB     00:00
(3/17): httpd-2.2.15-60.el6.centos.6.x86_64.rpm          | 836 kB     00:00
(4/17): httpd-devel-2.2.15-60.el6.centos.6.x86_64.rpm    | 158 kB     00:00
(5/17): httpd-tools-2.2.15-60.el6.centos.6.x86_64.rpm    |  80 kB     00:00
(6/17): libffi-devel-3.0.5-3.2.el6.x86_64.rpm            |  18 kB     00:00
(7/17): mod_ssl-2.2.15-60.el6.centos.6.x86_64.rpm        |  99 kB     00:00
(8/17): openssl-1.0.1e-57.el6.x86_64.rpm                 | 1.5 MB     00:00
(9/17): openssl-devel-1.0.1e-57.el6.x86_64.rpm           | 1.2 MB     00:00
(10/17): python-2.6.6-66.el6_8.x86_64.rpm                |  76 kB     00:00
(11/17): python-devel-2.6.6-66.el6_8.x86_64.rpm          | 173 kB     00:00
(12/17): python-libs-2.6.6-66.el6_8.x86_64.rpm           | 5.3 MB     00:00
(13/17): python-pip-7.1.0-1.el6.noarch.rpm               | 1.5 MB     00:01
(14/17): python-tools-2.6.6-66.el6_8.x86_64.rpm          | 871 kB     00:00
(15/17): python-virtualenv-1.10.1-1.el6.noarch.rpm       | 1.3 MB     00:01
(16/17): tix-8.4.3-5.el6.x86_64.rpm                      | 252 kB     00:00
(17/17): tkinter-2.6.6-66.el6_8.x86_64.rpm               | 258 kB     00:00
--------------------------------------------------------------------------------
Total                                           950 kB/s |  15 MB     00:16
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : ca-certificates-2017.2.14-65.0.1.el6_9.noarch               1/25
  Updating   : openssl-1.0.1e-57.el6.x86_64                                2/25
  Updating   : python-libs-2.6.6-66.el6_8.x86_64                           3/25
  Updating   : python-2.6.6-66.el6_8.x86_64                                4/25
  Installing : python-devel-2.6.6-66.el6_8.x86_64                          5/25
  Updating   : httpd-tools-2.2.15-60.el6.centos.6.x86_64                   6/25
  Updating   : httpd-2.2.15-60.el6.centos.6.x86_64                         7/25
  Installing : 1:tix-8.4.3-5.el6.x86_64                                    8/25
  Installing : tkinter-2.6.6-66.el6_8.x86_64                               9/25
  Installing : python-tools-2.6.6-66.el6_8.x86_64                         10/25
  Updating   : httpd-devel-2.2.15-60.el6.centos.6.x86_64                  11/25
  Installing : 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64                    12/25
  Installing : python-virtualenv-1.10.1-1.el6.noarch                      13/25
  Installing : python-pip-7.1.0-1.el6.noarch                              14/25
  Updating   : openssl-devel-1.0.1e-57.el6.x86_64                         15/25
  Installing : augeas-libs-1.0.0-10.el6.x86_64                            16/25
  Installing : libffi-devel-3.0.5-3.2.el6.x86_64                          17/25
  Cleanup    : httpd-devel-2.2.15-54.el6.centos.x86_64                    18/25
  Cleanup    : openssl-devel-1.0.1e-48.el6_8.1.x86_64                     19/25
  Cleanup    : httpd-2.2.15-54.el6.centos.x86_64                          20/25
  Cleanup    : httpd-tools-2.2.15-54.el6.centos.x86_64                    21/25
  Cleanup    : python-libs-2.6.6-64.el6.x86_64                            22/25
  Cleanup    : python-2.6.6-64.el6.x86_64                                 23/25
  Cleanup    : openssl-1.0.1e-48.el6_8.1.x86_64                           24/25
  Cleanup    : ca-certificates-2015.2.6-65.0.1.el6_7.noarch               25/25
  Verifying  : python-devel-2.6.6-66.el6_8.x86_64                          1/25
  Verifying  : python-2.6.6-66.el6_8.x86_64                                2/25
  Verifying  : libffi-devel-3.0.5-3.2.el6.x86_64                           3/25
  Verifying  : tkinter-2.6.6-66.el6_8.x86_64                               4/25
  Verifying  : 1:tix-8.4.3-5.el6.x86_64                                    5/25
  Verifying  : python-pip-7.1.0-1.el6.noarch                               6/25
  Verifying  : httpd-tools-2.2.15-60.el6.centos.6.x86_64                   7/25
  Verifying  : openssl-devel-1.0.1e-57.el6.x86_64                          8/25
  Verifying  : httpd-2.2.15-60.el6.centos.6.x86_64                         9/25
  Verifying  : python-libs-2.6.6-66.el6_8.x86_64                          10/25
  Verifying  : httpd-devel-2.2.15-60.el6.centos.6.x86_64                  11/25
  Verifying  : augeas-libs-1.0.0-10.el6.x86_64                            12/25
  Verifying  : ca-certificates-2017.2.14-65.0.1.el6_9.noarch              13/25
  Verifying  : python-tools-2.6.6-66.el6_8.x86_64                         14/25
  Verifying  : openssl-1.0.1e-57.el6.x86_64                               15/25
  Verifying  : python-virtualenv-1.10.1-1.el6.noarch                      16/25
  Verifying  : 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64                    17/25
  Verifying  : python-libs-2.6.6-64.el6.x86_64                            18/25
  Verifying  : httpd-tools-2.2.15-54.el6.centos.x86_64                    19/25
  Verifying  : httpd-devel-2.2.15-54.el6.centos.x86_64                    20/25
  Verifying  : openssl-1.0.1e-48.el6_8.1.x86_64                           21/25
  Verifying  : python-2.6.6-64.el6.x86_64                                 22/25
  Verifying  : ca-certificates-2015.2.6-65.0.1.el6_7.noarch               23/25
  Verifying  : openssl-devel-1.0.1e-48.el6_8.1.x86_64                     24/25
  Verifying  : httpd-2.2.15-54.el6.centos.x86_64                          25/25

Installed:
  augeas-libs.x86_64 0:1.0.0-10.el6        libffi-devel.x86_64 0:3.0.5-3.2.el6
  mod_ssl.x86_64 1:2.2.15-60.el6.centos.6  python-devel.x86_64 0:2.6.6-66.el6_8
  python-pip.noarch 0:7.1.0-1.el6          python-tools.x86_64 0:2.6.6-66.el6_8
  python-virtualenv.noarch 0:1.10.1-1.el6

Dependency Installed:
  tix.x86_64 1:8.4.3-5.el6            tkinter.x86_64 0:2.6.6-66.el6_8

Updated:
  ca-certificates.noarch 0:2017.2.14-65.0.1.el6_9
  openssl.x86_64 0:1.0.1e-57.el6
  openssl-devel.x86_64 0:1.0.1e-57.el6
  python.x86_64 0:2.6.6-66.el6_8

Dependency Updated:
  httpd.x86_64 0:2.2.15-60.el6.centos.6
  httpd-devel.x86_64 0:2.2.15-60.el6.centos.6
  httpd-tools.x86_64 0:2.2.15-60.el6.centos.6
  python-libs.x86_64 0:2.6.6-66.el6_8

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:2
6: DeprecationWarning: Python 2.6 is no longer supported by the Python core team
, please upgrade your Python. A future version of cryptography will drop support
 for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): tutorialspots@gmail.com
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: Depr
ecationWarning: signer and verifier have been deprecated. Please use sign and ve
rify instead.
  signer = key.signer(self.padding, self.hash)

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: y
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: demodomain.com
2: www.demodomain.com
3: demodomain.xyz
4: ws.demodomain.xyz
5: www.demodomain.xyz
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ws.gochat.xyz
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/demodomain.xyz.conf for set(['
ws.gochat.xyz'])

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP ac
cess.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://ws.demodomain.xyz

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=ws.demodomain.xyz
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ws.gochat.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ws.gochat.xyz/privkey.pem
   Your cert will expire on 2018-02-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

To renew automatically: Because that Let’s Encrypt certificates is valid for 90 days, so must renew.
To test:

./certbot-auto renew --dry-run

Result:

[root@tutorialspots ~]# ./certbot-auto renew --dry-run
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:2
6: DeprecationWarning: Python 2.6 is no longer supported by the Python core team
, please upgrade your Python. A future version of cryptography will drop support
 for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/ws.tutorialspots.xyz.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
/opt/eff.org/certbot/venv/lib/python2.6/site-packages/acme/jose/jwa.py:110: Depr
ecationWarning: signer and verifier have been deprecated. Please use sign and ve
rify instead.
  signer = key.signer(self.padding, self.hash)
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for ws.tutorialspots.xyz
Waiting for verification...
Cleaning up challenges

-------------------------------------------------------------------------------
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ws.tutorialspots.xyz/fullchain.pem
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/ws.tutorialspots.xyz/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

You can use crond to run below command twice per day:

./path/to/certbot-auto renew

https://certbot.eff.org/#centos6-nginx

1 Comment

Leave a Reply