SSL Certificate on NGINX

02 Jan 2020


In previous posts, we've seen how to install NGINX on our server, but so far it only serves plain HTTP, that is, unencrypted content without a TLS certificate.

Installing an SSL certificate is very simple, thanks to Let’s Encrypt.

To follow this guide, you just need SSH access to your server as a superuser or sudo user and your web server set up. 

1 - Enable EPEL Repository 

As a reminder from previous posts, we need to have the EPEL repository enabled. If it isn't active yet, run this command:

$ sudo yum install epel-release


2 - Install Certbot

Certbot is a free and open-source tool that automates certificate management and lets us serve HTTPS with certificates issued by Let's Encrypt.

To install it, run the following command:

$ sudo yum install certbot python2-certbot-nginx


3 - Certificate Creation

Since we already have an nginx server with our sites configured, we can run the following command:

$ sudo certbot --nginx

It will create the necessary certificates for every server_name it finds and update the configuration to serve HTTPS instead of plain HTTP.

3.1 - Manual Certificate Creation

In our case, we're going to create a certificate for one specific site. With certbot you pass every name the certificate must cover, both the main domain and its subdomains:

$ sudo certbot --nginx -d webEjemplo.com -d www.webEjemplo.com

Certbot will ask you for some information (such as a contact e-mail) to create the certificate; just fill it in.

Once it finishes, there's no need to configure nginx by hand, because certbot does it automatically. To check this, open the site's configuration file in /etc/nginx/conf.d/ (webEjemplo.conf in our case) and look at the changes:

server {
    listen 80;
    server_name www.webEjemplo.com;
    location / {
        proxy_pass http://localhost:5000;
    }
    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/www.webEjemplo.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.webEjemplo.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

server {
    listen 80;
    server_name webEjemplo.com;
    return 301 https://www.webEjemplo.com$request_uri;

    listen 443 ssl; # managed by Certbot

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/webEjemplo.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/webEjemplo.com/privkey.pem; # managed by Certbot

    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}

The lines added by certbot are marked with the comment # managed by Certbot.

As we can see, the changes are as follows:

  • listen on the SSL port 443
  • include the certificate and private key
  • redirect HTTP requests to HTTPS
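As an added example (not code from the original post or from certbot), the following script parses nginx `server { ... }` blocks and reports which of the three changes listed above are missing from each block. Running it against /etc/nginx/conf.d/webEjemplo.conf is a quick way to confirm certbot's edits on every site; run without arguments it checks two constructed samples, the post's own configuration and the same www block as it looked before certbot ran.

```python
"""Audit the changes certbot makes to an nginx server block.

Added example, not part of the original post: a minimal parser for nginx
server blocks that reports, per block, whether `listen 443 ssl`, the
certificate paths and the HTTP-to-HTTPS redirect are present.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerBlock:
    names: List[str] = field(default_factory=list)
    listens: List[str] = field(default_factory=list)
    certificate: Optional[str] = None
    certificate_key: Optional[str] = None
    redirects_to_https: bool = False


def strip_comments(text: str) -> str:
    """nginx comments run from '#' to end of line (e.g. '# managed by Certbot')."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_server_blocks(config: str) -> List[ServerBlock]:
    """Walk the config by its delimiters ('{', '}' and ';') and collect the
    directives we care about inside each top-level server block, including
    those nested in location/if blocks."""
    blocks: List[ServerBlock] = []
    current: Optional[ServerBlock] = None
    depth = 0
    for head, delim in re.findall(r"([^{};]*)([{};])", strip_comments(config)):
        head = head.strip()
        if delim == "{":
            if depth == 0 and head == "server":
                current = ServerBlock()
            depth += 1
        elif delim == "}":
            depth -= 1
            if depth == 0 and current is not None:
                blocks.append(current)
                current = None
        elif current is not None and head:
            name, *args = head.split()
            if name == "server_name":
                current.names.extend(args)
            elif name == "listen":
                current.listens.append(" ".join(args))
            elif name == "ssl_certificate" and args:
                current.certificate = args[0]
            elif name == "ssl_certificate_key" and args:
                current.certificate_key = args[0]
            elif (name == "return" and len(args) >= 2 and args[0] == "301"
                  and args[1].startswith("https://")):
                current.redirects_to_https = True
    return blocks


def audit(block: ServerBlock) -> List[str]:
    """Return the certbot changes that are missing from this block."""
    missing = []
    if not any(l.split()[:1] == ["443"] and "ssl" in l.split() for l in block.listens):
        missing.append("listen 443 ssl")
    if not (block.certificate and block.certificate_key):
        missing.append("ssl_certificate / ssl_certificate_key")
    serves_http = any(l.split()[:1] == ["80"] for l in block.listens)
    if serves_http and not block.redirects_to_https:
        missing.append("redirect of HTTP requests to HTTPS")
    return missing


# Constructed sample: the post's www block before certbot ran.
BEFORE_CERTBOT = """
server {
    listen 80;
    server_name www.webEjemplo.com;
    location / { proxy_pass http://localhost:5000; }
}
"""

# Constructed sample: the two blocks from the post after `certbot --nginx`.
AFTER_CERTBOT = """
server {
    listen 80;
    server_name www.webEjemplo.com;
    location / { proxy_pass http://localhost:5000; }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.webEjemplo.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.webEjemplo.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    if ($scheme != "https") { return 301 https://$host$request_uri; } # managed by Certbot
}
server {
    listen 80;
    server_name webEjemplo.com;
    return 301 https://www.webEjemplo.com$request_uri;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/webEjemplo.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/webEjemplo.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
"""


def report(config: str) -> None:
    for block in parse_server_blocks(config):
        missing = audit(block)
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"server_name {' '.join(block.names) or '(none)'}: {status}")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python audit_nginx.py /etc/nginx/conf.d/webEjemplo.conf
        with open(sys.argv[1]) as fh:
            report(fh.read())
    else:
        print("-- before certbot --")
        report(BEFORE_CERTBOT)
        print("-- after certbot --")
        report(AFTER_CERTBOT)
```

The parser deliberately ignores everything except the four directives it audits, so a block that serves port 80 without any `return 301 https://...` is flagged even if certbot left it alone because it was not listed with `-d`.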


4 - Automatic Certificate Renewal

Certificates issued by Let's Encrypt through certbot are valid for 90 days, so you'll need to renew them regularly.

If you created the certificates manually, you were asked for an e-mail address, and close to the expiry date Let's Encrypt will send you a message warning you that the certificate is about to expire.

Rather than relying on that warning, you can create a cron job on the system to renew your certificates automatically.

Open crontab with the following command:

$ crontab -e

And add the following line:

0 12 * * * /usr/bin/certbot renew --quiet

We use --quiet so that certbot produces no terminal output unless something goes wrong.

Note: certbot renew only renews certificates that are within 30 days of expiry, so on most days the daily job checks the certificates and does nothing.
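As an added example (not part of the original post), the following script makes that renewal window visible: it reads the expiry date of the certificate a server actually presents, computes the days left and tells you whether the cron job above would renew it today. It also builds the renew command, optionally with certbot's own --dry-run flag, which rehearses the renewal against Let's Encrypt's staging environment without touching the live certificates and is the safest way to confirm the cron job will work before the 30-day window arrives. The hostname and certbot path are the post's; the constructed dates in the usage are assumptions for illustration.

```python
"""Check a certificate against certbot's 30-day renewal window.

Added example, not part of the original post. `days_until_expiry` works
on the 'notAfter' string exactly as Python's getpeercert() returns it,
so the same function serves a live connection and an offline check.
"""
import socket
import ssl
import sys
import time
from typing import List

RENEW_WITHIN_DAYS = 30          # certbot's default renewal threshold (from the note above)
CERTBOT = "/usr/bin/certbot"    # path used in the post's cron line


def days_until_expiry(not_after: str, now: float) -> float:
    """not_after looks like 'Apr  1 12:00:00 2020 GMT'; now is a Unix timestamp.
    ssl.cert_time_to_seconds is the stdlib parser for that date format."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def renewal_due(not_after: str, now: float, threshold: int = RENEW_WITHIN_DAYS) -> bool:
    """True when `certbot renew` would actually renew this certificate."""
    return days_until_expiry(not_after, now) <= threshold


def renew_command(dry_run: bool = False, quiet: bool = True) -> List[str]:
    """The command the cron job runs; --dry-run rehearses against staging."""
    cmd = [CERTBOT, "renew"]
    if quiet:
        cmd.append("--quiet")
    if dry_run:
        cmd.append("--dry-run")
    return cmd


def fetch_not_after(hostname: str, port: int = 443) -> str:
    """Open a verified TLS connection and return the leaf certificate's notAfter.
    The default context validates the chain, so an already-expired or
    mis-issued certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


def describe(not_after: str, now: float) -> str:
    days = days_until_expiry(not_after, now)
    verdict = "renewal due" if renewal_due(not_after, now) else "nothing to do yet"
    return f"expires {not_after} ({days:.1f} days left): {verdict}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check, e.g. python renew_check.py www.webEjemplo.com
        print(describe(fetch_not_after(sys.argv[1]), time.time()))
    else:
        # Offline check with constructed dates (assumptions, not real certificates)
        expiry = "Apr  1 12:00:00 2020 GMT"
        for today in ("Feb  1 12:00:00 2020 GMT", "Mar 10 12:00:00 2020 GMT"):
            print(today, "->", describe(expiry, ssl.cert_time_to_seconds(today)))
    print("cron command:", " ".join(renew_command()))
    print("rehearsal:   ", " ".join(renew_command(dry_run=True)))
```

Run it with a hostname to check the certificate your server is really serving (which is what matters after a renewal, since nginx keeps the old certificate in memory until it is reloaded); without arguments it walks two constructed dates, one 60 days before expiry, where certbot would do nothing, and one 22 days before, where the renewal runs.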


4.1 - Manual Certificate Renewal with LetsEncrypt

Simply run this command:

$ sudo certbot renew


4.2 - Renew LetsEncrypt Certificate with Cloudflare

To renew the certificate when the site is behind Cloudflare, unfortunately, you have to do a few manual steps:

  1. Disable the A record for www and the A record for yourdomain.com in the Cloudflare panel. Do the same for the CNAME record if you have one.
  2. Wait a few minutes for the changes to take effect.
  3. Run the renewal manually with the command from step 4.1.
  4. Re-enable the records from step 1.

After that, your certificates will have been renewed.


Conclusion

In this post, we installed Certbot to generate SSL certificates for a specific domain.

We then let it configure NGINX to use these certificates, so you can have a secure website in a matter of minutes.

This post was translated from Spanish; the original is linked at the top of the page.
If you run into any problem, you can add a comment below or contact me through the website's contact form.
