$ sudo yum install epel-release
$ sudo yum install certbot-nginx
2. Setting up Nginx
$ sudo yum install nginx
$ sudo systemctl start nginx
Certbot can automatically configure SSL for Nginx, but it needs to be able to find the correct server block in your config. It does this by looking for a server_name directive that matches the domain you're requesting a certificate for. If you're starting out with a fresh Nginx install, you can update the default config file.
3. Updating the Firewall
$ sudo firewall-cmd --add-service=http
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent
OR
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
4. Obtaining a Certificate
$ sudo certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.
5. Updating Diffie-Hellman Parameters
If you test your server using the SSL Labs Server Test now, it will only get a B grade due to weak Diffie-Hellman parameters. This affects the security of the initial key exchange between our server and its users. We can fix this by creating a new dhparam.pem file and adding it to our server block.
Create the file using openssl:
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This will take a while, up to a few minutes. When it's done, open up the Nginx config file that contains your server block. In our example, it's the default config file:
$ sudo vi /etc/nginx/nginx.conf
Paste the following line anywhere within the server block:
/etc/nginx/nginx.conf
. . .
ssl_dhparam /etc/ssl/certs/dhparam.pem;
Save the file and quit your editor, then verify the configuration:
$ sudo nginx -t
If you have no errors, reload Nginx:
$ sudo systemctl reload nginx
6. Setting Up Auto Renewal
Add a crontab entry:
15 3 * * * /usr/bin/certbot renew --quiet # run certbot renew at 3:15 am every day
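The following pre-flight check is an added example, not part of the original post and not certbot's own code. It mimics how certbot --nginx picks a server block (step 2: exact match against the server_name directive) and then confirms that the matched block carries the ssl_dhparam line from step 5; the sample nginx.conf it runs against is constructed inline.

```shell
# Added example: locate the nginx server block the way certbot --nginx does
# (by server_name) and check it references the dhparam file from step 5.

# Print the brace-balanced server block in config $1 whose server_name lists $2.
server_block_for() {
    awk -v want="$2" '
        /^[ \t]*server[ \t]*\{/ { depth = 0; inblock = 1; buf = ""; hit = 0 }
        inblock {
            buf = buf $0 "\n"
            if ($1 == "server_name") {
                # compare each listed name exactly, ignoring the trailing semicolon
                for (i = 2; i <= NF; i++) {
                    tok = $i; sub(/;$/, "", tok)
                    if (tok == want) hit = 1
                }
            }
            depth += gsub(/\{/, "{")   # opening braces on this line
            depth -= gsub(/\}/, "}")   # closing braces (location {} nests inside)
            if (depth == 0) { if (hit) printf "%s", buf; inblock = 0 }
        }' "$1"
}

# Succeed only if the block serving $2 in config $1 references ssl_dhparam.
has_dhparam() {
    server_block_for "$1" "$2" | grep -q '^[[:space:]]*ssl_dhparam[[:space:]]'
}

# Constructed sample nginx.conf (not a real file from the post): the port-80
# block lacks ssl_dhparam, the port-443 block has it.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
http {
    server {
        listen 80;
        server_name example.com www.example.com;
        location / { root /usr/share/nginx/html; }
    }
    server {
        listen 443 ssl;
        server_name secure.example.com;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
    }
}
EOF

for name in example.com secure.example.com; do
    has_dhparam "$SAMPLE_CONF" "$name" && echo "$name: ssl_dhparam present" || echo "$name: ssl_dhparam missing, repeat step 5 for this block"
done
```

Run it against /etc/nginx/nginx.conf and your own domain after step 5 to confirm the line landed in the block certbot actually configured.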