Step 1 – Install the required software

Install the git, wget, curl and bc packages with the yum command:
sudo yum install git bc wget curl socat

Step 2 – Install acme.sh Let’s Encrypt client

Clone the repo:
cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git


Install acme.sh client on to your system, run:
cd acme.sh/
sudo -i ## be root user ##
./acme.sh --install


After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following source command:
sudo source ~/.bashrc
Verify installation by printing version number:
acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.4

Step 3 – Basic nginx config for http server

I am going to create a new config for domain named example.com (feel free to replace example.com with your actual domain name) as follows:
# vi /etc/nginx/conf.d/example.com.conf
Append the following code:

 http port 80
server {
listen 80;
server_name example.com;
access_log /var/log/nginx/http_example.com_access.log;
error_log /var/log/nginx/http_example.com_error.log;
root /usr/share/nginx/html;
}

Save and close the file. Test nginx set up and reload the nginx server as follows:
# nginx -t
# systemctl restart nginx.service

Step 4 – Create dhparams.pem file

Run openssl command but create a new directory using the mkdir command:
# mkdir -pv /etc/nginx/ssl/example.com/
# cd /etc/nginx/ssl/example.com/
# openssl dhparam -out dhparams.pem -dsaparam 4096

See “how to speed up OpenSSL/GnuPG Entropy For Random Number Generation On Linux” for more info.

Step 5 – Obtain a certificate for domain

Issue a certificate for your domain:
sudo acme.sh --issue -d example.com -k 2048 --nginx
## for two domains ##
sudo acme.sh --issue -d example.com -d www.example.com -k 2048 --nginx
## get certs for three domains ##
sudo acme.sh --issue -d example.com -d www.example.com -k 2048 --nginx
## let us get cert for example.com domain only ##
sudo acme.sh --issue -d example.com -k 4096 --nginx

Step 6 – Configure Nginx

You just successfully requested an SSL Certificate from Let’s Encrypt for your CentOS 8 Linux server. It is time to configure it. Update for ssl config as follows:
$ sudo vi /etc/nginx/conf.d/example.com
Append the following config:


server {
listen 80;
listen [::]:80;
access_log /var/log/nginx/http_example.com_access.log;
error_log /var/log/nginx/http_example.com_error.log;
server_name example.com;
root /usr/share/nginx/html;
#
# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
#
return 301 https://$host$request_uri;
}

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
root /usr/share/nginx/html;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/ssl/example.com/example.com.cer;
ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;
ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ssl/example.com/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
# make sure the below ssl_ciphers is all one line #
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

add_header Strict-Transport-Security "max-age=63072000" always;
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8;

}

Save and close the file in vi/vim text editor.

Step 7 – Install certificate

 

Install the issued cert to nginx server:
# acme.sh --installcert -d example.com \
--key-file /etc/nginx/ssl/example.com/example.com.key \
--fullchain-file /etc/nginx/ssl/example.com/example.com.cer \
--reloadcmd 'systemctl reload nginx.service'


Make sure port os open with the ss command or netstat command:
# ss -tulpn

Step 7 – Firewall configuration

You need to open port 443 (HTTPS) on your server so that clients can connect it using Firewalld. Update the rules as follows:
$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Step 8 – Test it

Fire a web browser and type your domain such as:
https://example.com
Test it with SSLlabs test site:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com

Step 9 – acme.sh commands

List all certificates:
# acme.sh --list
Sample outputs:

Main_Domain            KeyLength  SAN_Domains  Created                       Renew
example.com  "4096"     no           Mon Dec 30 16:57:10 UTC 2019  Fri Feb 28 16:57:10 UTC 2020

Renew a cert for domain named example.com:
# acme.sh --renew -d example.com
Please note that a cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part). To see job run:
# crontab -l
Sample outputs:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Upgrade acme.sh client:
# acme.sh --upgrade
Getting help:
# acme.sh --help | more

Was this answer helpful? 458 Users Found This Useful (226 Votes)