Fue desarrollado por Internet Security Research Group (ISRG) y cuenta con la confianza de todos los principales navegadores. Se utiliza para automatizar el proceso de creación, validación, firma, implementación y renovación de certificados para sitios web seguros.
El certificado es válido solo por 90 días, por lo que deberá renovarlo manualmente o configurar el sistema de renovación automática,
Let's encrypt admite la emisión de certificación automatizada para Apache, Nginx, Plex y HAproxy. Cubriremos nginx en esta guía.
Contenido relacionado
- Cómo asegurar Nginx con Letsencrypt en Ubuntu 20.04
- Cómo instalar y configurar Nginx, WordPress y Mysql 8 en Rocky Linux/Centos 8
- Cómo instalar Nginx y configurar el host virtual en Ubuntu 20.04
Requisitos previos:
- Servidor CentOS 8 con acceso a internet e IP pública
- Un nombre de dominio válido con DNS apuntado al servidor
- Acceso raíz al servidor Centos 8
Instalación del cliente Certbot Let's Encrypt
Inicie sesión en el servidor usando ssh [email protected] -p port :
ssh [email protected]Actualice todos sus paquetes a sus últimas versiones disponibles.
sudo dnf update -yInstalar Nginx
sudo dnf install -y nginxIniciar y habilitar nginx
systemctl start nginx
systemctl enable nginx
Para esto, creemos una configuración de nginx:
Configuración de Nginx actualizada:
server {
listen 80;
server_tokens off;
client_max_body_size 10M;
server_name site1.citizix.com;
access_log /var/log/nginx/site1.citizix.com/access.log;
error_log /var/log/nginx/site1.citizix.com/error.log;
ignore_invalid_headers off;
## Deny illegal Host headers
if ($host !~* ^(site1.citizix.com)$ ) {
return 444;
}
root /var/www/site1.citizix.com;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}Instalar el cliente Certbot
Certbot es una herramienta de línea de comandos que se utiliza para simplificar el proceso de obtención y renovación de certificados SSL de Let's Encrypt para su sitio web.
sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginxSi usa firewalld, habilite http y https en el firewall:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --permanent --list-allObtención de un Certificado
Detener nginx:
sudo systemctl stop nginxsudo certbot --nginx --non-interactive --agree-tos --email [email protected] -d site1.citizix.comSalida
# sudo certbot --nginx --non-interactive --agree-tos --email [email protected] -d site1.citizix.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Account registered.
Requesting a certificate for site1.citizix.com
Performing the following challenges:
http-01 challenge for site1.citizix.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/site1.citizix.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/site1.citizix.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://site1.citizix.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/site1.citizix.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/site1.citizix.com/privkey.pem
Your certificate will expire on 2021-11-05. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again with the "certonly" option. To non-interactively
renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-leIniciar nginx:
sudo systemctl start nginxConfiguración de Nginx actualizada:
server {
server_tokens off;
client_max_body_size 10M;
server_name site1.citizix.com;
access_log /var/log/nginx/site1.citizix.com/access.log;
error_log /var/log/nginx/site1.citizix.com/error.log;
ignore_invalid_headers off;
## Deny illegal Host headers
if ($host !~* ^(site1.citizix.com)$ ) {
return 444;
}
root /var/www/site1.citizix.com;
location / {
proxy_pass http://127.0.0.1:8096;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/site1.citizix.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/site1.citizix.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = site1.citizix.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name site1.citizix.com;
return 404; # managed by Certbot
}