SSL using LetsEncrypt

Some of the info in the biblio suggests cloning LE with git.

It's available on CentOS 7 via yum though, so I simply installed it via yum.

Getting a certificate was quite simple.

LE expects to be able to fetch a file from /.well-known/acme-challenge under the root of the webserver.

Because this is a new installation, I was able to shut down the website temporarily:

# systemctl stop nginx
# mkdir -p htdocs.le/.well-known/acme-challenge
# mv htdocs htdocs.real
# ln -s htdocs.le htdocs
# letsencrypt --text --renew-by-default --email --domains --agree-tos --standalone --standalone-supported-challenges http-01 certonly
# rm htdocs && ln -s htdocs.real htdocs
# systemctl start nginx

This restarts the webserver, but it's not serving SSL yet. If there were no errors from the letsencrypt command, you have, however, got your certs.

This technique used "Standalone verification".

If there were no errors, LE will have generated the certificate and put the files in /etc/letsencrypt/live/

Edit the nginx config and, in the SSL server block, put:

    ssl_certificate     /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

Make sure they're uncommented.

To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Edit nginx.conf and find the ssl_dhparam directive. Point it to the file just created.
(This is taken from the DigitalOcean tutorial. The other config directives it defines are split between nginx.conf and the virtual host conf; they were mostly correct.)

Restart nginx and make sure you can reach the site over https.
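Before restarting nginx it is worth checking the material LE wrote, because a mismatched key or an undersized DH group only shows up as a failed handshake later. The script below is an added example written for these notes, not part of the original and not from the letsencrypt client; it assumes openssl is on PATH and that the live directory uses the client's fullchain.pem / privkey.pem layout.

```shell
#!/bin/sh
# Added example (not from the original notes): sanity-check the files Let's Encrypt
# wrote under /etc/letsencrypt/live/<domain>/ plus the generated dhparam file.
# Assumptions: openssl on PATH; fullchain.pem / privkey.pem naming as used by the client.

# Return 0 if the certificate's public key matches the private key, 1 otherwise.
# Comparing the exported public keys works for both RSA and EC keys.
cert_key_match() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the certificate is still valid for at least $2 seconds from now.
# LE certs last 90 days; renewing when under 30 days remain is the usual rule.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Print the size in bits of a PEM Diffie-Hellman group, or 0 if the file is unreadable.
dhparam_bits() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Run every check for one live directory and one dhparam file; return 0 only if all pass.
check_le_material() {
    live="$1"; dh="$2"; status=0
    if cert_key_match "$live/fullchain.pem" "$live/privkey.pem"; then
        echo "ok: fullchain.pem matches privkey.pem"
    else
        echo "FAIL: certificate and key do not match"; status=1
    fi
    if cert_valid_for "$live/fullchain.pem" $((30 * 86400)); then
        echo "ok: certificate valid for more than 30 days"
    else
        echo "FAIL: certificate expires within 30 days (or is unreadable)"; status=1
    fi
    bits=$(dhparam_bits "$dh")
    if [ "$bits" -ge 2048 ]; then
        echo "ok: dhparam is $bits bits"
    else
        echo "FAIL: dhparam is $bits bits; expected at least 2048"; status=1
    fi
    return $status
}

# Usage: sh le-check.sh /etc/letsencrypt/live/<domain> /etc/ssl/certs/dhparam.pem
if [ "$#" -eq 2 ]; then
    check_le_material "$1" "$2"
fi
```

Run it with the live directory and the dhparam path as the two arguments; a non-zero exit means something in the SSL block will not work. After the restart, curl -vI https://<domain> from another machine confirms the chain is accepted by a normal client.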

Redirect http to https

Edit the virtualhost conf and add the following line:

    return 301 https://$host$request_uri;

Place this immediately after

    listen 80; # IPv4

in the HTTP server block.
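The notes assemble the SSL block, the dhparam directive and the redirect one piece at a time. The script below is an added example, not from the original notes or the DigitalOcean tutorial, that prints the whole site config for a given domain and webroot (both assumed arguments; the cert paths follow the /etc/letsencrypt/live/<domain>/ layout). It differs from the notes in one deliberate way: the 301 sits inside location / rather than directly after listen 80, because a server-level return runs before location matching and would also redirect /.well-known/acme-challenge, which is kept reachable over plain HTTP here so that a webroot-style renewal is not bounced to HTTPS (the standalone method above does not need this, since nginx is stopped).

```shell
#!/bin/sh
# Added example (not from the original notes): render the complete nginx site config that
# the notes build piece by piece. Assumptions: $1 is the domain used for the LE cert,
# $2 is the site's document root; write the output to /etc/nginx/conf.d/<domain>.conf
# (CentOS 7 layout) and run "nginx -t" before restarting.

render_site_conf() {
    domain="$1"; webroot="$2"
    cat <<EOF
server {
    listen 80; # IPv4
    server_name $domain;

    # ACME http-01 challenges must stay reachable over plain HTTP; serving them from
    # the webroot here means a webroot-style renewal is never redirected.
    location /.well-known/acme-challenge/ {
        root $webroot;
    }

    # Everything else goes to HTTPS, keeping host and path.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl; # IPv4
    server_name $domain;
    root $webroot;

    # Files written by the letsencrypt client; dhparam.pem from "openssl dhparam".
    ssl_certificate     /etc/letsencrypt/live/$domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
}
EOF
}

# Usage: sh render-site.sh example.org /var/www/example.org/htdocs > /etc/nginx/conf.d/example.org.conf
if [ "$#" -eq 2 ]; then
    render_site_conf "$1" "$2"
fi
```

Redirect output into the conf.d file, run nginx -t, then restart; the ssl_dhparam line replaces the one edited into nginx.conf above if you prefer to keep it per-site.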