Some info in the biblio suggests using GIT to clone LE.
It's available on CentOS7 via yum though, so I simply installed via yum
To get a certificate was quite simple.
LE expects to be able to access a file in /.well-known/acme-challenge under the root of the webserver.
Because this is a new installation, I was able to shut down the website temporarily:
# systemctl stop nginx
# mkdir -p htdocs.le/.well-known/acme-challenge
# mv htdocs htdocs.real
# ln -s htdocs.le htdocs
# letsencrypt --text --renew-by-default --email roo@norwegian.blue --domains entries.mydomain.net --agree-tos --standalone --standalone-supported-challenges http-01 certonly
# rm htdocs && ln -s htdocs.real htdocs
# systemctl start nginx
This has restarted the webserver, but it's not running SSL yet. If there were no errors from the letsencrypt command, however, you now have your certs.
This technique used "Standalone verification"
If there were no errors, LE will have generated the certificate and put the files in /etc/letsencrypt/live/entries.mydomain.net.
Edit the entries.mydomain.net.conf file, and in the SSL block, put:
ssl_certificate /etc/letsencrypt/live/entries.mydomain.net/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/entries.mydomain.net/privkey.pem;
Make sure they're uncommented.
To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Edit nginx.conf and find the ssl_dhparam directive. Point it to the file just created.
(This is taken from the digitalocean tutorial. Other config directives defined in there are in a mix of the nginx.conf and the virtual host conf. They were mostly correct.)
Restart nginx and make sure you can get to the site with https.
Redirect http to https
Edit the virtualhost conf (entries.mydomain.net.conf) and add the following line:
return 301 https://$host$request_uri;
Place this immediately after
listen 80; # IPv4
in the HTTP server block.
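As an added example (not from the original notes or from the digitalocean tutorial), here are the two server blocks that the SSL edits and the redirect described above produce when put together for entries.mydomain.net. The certificate, key and dhparam paths are the ones given above; the document root, the server_name lines and the ssl_protocols / ssl_prefer_server_ciphers settings are assumptions added here, not taken from the page.

```nginx
# HTTP server block: only job is to send every request to HTTPS.
server {
    listen 80;   # IPv4
    server_name entries.mydomain.net;   # assumption: matches the vhost file name

    # Placed right after "listen 80;" as described above.
    # $host and $request_uri preserve the requested name and path.
    return 301 https://$host$request_uri;
}

# HTTPS server block: uses the files LE wrote under /etc/letsencrypt/live/.
server {
    listen 443 ssl;
    server_name entries.mydomain.net;
    root /var/www/htdocs;   # placeholder: use the real document root

    # fullchain.pem carries the leaf cert plus the intermediate, so clients
    # can build the chain; privkey.pem must stay readable only by root.
    ssl_certificate     /etc/letsencrypt/live/entries.mydomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/entries.mydomain.net/privkey.pem;

    # The 2048-bit Diffie-Hellman group generated with "openssl dhparam".
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Assumption, not from the page: restrict to TLS 1.2 (the OpenSSL on
    # CentOS 7 does not offer TLS 1.3) and let the server pick the cipher.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
```

After saving the file, run nginx -t to syntax-check the configuration before restarting, and confirm that https://entries.mydomain.net/ loads and that a plain http:// request answers with a 301 to the https URL.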