Let’s Encrypt SSL Certificate Installation (CentOS + Nginx), along with Scoring and Automatic Renewal

Yesterday I tried GoDaddy's SSL certificate and found it wasn't very user-friendly, so I looked into Let's Encrypt. Many personal websites are now switching to Let's Encrypt, and it has strong backing, with sponsorship from various large companies. Let's Encrypt's main purpose is to popularize SSL certificates and accelerate the internet's transition to HTTPS. Although it's an open-source project, its offer of 3 months of free SSL is quite popular. (3 months isn't a big deal; I can just write a program to automatically renew it.)

There are many installation and deployment methods online. After some research, I found the simplest method to be as follows:

The following assumes that Nginx is already installed on CentOS 6. If you don't understand the commands for other versions, please leave a message.

Install git and EPEL

yum install git
yum install epel-release

Then switch directories and clone the repository with git.

cd /opt
git clone https://github.com/letsencrypt/letsencrypt

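Then stop the nginx service (standalone mode runs its own temporary web server for validation, so the web port must be free), change into the directory, and run the installer to request the certificate.

service nginx stop
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d your_domain.tld -d www.your_domain.tld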

Then follow the prompts to enter your email address and other information, and wait for the domain to be verified. Domain verification seems to be unreliable, however; if it fails, try a few more times.

—————————Installation is complete. The following steps involve configuration.————————

I've written down the key points of nginx configuration; ask if you don't understand.

listen 443 ssl default_server;
ssl_certificate /etc/letsencrypt/live/your_domain.tld/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your_domain.tld/privkey.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

After that, run a test and get a rating from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html

After the evaluation completed, it reported a weak DH key exchange. This issue can be resolved as follows:

mkdir /etc/nginx/ssl
cd /etc/nginx/ssl
openssl dhparam -out dhparams.pem 4096

Then, in the file `/etc/nginx/nginx.conf`, add the following:
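
An added check, not part of the original post: nginx loads a DH parameter file through its `ssl_dhparam` directive, so this shell function flags a config that enables DHE cipher suites without one (nginx before 1.11.0 then falls back to built-in parameters) and lists deprecated protocol versions. The function names, finding labels and both sample configs are constructed for illustration, and using `ssl_dhparam /etc/nginx/ssl/dhparams.pem` as the fix is an assumption.

```sh
#!/bin/sh
# Added example: static audit of nginx TLS settings (all names are hypothetical).

# Print the arguments of directive $1 found in the config text $2.
directive() {
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*${1}[[:space:]][[:space:]]*\(.*\)/\1/p"
}

# Succeed if an OpenSSL cipher string enables finite-field DHE suites.
# EECDH/ECDHE (elliptic curve) must not match; "!EDH"-style exclusions are skipped.
uses_dhe() {
    printf '%s\n' "$1" | tr -d "'\"" | tr ': ' '\n\n' |
        grep -v '^[!-]' | grep -Eq '(^|\+)k?(EDH|DHE)(\+|-|$)'
}

# Read an nginx config on stdin and print one finding per line.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_tls_conf() {
    # Drop comments, then put every directive on its own line.
    conf=$(sed 's/#.*//' | tr ';{}' '\n\n\n')
    rc=0
    if uses_dhe "$(directive ssl_ciphers "$conf")" &&
       [ -z "$(directive ssl_dhparam "$conf")" ]; then
        echo "DH_PARAMS: DHE suites enabled but no ssl_dhparam file is set"
        rc=1
    fi
    old=$(directive ssl_protocols "$conf" | tr ' \t' '\n\n' |
          grep -Ex 'SSLv[23]|TLSv1(\.1)?' | tr '\n' ' ')
    if [ -n "$old" ]; then
        echo "OLD_PROTOCOL: ${old% }"
        rc=1
    fi
    return $rc
}

# Constructed sample: the settings from the post, before the DH fix.
CONF_BEFORE="ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';"

# Constructed sample: DH file loaded (assumed directive), old protocols dropped.
CONF_AFTER="ssl_protocols TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /etc/nginx/ssl/dhparams.pem;  # file from the openssl step"

printf '%s\n' "$CONF_BEFORE" | audit_tls_conf || true
printf '%s\n' "$CONF_AFTER" | audit_tls_conf && echo "clean"
```

To audit a real file, feed it on stdin: `audit_tls_conf < /etc/nginx/nginx.conf`.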

 

Original articles on this site are licensed under the Attribution-NonCommercial-ShareAlike 4.0 License (CC BY-NC-SA 4.0). Please retain the following annotations when sharing or adapting:

Original author: Jake Tao. Source: "Let's Encrypt SSL Certificate Installation (CentOS + Nginx), Scoring, and Automatic Renewal"
