Enable Free Let's Encrypt SSL for WordPress with Nginx on CentOS

After creating a WordPress site with Nginx on Centos 7. You need enable ssl for that site instead of access the site though http – not secure.

Enable HTTPS for WordPress

Let’s Encrypt is a non-profit certificate authority that provides a free SSL certificate to create a more secure and privacy respecting Web.

To download the Let’s Encrypt server SSL and implement it on your website, you will need to install the Certbot client package on your server.

Run the following command to install the Certbot client package for Nginx:

sudo yum install certbot-nginx -y

Once the Certbot package is installed, run the following command to enable the SSL on your WordPress website.

Note Note: Change to the domain you are using and replace the email address.

sudo certbot --nginx -d bonguides.me -d www.bonguides.me

# sudo certbot --nginx -d bonguides.me -d www.bonguides.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for bonguides.me and www.bonguides.me
Performing the following challenges:
http-01 challenge for bonguides.me
http-01 challenge for www.bonguides.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bonguides.me.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bonguides.me.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/bonguides.me.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/bonguides.me.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://bonguides.me and
https://www.bonguides.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bonguides.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bonguides.me/privkey.pem
   Your certificate will expire on 2023-01-23. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files (*.pem) are created automatically.

#ls /etc/letsencrypt/live/bonguides.me/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

And the Certbot will add some lines into the virtual host configuration file.

# cat /etc/nginx/conf.d/bonguides.me.conf
server {
    server_name bonguides.me www.bonguides.me;
    root /var/www/bonguides.me;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_pass                   unix:/run/php-fpm/www.sock;
        fastcgi_index                  index.php;
        fastcgi_param DOCUMENT_ROOT    $realpath_root;
        fastcgi_param SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    }

    access_log /var/log/nginx/bonguides.me.access.log;
    error_log /var/log/nginx/bonguides.me.error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bonguides.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bonguides.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    if ($host = www.bonguides.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = bonguides.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name bonguides.me www.bonguides.me;
    return 404; # managed by Certbot

Finally, the site was protected by an SSL certificate.

Setting Up Auto-Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow for a margin of error. The Certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run

# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bonguides.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for bonguides.me and www.bonguides.me
Performing the following challenges:
http-01 challenge for bonguides.me
http-01 challenge for www.bonguides.me
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/bonguides.me/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/bonguides.me/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

sudo crontab -e

Your text editor will open the default crontab, which is an empty text file at this point.

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet

This will create a new cron job that will execute at noon and midnight every day and will select a random minute within the hour for your renewal tasks.

The renew command for Certbot will check all certificates installed on the system and update any that are set to expire in less than thirty days. –quiet tells Certbot not to output information or wait for user input.