Learning and Sharing

Enable Free Let’s Encrypt SSL for WordPress with Nginx on CentOS

October 25, 2022
in Blog, Linux

After creating a WordPress site with Nginx on CentOS 7, you need to enable SSL for that site instead of accessing it over plain HTTP, which is not secure.


Enable HTTPS for WordPress

Let’s Encrypt is a non-profit certificate authority that provides a free SSL certificate to create a more secure and privacy respecting Web.

To obtain a Let’s Encrypt SSL certificate and install it on your website, you will need to install the Certbot client package on your server.

Run the following command to install the Certbot client package for Nginx:

sudo yum install certbot-nginx -y

Once the Certbot package is installed, run the following command to enable SSL on your WordPress website.

Note: Change the domain to the one you are using and replace the email address.
sudo certbot --nginx -d bonguides.me -d www.bonguides.me
# sudo certbot --nginx -d bonguides.me -d www.bonguides.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for bonguides.me and www.bonguides.me
Performing the following challenges:
http-01 challenge for bonguides.me
http-01 challenge for www.bonguides.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bonguides.me.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/bonguides.me.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/bonguides.me.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/bonguides.me.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://bonguides.me and
https://www.bonguides.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/bonguides.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/bonguides.me/privkey.pem
   Your certificate will expire on 2023-01-23. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files (*.pem) are created automatically.

# ls /etc/letsencrypt/live/bonguides.me/
cert.pem  chain.pem  fullchain.pem  privkey.pem  README

Certbot also adds some lines to the virtual host configuration file.

# cat /etc/nginx/conf.d/bonguides.me.conf
server {
    server_name bonguides.me www.bonguides.me;
    root /var/www/bonguides.me;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_pass                   unix:/run/php-fpm/www.sock;
        fastcgi_index                  index.php;
        fastcgi_param DOCUMENT_ROOT    $realpath_root;
        fastcgi_param SCRIPT_FILENAME  $realpath_root$fastcgi_script_name;
    }

    access_log /var/log/nginx/bonguides.me.access.log;
    error_log /var/log/nginx/bonguides.me.error.log;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/bonguides.me/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/bonguides.me/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}
server {
    if ($host = www.bonguides.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = bonguides.me) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name bonguides.me www.bonguides.me;
    return 404; # managed by Certbot
}

Finally, the site was protected by an SSL certificate.


Setting Up Auto-Renewal

Let’s Encrypt certificates are valid for 90 days, but it’s recommended that you renew the certificates every 60 days to allow for a margin of error. The Certbot Let’s Encrypt client has a renew command that automatically checks the currently installed certificates and tries to renew them if they are less than 30 days away from the expiration date.

You can test automatic renewal for your certificates by running this command:

sudo certbot renew --dry-run
# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/bonguides.me.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Account registered.
Simulating renewal of an existing certificate for bonguides.me and www.bonguides.me
Performing the following challenges:
http-01 challenge for bonguides.me
http-01 challenge for www.bonguides.me
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/bonguides.me/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/bonguides.me/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Edit the crontab to create a new job that will run the renewal twice per day. To edit the crontab for the root user, run:

sudo crontab -e

Your text editor will open the default crontab, which is an empty text file at this point. Add the following line:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --quiet

This will create a new cron job that will execute at noon and midnight every day and will select a random minute within the hour for your renewal tasks.

The renew command for Certbot checks all certificates installed on the system and renews any that are set to expire in less than thirty days. The --quiet flag tells Certbot not to output information or wait for user input.
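Because the cron job runs with --quiet, a renewal that keeps failing goes unnoticed until the certificate expires. The script below is an added example, not part of the original post: it compares a certificate's end date with the 30-day renewal window described above. The function names, the file name check-cert.sh, the 20-day alert threshold and the time of day in the sample date are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect a silently failing
# "certbot renew --quiet" cron job by looking at the certificate end date.

# renewal_status NOT_AFTER NOW_EPOCH [ALERT_DAYS]
#   NOT_AFTER: end date as printed by `openssl x509 -noout -enddate`,
#              with or without the leading "notAfter=",
#              e.g. "Jan 23 09:00:00 2023 GMT" (constructed sample).
#   Prints one of:
#     OK       more than 30 days left, Certbot will not renew yet
#     DUE      inside the 30-day window, the next cron run should renew
#     STALE    fewer than ALERT_DAYS left, renewals have been failing
#     EXPIRED  the end date has passed
#     UNKNOWN  the date could not be parsed
#   ALERT_DAYS defaults to 20 (assumed threshold, not a Certbot setting).
renewal_status() (
    not_after=${1#notAfter=}
    now=$2
    alert_days=${3:-20}
    [ -n "$not_after" ] || { echo UNKNOWN; return 2; }
    # GNU date (the CentOS default) parses OpenSSL's date format.
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo UNKNOWN; return 2; }
    secs=$(( end - now ))
    if   [ "$secs" -le 0 ];                         then echo EXPIRED; return 1
    elif [ "$secs" -lt $(( alert_days * 86400 )) ]; then echo STALE;   return 1
    elif [ "$secs" -lt $(( 30 * 86400 )) ];         then echo DUE
    else                                                 echo OK
    fi
)

# check_cert PEM_FILE [ALERT_DAYS]: run the same check on a certificate file.
check_cert() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || { echo UNKNOWN; return 2; }
    renewal_status "$enddate" "$(date +%s)" "${2:-20}"
}

# sh check-cert.sh /etc/letsencrypt/live/bonguides.me/fullchain.pem
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```

The script exits non-zero for STALE and EXPIRED, so it can be scheduled from cron or a monitoring agent that alerts on a failing exit status.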
