Installing Certbot on AlmaLinux 9 With Nginx

By Jennifer Mathew

Updated on Feb 19, 2024

In this tutorial, we'll explain how to install Certbot on AlmaLinux 9 with Nginx. It will secure the Nginx web server using free Let’s Encrypt SSL certificates.

Certbot is a free, open-source tool that automatically obtains and installs Let’s Encrypt certificates on manually administered websites to enable HTTPS. We can install SSL certificates with it from the command line.

Let's Encrypt is a Certificate Authority (CA) that provides SSL/TLS certificates at no charge. Each certificate is valid for 90 days, during which renewal can take place at any time.

Prerequisites

  • An AlmaLinux 9 dedicated server or cloud server with Nginx installed and root or non-root access (for non-root, use "sudo").
  • A registered domain for which you wish to get the certificate.
  • A DNS A record that points your domain to the public IP address of the server.

Install Certbot on AlmaLinux With Nginx

1. Keep the server up to date

dnf update -y

2. Install Certbot Nginx Package

dnf install certbot python3-certbot-nginx -y

3. Obtaining a Certificate

Obtain a certificate using the certbot command. The Nginx plugin will take care of reconfiguring Nginx and reloading the config.

certbot --nginx -d yoursite.com -d www.yoursite.com

When you run certbot for the first time, you will be prompted to enter an email address and agree to the terms of service. Next, Certbot will communicate with the Let's Encrypt server.

Once it deploys the SSL certificate, it will display output similar to this:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/yousite.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/yousite.com/privkey.pem
This certificate expires on 2024-05-18.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for yousite.com to /etc/Nginx2/sites-available/yousite.com-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://yousite.com

4. Verify Certbot Auto-renewal

Verify that Certbot's auto-renewal service is active and running. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

First, start the timer service using the following command:

systemctl start certbot-renew.timer

You can query the status of the timer with systemctl:

systemctl status certbot-renew.timer

Output similar to the following will be printed on the console:

● certbot-renew.timer - This is the timer to set the schedule for automated renewals
     Loaded: loaded (/usr/lib/systemd/system/certbot-renew.timer; enabled; preset: enabled)
     Active: active (waiting) since Sun 2024-02-18 13:56:45 UTC; 1s ago
      Until: Sun 2024-02-18 13:56:45 UTC; 1s ago
    Trigger: Mon 2024-02-19 04:28:47 UTC; 14h left
   Triggers: ● certbot-renew.service

Feb 18 13:56:45 squid.hnxcloud.com systemd[1]: Started This is the timer to set the schedule for automated renewals.

5. Test automatic renewal

Certbot comes with a cron job or systemd timer that will renew your certificates automatically before they expire.

Let's test automatic renewal for our certificates by running this command:

certbot renew --dry-run

Output similar to the following will be printed:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/squid.hnxcloud.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Account registered.
Simulating renewal of an existing certificate for squid.hnxcloud.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/squid.hnxcloud.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6. Confirm SSL certificate

To confirm that our site is set up properly, visit https://yoursite.com/ in your browser and look for the lock icon in the URL bar.
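
A check to pair with the dry run and the browser test, as an added example that is not part of the original tutorial: the function reads `certbot certificates` output and lists every certificate that is invalid or has fewer than 30 days left, which on this setup means the renewal timer has been failing. The names `stale_certs` and `sample_output`, the sample domains and the sample text are constructed; the parser assumes the `Certificate Name:` and `Expiry Date: ... (VALID: N days)` lines that `certbot certificates` prints.

```sh
#!/bin/sh
# Added example: list certificates the renewal timer should already have
# replaced. On a server (assumption: run as root):
#   certbot certificates 2>/dev/null | stale_certs 30

# stale_certs MIN_DAYS: reads `certbot certificates` output on stdin, prints
# "name status" for each certificate that is invalid or has fewer than
# MIN_DAYS days left. Returns 1 if any were printed, otherwise 0.
stale_certs() {
    awk -v min="${1:-30}" '
        /Certificate Name:/ { name = $NF }
        /Expiry Date:/ {
            # Status is the parenthesised suffix, e.g. "(VALID: 89 days)".
            status = substr($0, index($0, "(") + 1)
            sub(/\)[ \t]*$/, "", status)
            if (status ~ /^VALID: [0-9]+ days?$/) {
                split(status, f, " "); days = f[2] + 0
            } else if (status ~ /^VALID: [0-9]+ hour/) {
                days = 0     # under one day left
            } else {
                days = -1    # INVALID: EXPIRED, REVOKED, or unparseable
            }
            if (days < min) { print name, status; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output (not captured from a real server).
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: yoursite.com
    Domains: yoursite.com www.yoursite.com
    Expiry Date: 2024-05-18 13:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yoursite.com/fullchain.pem
  Certificate Name: old.example
    Expiry Date: 2024-03-01 09:00:00+00:00 (VALID: 11 days)
  Certificate Name: dead.example
    Expiry Date: 2024-01-02 09:00:00+00:00 (INVALID: EXPIRED)
  Certificate Name: soon.example
    Expiry Date: 2024-02-19 20:00:00+00:00 (VALID: 3 hour(s))
EOF
}

sample_output | stale_certs 30 || echo "renewal needs attention" >&2
```

The non-zero exit status lets a monitoring job alert on a certificate that the timer failed to renew.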

That's it. We have seen how to install Certbot on AlmaLinux 9 with Nginx.