How to install certbot ssl certificate on nginx server

I am using a CentOS 7.4 server. You can use the following commands to install the SSL certificate.

#cd /etc/nginx/conf.d/

[root@vps147238 conf.d]# cp m.eparinay.com.conf qa.eparinay.com.conf
[root@vps147238 conf.d]# vim qa.eparinay.com.conf
[root@vps147238 conf.d]# sudo certbot --nginx -d qa.eparinay.com -d qa.eparinay.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to parse the version 1.23.0 renewal configuration file found at /etc/letsencrypt/renewal/eparinay.com.conf with version 1.11.0 of Certbot. This might not work.
Attempting to parse the version 1.23.0 renewal configuration file found at /etc/letsencrypt/renewal/purabtech.com.conf with version 1.11.0 of Certbot. This might not work.
Attempting to parse the version 1.23.0 renewal configuration file found at /etc/letsencrypt/renewal/www.eparinay.com-0001.conf with version 1.11.0 of Certbot. This might not work.
Requesting a certificate for qa.eparinay.com
Performing the following challenges:
http-01 challenge for qa.eparinay.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/conf.d/qa.eparinay.com.conf
Traffic on port 80 already redirecting to ssl in /etc/nginx/conf.d/qa.eparinay.com.conf


Congratulations! You have successfully enabled https://qa.eparinay.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/qa.eparinay.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/qa.eparinay.com/privkey.pem
    Your certificate will expire on 2022-07-31. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"
  • If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

[root@vps147238 conf.d]# vim qa.eparinay.com.conf
[root@vps147238 conf.d]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service
[root@vps147238 conf.d]#

auto renew letsencrypt ssl apache on linux

To auto-renew the SSL certificate, I added the following line to crontab.

0 0 */10 * * certbot renew >> /logs/certbot-cron.log 2>&1

Log of certbot renew command.

[root@vps147238 ep]# certbot renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/purabtech.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/purabtech.com/fullchain.pem expires on 2022-01-17 (skipped) (skipped)
No renewals were attempted.

how to get free ssl certificate from letsencrypt

For getting a free SSL certificate you need SSH access to your server where you installed your application code.

Then follow the commands in the article below, which will guide you through installing the necessary application.

https://certbot.eff.org/lets-encrypt/centosrhel7-apache

After installing certbot on your machine, you need to run the following command to generate the SSL certificate.

certbot --apache certonly --cert-name purabtech.com -d purabtech.in

Open 443 and 80 port on linux VM

If your Apache, Nginx or Tomcat server is configured properly but your site still does not open, check the firewall and whether the ports are open to the internet.

Check the status of your firewall with this command:

firewall-cmd --state

running

Check which zones are active

[root@vps147238 purab]# firewall-cmd --get-active-zones
public
interfaces: eth0

Open port 80 and port 443.

firewall-cmd --zone=public --add-service=http

firewall-cmd --zone=public --add-service=https

firewall-cmd --zone=public --permanent --add-service=http

firewall-cmd --zone=public --permanent --add-service=https

firewall-cmd --reload

Now check that ports 80 and 443 are open:

firewall-cmd --list-all

public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh https
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
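
The listing above allows 443 through the https service but 80 only as an explicit port, so a check has to accept either form. The following is an added example, not part of the original post; the function names are hypothetical and it assumes firewalld's stock http/https service definitions.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `firewall-cmd --list-all`
# output on stdin and prints each web port (80, 443) the zone does not allow.
# Assumption: firewalld's stock "http"/"https" services map to 80/tcp and 443/tcp.
missing_web_ports() {
    awk '
        # True when a ports entry (80/tcp or a range like 8000-8100/tcp) covers want.
        function covers(spec, want,    a, r, n) {
            if (split(spec, a, "/") != 2 || a[2] != "tcp") return 0
            n = split(a[1], r, "-")
            return (want >= r[1] + 0 && want <= r[n] + 0)
        }
        $1 == "services:" { for (i = 2; i <= NF; i++) svc[$i] = 1 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                if (covers($i, 80))  p80 = 1
                if (covers($i, 443)) p443 = 1
            }
        }
        END {
            if (!("http" in svc) && !p80)   print 80
            if (!("https" in svc) && !p443) print 443
        }'
}

# The zone listing shown on this page, embedded so the check runs offline.
page_zone_listing() {
    cat <<'EOF'
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh https
ports: 80/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
EOF
}

# Prints nothing for the listing on this page: 443 is open by service, 80 by port.
page_zone_listing | missing_web_ports
```

On a live host, pipe both firewall-cmd --zone=public --list-all and firewall-cmd --permanent --zone=public --list-all into the function; a port missing only from the permanent listing will close again at the next reload or reboot.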

CentOS Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org An unexpected error occurred:

While running the certonly command I got the following error:
[root@vps147238 letsencrypt]# certbot --apache certonly --cert-name purabtech.com -d purabtech.in
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
ConnectionError: ('Connection aborted.', gaierror(-2, 'Name or service not known'))
Please see the logfiles in /var/log/letsencrypt for more details.

I solved this issue by doing the following:

$vi /etc/letsencrypt/cli.ini

Put the following line in it:
server = https://acme-v02.api.letsencrypt.org/directory

It solved my problem…
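
cli.ini is not the only place a server URL can be set: the files under /etc/letsencrypt/renewal/ that certbot parses in the logs above carry their own server value, which certbot renew uses. The following added example (not from the original post; function names and sample file contents are constructed) lists every file that still points at the acme-v01 endpoint from the error.

```shell
#!/bin/sh
# Added example (not from the original post): list certbot config files whose
# "server" setting still points at the acme-v01 endpoint from the error above.
# Assumption: besides cli.ini, each renewal/*.conf stores its own server value.
find_acme_v1_refs() {
    dir=${1:-/etc/letsencrypt}
    for f in "$dir"/cli.ini "$dir"/renewal/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or missing cli.ini
        awk -v file="$f" '
            /^[ \t]*[#;]/ { next }       # ignore commented-out settings
            /^[ \t]*server[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, "") # keep only the value
                if ($0 ~ /acme-v01\./) print file ":" FNR ": " $0
            }' "$f"
    done
}

# Constructed sample tree (hypothetical contents) so the function runs offline.
make_sample_tree() {
    d=$(mktemp -d) && mkdir "$d/renewal" || return 1
    printf 'server = https://acme-v02.api.letsencrypt.org/directory\n' >"$d/cli.ini"
    printf '[renewalparams]\nauthenticator = apache\nserver = https://acme-v01.api.letsencrypt.org/directory\n' >"$d/renewal/old.conf"
    printf '[renewalparams]\n# server = https://acme-v01.api.letsencrypt.org/directory\nserver = https://acme-v02.api.letsencrypt.org/directory\n' >"$d/renewal/new.conf"
    echo "$d"
}

# Demo on the constructed tree: reports renewal/old.conf line 3 only.
demo=$(make_sample_tree) && find_acme_v1_refs "$demo"
rm -rf "$demo"
```

Run find_acme_v1_refs with no argument to check the real /etc/letsencrypt tree; any file it reports needs the same server line change that was made in cli.ini.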