Free SSL and Widacard SSL certificate from Let’s Encrypt, NGINX connection and auto-renewal on Centos 7

Wildcard certificate – a public key certificate that can be used with multiple subdomains *

A series of articles on installing and configuring the NGINX web server

  • Installing NGINX web server for working with virtual hosts, PHP-FPM in Sock mode, MariaDB Mysql server on Centos 7
  • Password for file / directory NGINX web server in Centos / Ubuntu
  • Enabling SSL in NGINX on Centos 7
  • Free SSL and Widacard SSL certificate from Let’s Encrypt, NGINX connection and auto-renewal on Centos 7

Installing the certbot utility

[[email protected]]# yum install certbot

We receive an SSL certificate. Check type: TXT-record in DNS

[[email protected]]# certbot certonly --manual --agree-tos --email [email protected] --preferred-challenges=dns -d -d

certonly — запрос нового сертификата;
manual — проверка домена вручную.
preferred-challenges=dns — метод проверки домена через dns.
agree-tos — согласие на лицензионное соглашение;
email — почтовый адрес администратора домена;
d — перечисление доменов, для которых запрашиваем сертификат.

After that, certbot will ask you to register a TXT record for domain names for verification. We register them on our dns server, wait a while for them to be registered and return to the console to confirm.

It is imperative to wait for a while until the record is registered, otherwise the check will fail, you will not receive a certificate, and the next time you request the txt record will be different

Let’s Encrypt also issues Wildcard SSL certificates. To get it, let’s execute the request:

[[email protected]]# certbot certonly --manual --agree-tos --email [email protected] --preferred-challenges=dns -d -d *

Let’s Encrypt SSL certificate expires 3 months, so to get around this limitation, we will use automatic update

Automatic SSL Certificate Renewal

We are looking for a path to certbot:

[[email protected]]# which certbot

Start editing cron and add the line:

[[email protected]]# crontab -e
0 0 * * 1,4 /usr/bin/certbot renew && systemctl restart nginx

In this case, the launch of the script for checking and renewing the certificate (if the certificate expires) will occur on Mondays and Thursdays at 00:00. Then NGINX will be restarted

The rest of the settings were discussed earlier, in this article.

Part of the config:

server {
        listen 443 ssl default_server;
        include snippets/ssl-params.conf;
        root /var/www/html;

        index index.php index.html index.htm;

        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        ssl_trusted_certificate /etc/letsencrypt/live/;