There is general agreement these days that the internet as a whole needs to be more secure from eavesdropping and content hijacking. This could be achieved by a general move from HTTP to HTTPS as the default protocol, but for years the issue of the certificates required to do this has been dominated by the SSL certificate mafia. This cartel, which includes Symantec, RapidSSL, GeoTrust and Thawte, has discouraged the widespread adoption of HTTPS by making it an expensive and tedious chore. Not any more.
Certbot is an Electronic Frontier Foundation project which develops software that automatically enables HTTPS on all websites on a web server, even across many different domains. The days of paying the shonkies for SSL/TLS certificates are over!
Certbot manages obtaining, installing and renewing Let’s Encrypt certificates, which are recognised by all major web browsers. For CentOS servers running Nginx, certbot is available in the EPEL repo as the yum package certbot-nginx and can be installed in the usual manner.
Certbot is very easy to run. Invoked with the --nginx plugin, it obtains a certificate and automatically edits an Nginx configuration file to serve it. If certbot finds multiple configuration files (normally one per domain), it creates certificates for as many of them as you wish. To keep manual control of Nginx configuration file changes, use the certonly subcommand:
certbot --nginx certonly
Certbot can, and probably should, be configured to renew certificates automatically before they expire. Let’s Encrypt certificates are valid for only 90 days, so it is highly advisable to take advantage of this feature. The automatic renewal process can be tested as follows:
certbot renew --dry-run
If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job that runs the same command without --dry-run.
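As an added example (not part of the original post), here is an idempotent script for the renewal setup just described: it runs the dry run first, then installs a root cron job under /etc/cron.d that runs certbot renew twice a day with a deploy hook that reloads Nginx only when a certificate was actually replaced. The cron file path, the twice-daily schedule, the --quiet and --deploy-hook options and the hostname-derived minute offset are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent setup of unattended
# Let's Encrypt renewal on a CentOS/Nginx host.
# Assumptions (mine): root cron via a file in /etc/cron.d, Nginx reloaded by a
# deploy hook, and certbot already installed from EPEL and on PATH.
set -eu

CRON_FILE="${CRON_FILE:-/etc/cron.d/certbot-renew}"

# Build the /etc/cron.d line. Renewal is attempted twice a day (Let's Encrypt's
# recommended cadence; certbot only renews when under 30 days remain). The
# minute is derived from the hostname so a fleet of servers does not hit the
# CA at the same instant. --deploy-hook runs only when a certificate was
# actually renewed, so Nginx is not reloaded needlessly.
cron_line() {
    host="$1"
    minute=$(( $(printf '%s' "$host" | cksum | cut -d' ' -f1) % 60 ))
    printf '%d 0,12 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"\n' "$minute"
}

# Write the cron file only if its content would change.
# Returns 0 when written, 1 when it was already up to date.
install_cron() {
    file="$1"; line="$2"
    if [ -f "$file" ] && [ "$(cat "$file")" = "$line" ]; then
        return 1
    fi
    printf '%s\n' "$line" > "$file"
    return 0
}

main() {
    # Prove renewal works before trusting it to cron: --dry-run exercises the
    # ACME challenge against the staging environment without touching live certs.
    certbot renew --dry-run
    line=$(cron_line "$(hostname)")
    if install_cron "$CRON_FILE" "$line"; then
        echo "installed renewal job: $line"
    else
        echo "renewal job already up to date"
    fi
}

# Run as: sudo sh certbot-renew-setup.sh install
case "${1:-}" in
    install) main ;;
esac
```

Re-running the script is safe: the cron file is rewritten only when its content differs, so configuration management can call it on every run.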
For more information see the Certbot Documentation.