Select Page

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost.
  • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.
  • Secure: Let’s Encrypt will serve as a platform for advancing TLS security best practices, both on the CA side and by helping site operators properly secure their servers.
  • Transparent: All certificates issued or revoked will be publicly recorded and available for anyone to inspect.
  • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.


Install CertAuto

First you need to download the certauto application.

sudo yum install certbot


In case of Centos 6 you need to download it from

Download the file in /srv  or /root  or your home folder

cd /srv
chmod a+x certbot-auto


Now you create the certificate by running this command

sudo /srv/certbot-auto certonly -a webroot --webroot-path=/usr/share/nginx/html -d -d


Add your email address and click OK

then click Agree to accept the terms of service

Copy and save the output


Generate Strong Diffie-Hellman Group

To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048


This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.


Configure TLS/SSL on Web Server

server {
    listen 80;
    return 301 https://$host$request_uri;
server {
        listen 443 ssl;


        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;

        location ~ /.well-known {
                allow all;

        # The rest of your server block
        root /usr/share/nginx/html;
        index index.html index.htm;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules


Set Up Auto Renewal

Create a cronjob to renew the certificate automatically. The following command opens the crontab with nano.

sudo env EDITOR=nano crontab -e


paste the following configuration to run the cron everyweek. It runs the certbot-auto renew and saves the out put in a log file. 5 mins later it reloads the nginx config to use the new certificate.

0 0 * * 1 /srv/certbot-auto renew >> /srv/www/sslcert-renew.log
5 0 * * 1 /etc/init.d/nginx reload nginx >> /srv/www/sslcert-renew.log


Reference Articles