How to Get a Free, Never‑Expiring SSL Certificate with Let’s Encrypt on CentOS 9
This guide walks you through installing Certbot, obtaining a free DV SSL certificate from Let’s Encrypt, configuring Nginx for HTTPS, and setting up automatic renewal so your website stays securely encrypted without the hassle of paid certificates.
Background
Free SSL certificates that used to be valid for 12 months are now limited to 3 months, prompting many enterprises to buy paid certificates. This article shows how to use Let’s Encrypt to obtain a free, automatically renewable SSL certificate and upgrade a website from HTTP to HTTPS.
Let’s Encrypt Overview
Let’s Encrypt, provided by the non‑profit Internet Security Research Group (ISRG), issues free Domain Validation (DV) certificates. The issuance and renewal processes are fully automated via scripts, and the official client options are listed at https://letsencrypt.org/zh-cn/docs/client-options/ .
Install Certbot Client
```
[root@aliyun-www ~]# yum install certbot -y
```
Verify the installation:
```
[root@aliyun-www ~]# certbot --version
certbot 2.11.0
```
Now you can request an SSL certificate. For example, to obtain a certificate for static.example.com:
```
[root@aliyun-www ~]# certbot certonly --nginx -d static.example.com
```
If the Nginx plugin is missing, install it:
```
[root@aliyun-www ~]# yum install python3-certbot-nginx
```
Run the certificate request again:
```
[root@aliyun-www ~]# certbot certonly --nginx -d static.example.com
```
The interactive process will ask you to agree to the Let’s Encrypt Terms of Service, provide an email address, and optionally share it with the Electronic Frontier Foundation.
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): [email protected]
... (Y)es/(N)o: y
Account registered.
Requesting a certificate for static.example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/static.example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/static.example.com/privkey.pem
This certificate expires on 2025-06-18.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
```
After issuance, the certificate files appear under /etc/letsencrypt/live/ in a directory named after the domain.
Certificate Renewal: Automatic Updates
Let’s Encrypt certificates are valid for 90 days and are automatically renewed 30 days before expiration. Test renewal with:
```
[root@aliyun-www ~]# certbot renew --dry-run
```
You can add certbot renew to a cron job to ensure continuous renewal.
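An added example (not part of the original article and not Certbot's own code): a small Python check that parses the output of `certbot certificates` and flags any certificate with fewer days left than the 30-day renewal window, which means scheduled renewal is failing silently. The sample output, the 5-day grace period and the function names are assumptions made for this example.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample in the layout printed by `certbot certificates`
# (certificate names and dates are made up for this example).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: static.example.com
    Domains: static.example.com
    Expiry Date: 2025-06-18 08:12:33+00:00 (VALID: 51 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2025-05-10 10:00:00+00:00 (VALID: 12 days)
"""

NAME_RE = re.compile(r"^\s*Certificate Name:\s*(\S+)")
EXPIRY_RE = re.compile(r"^\s*Expiry Date:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d\d:\d\d)")


def parse_certificates(text):
    """Return {certificate name: expiry datetime} from `certbot certificates` output."""
    certs, current = {}, None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            current = m.group(1)
        elif (m := EXPIRY_RE.match(line)) and current:
            certs[current] = datetime.fromisoformat(m.group(1))
    return certs


def overdue(certs, now, renew_window_days=30, grace_days=5):
    """Names whose remaining lifetime shows that a renewal was missed.

    Renewal starts 30 days before expiry, so a certificate with fewer than
    renew_window_days - grace_days left (grace_days is an assumed margin)
    has already failed to renew. Expired certificates are flagged too.
    """
    limit = renew_window_days - grace_days
    return sorted(n for n, exp in certs.items() if (exp - now).days < limit)


if __name__ == "__main__":
    out = subprocess.run(["certbot", "certificates"], capture_output=True, text=True).stdout
    late = overdue(parse_certificates(out), datetime.now(timezone.utc))
    for name in late:
        print(f"renewal overdue: {name}")
    raise SystemExit(1 if late else 0)
```

Run it as root from the same scheduler as the renewal job; a non-zero exit status can feed whatever alerting the server already uses.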
Enable HTTPS in Nginx
Edit the Nginx configuration to listen on port 443 and reference the certificate files:
```
server {
    listen 443 ssl;
    server_name example.com;
    root /home/www/example.com;
    index index.html index.htm index.php;
    # Both files must come from the same directory under /etc/letsencrypt/live/,
    # which is named after the domain the certificate was issued for.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ...
}
```
Add an HTTP‑to‑HTTPS redirect:
```
server {
    listen 80;
    server_name example.com;
    location / {
        # Permanent (301) redirect of every plain-HTTP request to HTTPS
        rewrite ^(.*)$ https://$host$1 permanent;
    }
}
```
Restart Nginx to apply changes:
```
systemctl restart nginx
```
With these steps, you will have a continuously valid, free SSL certificate protecting your site.
Conclusion
By following this procedure on a CentOS 9 server, you can successfully install and configure Let’s Encrypt SSL, ensuring secure communication for your visitors while avoiding the cost and hassle of paid certificates. Remember to regularly check your configuration and renewals to maintain a secure and reliable web service.
21CTO