Let’s Encrypt provides free, automatically renewable TLS certificates, and Certbot is the recommended client for obtaining and managing them. On RHEL 8, the certbot and python3-certbot-nginx packages are available from the EPEL (Extra Packages for Enterprise Linux) repository. Once installed, Certbot can automatically obtain a certificate and modify your Nginx configuration to enable HTTPS. This tutorial covers the complete process of securing Nginx with Let’s Encrypt on RHEL 8.

Prerequisites

  • Nginx installed and running on RHEL 8 with a configured server block for your domain
  • A fully qualified domain name (FQDN) pointing to your server’s public IP address
  • Ports 80 and 443 open in firewalld
  • Root or sudo access on the server
  • The EPEL repository enabled (installation covered in Step 1)

Step 1 — Enable EPEL and Install Certbot

Certbot is not included in the default RHEL 8 repositories. First, enable EPEL:

sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Then install Certbot and the Nginx plugin:

sudo dnf install -y certbot python3-certbot-nginx

Verify the installation:

certbot --version

Step 2 — Obtain and Install a Certificate

Run Certbot with the --nginx plugin to automatically obtain a certificate and update your Nginx configuration. Replace example.com with your actual domain:

sudo certbot --nginx -d example.com -d www.example.com

Certbot will prompt you to:

  1. Provide an email address for urgent renewal and security notices
  2. Agree to the Let’s Encrypt Terms of Service
  3. Choose whether to redirect HTTP to HTTPS (option 2 — Redirect — is recommended)

After completion, Certbot writes the certificate files to /etc/letsencrypt/live/example.com/ and updates /etc/nginx/conf.d/example.com.conf with the SSL directives automatically.

Step 3 — Understand the Certificate Directory Structure

Inspect the files Certbot created:

sudo ls -la /etc/letsencrypt/live/example.com/

The directory contains four symbolic links:

  • cert.pem — the domain certificate
  • chain.pem — the Let’s Encrypt intermediate certificate chain
  • fullchain.pem — cert.pem + chain.pem combined; this is what Nginx’s ssl_certificate directive should point to
  • privkey.pem — the private key; Nginx’s ssl_certificate_key directive points here

The actual certificate files reside in /etc/letsencrypt/archive/example.com/ and are accessed through the symlinks above.

Step 4 — Verify the HTTPS Redirect in Nginx Config

Confirm that Certbot added the correct SSL and redirect directives to your server block:

sudo cat /etc/nginx/conf.d/example.com.conf

You should see a block similar to this added by Certbot:

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    root  /var/www/example.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

The second server block performs the HTTP-to-HTTPS redirect. Test the configuration and reload:

sudo nginx -t && sudo systemctl reload nginx.service
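As a check on the points in Steps 3 and 4, the following added example (not part of the original tutorial or of Certbot) lints a config file: each TLS server block must reference fullchain.pem and privkey.pem, and each port 80 block must redirect to HTTPS. The function name check_tls_conf and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint an Nginx config for the properties described in Steps 3-4.
# check_tls_conf is a hypothetical helper, not a Certbot or Nginx command.
check_tls_conf() {
    # $1 = path to an Nginx config file; prints findings, returns 1 if any.
    awk '
    function report(msg) { printf "server block ending line %d: %s\n", NR, msg; bad = 1 }
    function finish_block() {
        if (tls) {
            if (cert !~ /\/fullchain\.pem;?$/)
                report("ssl_certificate should point to fullchain.pem, got: " cert)
            if (key !~ /\/privkey\.pem;?$/)
                report("ssl_certificate_key should point to privkey.pem, got: " key)
        } else if (http && !redirect)
            report("port 80 block does not redirect to https")
    }
    { sub(/#.*/, "") }                        # drop comments such as "# managed by Certbot"
    /^[ \t]*server[ \t]*[{]/ {                # start of a server block
        depth = 1; tls = http = redirect = 0; cert = key = "(missing)"; next
    }
    depth > 0 {
        if ($1 == "listen") { if ($0 ~ /ssl/) tls = 1; else if ($2 ~ /(^|:)80;?$/) http = 1 }
        if ($1 == "ssl_certificate")     cert = $2
        if ($1 == "ssl_certificate_key") key  = $2
        if ($1 == "return" && $2 == "301" && $3 ~ /^https:\/\//) redirect = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested location/if blocks
        if (depth == 0) finish_block()
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: the TLS block wrongly serves cert.pem, which omits the
# intermediate chain, so the linter should flag it.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
server {
    listen 80;
    return 301 https://$host$request_uri;
}
EOF
check_tls_conf "$sample" || echo "config needs attention"
rm -f "$sample"
```

On a real server, pass the file from Step 4, for example /etc/nginx/conf.d/example.com.conf, and run it before nginx -t.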

Step 5 — Test Automatic Renewal

Let’s Encrypt certificates are valid for 90 days. Certbot installs a systemd timer that automatically renews certificates before they expire. Check the timer status:

sudo systemctl status certbot.timer

Perform a dry run to confirm the renewal process works without actually renewing:

sudo certbot renew --dry-run

If the dry run completes without errors, automatic renewal is configured correctly. You can also list all managed certificates and their expiration dates:

sudo certbot certificates

Step 6 — Open Port 443 if Not Already Done

Ensure the firewall allows HTTPS traffic. If you did not open it during the initial Nginx setup, do so now:

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

From a browser or with curl, verify HTTPS is serving your site:

curl -I https://example.com

A 200 OK response confirms that curl accepted the certificate and that Nginx is serving the site over TLS.

Conclusion

You have installed Certbot from EPEL, obtained a free Let’s Encrypt TLS certificate, and configured Nginx to serve your site over HTTPS with automatic HTTP-to-HTTPS redirection. The systemd timer ensures your certificate renews automatically, eliminating manual intervention before expiration.

Next steps: How to Configure HTTP/2 on Nginx on RHEL 8, How to Set Up Nginx as a Reverse Proxy on RHEL 8, and How to Configure HSTS on Nginx on RHEL 8.