How to Install Let's Encrypt SSL with LEMP Stack on AlmaLinux 10
This guide walks you through installing a secure LEMP (Linux, Nginx, MariaDB, PHP) stack on AlmaLinux 10 and enabling HTTPS with a free SSL certificate from Let's Encrypt using Certbot.
Prerequisites
- A clean AlmaLinux 10 server with root or sudo access
- A registered domain name pointed to your server's IP
- Basic knowledge of the Linux command line
Install and Start Nginx
Install the Nginx web server and ensure it's running.
yum install nginx -y
systemctl start nginx
systemctl enable nginx
Check the Nginx status to confirm it's active:
systemctl status nginx
Output:
[root@vps ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: disabled)
Drop-In: /etc/systemd/system/nginx.service.d
└─php-fpm.conf
Active: active (running) since Fri 2025-06-06 20:20:44 UTC; 45min ago
Invocation: e2f38a62c6f5402ab06f791e8df8effc
Main PID: 3028 (nginx)
Tasks: 3 (limit: 23188)
Memory: 4M (peak: 6M)
CPU: 90ms
CGroup: /system.slice/nginx.service
├─3028 "nginx: master process /usr/sbin/nginx"
├─4486 "nginx: worker process"
└─4487 "nginx: worker process"
Configure Firewall
Allow HTTP and HTTPS traffic through the firewall.
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
Set Proper Permissions for Web Directory
Ensure the Nginx user owns the default web directory.
chown nginx:nginx /usr/share/nginx/html -R
Install and Secure MariaDB
Install the MariaDB server and start it.
yum install mariadb-server mariadb -y
systemctl start mariadb
systemctl enable mariadb
systemctl status mariadb
Secure the installation with:
mysql_secure_installation
Output:
[root@vps ~]# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n] y
Enabled successfully!
Reloading privilege tables..
... Success!
...
Install PHP 8.4
Enable additional repositories to access the latest PHP version.
dnf config-manager --set-enabled crb
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-10.rpm -y
Install PHP 8.4 and Necessary Extensions
Switch to the Remi repository for PHP 8.4:
dnf module switch-to php:remi-8.4
dnf module install php:remi-8.4
Install PHP with commonly used extensions:
yum install php php-mysqlnd php-fpm php-opcache php-gd php-xml php-mbstring -y
Configure and Start PHP-FPM
Edit the PHP-FPM pool configuration (optional):
nano /etc/php-fpm.d/www.conf
Start and enable PHP-FPM:
systemctl start php-fpm
systemctl enable php-fpm
systemctl status php-fpm
Reload if needed:
systemctl reload php-fpm
Restart services to apply changes:
systemctl restart nginx php-fpm
Install Certbot with Snap
Install Snap and Certbot:
dnf install snapd -y
systemctl enable --now snapd.socket
snap wait system seed.loaded
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Prepare Web Directory and Nginx Configuration
Create a directory for your subdomain and add a test page:
mkdir -p /var/www/dev.domainhere.info/public_html
echo "<h1>Welcome to dev.domainhere.info hosted with Nginx</h1>" > /var/www/dev.domainhere.info/public_html/index.html
(Optional) Allow HTTP/HTTPS again:
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Edit Nginx virtual host configuration:
nano /etc/nginx/conf.d/dev.domainhere.info.conf
Add the following configuration:
server {
    listen 80;
    listen [::]:80;
    root /var/www/dev.domainhere.info/public_html;
    index index.html;
    server_name dev.domainhere.info www.dev.domainhere.info;
    access_log /var/log/nginx/dev.domainhere.info.access.log;
    error_log /var/log/nginx/dev.domainhere.info.error.log;
    location / {
        try_files $uri $uri/ =404;
    }
}
Note: Replace dev.domainhere.info with your actual domain name.
Restart Nginx:
systemctl restart nginx
Obtain SSL Certificate with Certbot
Run Certbot to install and configure Let's Encrypt SSL automatically with Nginx:
certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email admin@test.com -d dev.domainhere.info
Note: Replace the email address and domain with your actual email address and domain.
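The following check is an added example, not part of the original guide. It verifies the three behaviours the Certbot flags above request (--redirect, --hsts, --staple-ocsp) by reading curl and openssl s_client output on stdin. The sample outputs are constructed, and the 15768000-second HSTS minimum is an assumed policy value.

```bash
#!/bin/sh
# Added example: check what --redirect, --hsts and --staple-ocsp should produce.
# Each function reads tool output on stdin, so it works on live or saved output.

# stdin: curl -sI http://DOMAIN/   -> success if 301/308 to an https:// URL
check_redirect() {
  hdrs=$(tr -d '\r')
  printf '%s\n' "$hdrs" | head -n1 | grep -qE '^HTTP/[0-9.]+ 30[18]' &&
    printf '%s\n' "$hdrs" | grep -qiE '^location:[[:space:]]*https://'
}

# stdin: curl -sI https://DOMAIN/  -> prints HSTS max-age in seconds, or nothing
hsts_max_age() {
  tr -d '\r' | tr 'A-Z' 'a-z' | grep '^strict-transport-security:' |
    head -n1 | sed -nE 's/.*max-age=([0-9]+).*/\1/p'
}

# stdin: openssl s_client -connect DOMAIN:443 -servername DOMAIN -status </dev/null
ocsp_staple_state() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful' &&
     printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo not-stapled
  else
    echo unknown
  fi
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://dev.domainhere.info/'
SAMPLE_HTTPS='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000'
SAMPLE_TLS='CONNECTED(00000003)
OCSP response: no response sent'

# $1 = minimum acceptable HSTS max-age in seconds (assumed policy value)
report() {
  if printf '%s\n' "$SAMPLE_HTTP" | check_redirect; then echo "redirect: ok"
  else echo "redirect: MISSING"; fi
  age=$(printf '%s\n' "$SAMPLE_HTTPS" | hsts_max_age)
  if [ "${age:-0}" -ge "$1" ]; then echo "hsts: ok (max-age=$age)"
  else echo "hsts: absent or below $1"; fi
  echo "ocsp: $(printf '%s\n' "$SAMPLE_TLS" | ocsp_staple_state)"
}
report 15768000
```

Against a live host, pipe the commands named in the comments into the three functions in place of the samples. A not-stapled result means Nginx is not serving an OCSP response even though the flag was passed.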
Conclusion
You now have a complete LEMP stack on AlmaLinux 10, secured with Let's Encrypt SSL. Your website is live with HTTPS and strong security features like HSTS and OCSP stapling enabled. Always remember to renew your SSL certificate periodically using: