Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.
This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.
How to secure Nginx with Let’s Encrypt certificate on Alpine
Let us see all commands to configure and set up Let’s Encrypt SSL/TLS for nginx.
Step 1 – Installation
First, install the following packages (netcat, bc, curl, wget, git, bash and openssl) on Alpine Linux using the apk command:
# apk add netcat-openbsd bc curl wget git bash openssl
Sample outputs:
(1/8) Installing bc (1.07.1-r0)
(2/8) Installing curl (7.61.1-r1)
(3/8) Installing expat (2.2.5-r0)
(4/8) Installing pcre2 (10.31-r0)
(5/8) Installing git (2.18.1-r0)
(6/8) Installing git-bash-completion (2.18.1-r0)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 69 packages
Also install libressl, which supplies the openssl command used in Step 4, with the following apk command:
# apk add libressl
(1/1) Installing libressl (2.7.4-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 70 packages
Step 2 – Install acme.sh client
Type the following command to clone the acme.sh client, enter:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Sample outputs:
Cloning into 'acme.sh'...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.
To install acme.sh client, enter:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Sample outputs:
[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/.acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/.acme.sh/acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK
After the install, close the current terminal and reopen it so the alias takes effect, or simply type the following command:
# source ~/.bashrc
Test it:
# acme.sh
Step 3 – Create /.well-known/acme-challenge/ directory
Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Step 4 – Generate a global dhparam file
The dhparam file is generated with the openssl command from the libressl package installed in Step 1. If you skipped that step, install it now (the apk verb is add, not install):
# apk add libressl
Next, type the following command to create a global dhparam file. Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# cd /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# openssl dhparam -dsaparam -out dhparams.pem 4096
Step 5 – Issue a certificate for newsletter.cyberciti.biz domain
The syntax is:
# acme.sh --issue -w $D -d newsletter.cyberciti.biz -k 4096
Where,
- --issue : Issue a new certificate.
- -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
- -d newsletter.cyberciti.biz : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
- -k 4096 : Specifies the domain key length.
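The webroot (HTTP-01) validation in this step only succeeds if nginx can serve a token file out of the directory created in Step 3. The following script is an added example, not part of the tutorial or of acme.sh: it wraps Step 3 and Step 5 in functions, checks the directory's permission bits, fetches a throw-away token over plain HTTP the way the CA will, and only then runs the issue command. It assumes a root shell (acme.sh has to write into a 0555 directory), curl from Step 1, and acme.sh in its default location /root/.acme.sh from Step 2; every function name here is this script's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or acme.sh): pre-flight checks for the
# HTTP-01 webroot challenge before running the Step 5 acme.sh command.
# Assumes a root shell, curl (Step 1) and acme.sh under /root/.acme.sh (Step 2).

CHALLENGE=".well-known/acme-challenge"

# prepare_webroot DOCROOT: Step 3 as a function. chown is skipped when no
# nginx user exists (for example on a test box) so the function runs anywhere.
prepare_webroot() {
    dir="$1/$CHALLENGE"
    mkdir -p "$dir" || return 1
    if id nginx >/dev/null 2>&1; then
        chown -R nginx:nginx "$dir" || return 1
    fi
    chmod -R 0555 "$dir"
}

# webroot_ready DOCROOT: 0 when the challenge directory exists and carries the
# "other" read and search bits the nginx worker needs to serve a token file;
# otherwise prints what is wrong and returns 1.
webroot_ready() {
    dir="$1/$CHALLENGE"
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    mode=$(stat -c '%a' "$dir") || return 1        # GNU and busybox stat
    other=$(( mode % 10 ))                           # last octal digit = "other" bits
    [ $(( other & 5 )) -eq 5 ] || { echo "not world r-x: $dir is mode $mode"; return 1; }
}

# challenge_served DOCROOT DOMAIN: drop a random token into the directory and
# fetch it over plain HTTP the way Let's Encrypt will. Needs the live nginx,
# so it is for the real host, not for offline tests.
challenge_served() {
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    file="$1/$CHALLENGE/$token"
    echo "$token" > "$file" || return 1
    got=$(curl -fsS "http://$2/$CHALLENGE/$token")
    rm -f "$file"
    [ "$got" = "$token" ] || { echo "nginx did not serve $file for $2"; return 1; }
}

# issue_cert DOCROOT DOMAIN [KEYLEN]: the tutorial's Step 5 command, gated on
# the checks above so a misconfigured webroot fails fast and locally.
issue_cert() {
    webroot_ready "$1" && challenge_served "$1" "$2" || return 1
    "${ACME:-/root/.acme.sh/acme.sh}" --issue -w "$1" -d "$2" -k "${3:-4096}"
}

# Usage on the real host:
#   prepare_webroot /var/www/localhost/htdocs
#   issue_cert /var/www/localhost/htdocs newsletter.cyberciti.biz 4096
```

The permission check looks only at the "other" bits because the nginx worker runs as the nginx user; the recursive 0555 from Step 3 satisfies it, while a stricter 0750 created by hand would fail validation with an HTTP 403 that is harder to diagnose from the CA's error message.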
Step 6 – Configure TLS/SSL on Nginx web server
Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf
## START: SSL/HTTPS newsletter.cyberciti.biz ###
server {
    # "ssl on;" is obsolete (removed in nginx 1.25.1); the ssl parameter on listen replaces it
    listen 443 ssl http2;
    server_name newsletter.cyberciti.biz;
    ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # TLSv1 and TLSv1.1 are deprecated; keep them only if legacy clients require them,
    # otherwise use TLSv1.2 (plus TLSv1.3 where the TLS library supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##
    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # rest of your config ##
}
## END SSL newsletter.cyberciti.biz ######
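A server block like the one above has a handful of settings that decide how strong the resulting TLS endpoint is, and some of them fail silently (OCSP stapling without a resolver, or an HSTS header left commented out). The script below is an added example, not part of the tutorial or of nginx: a small POSIX sh audit that strips comments and then flags legacy protocol versions, the obsolete ssl on directive, a port 443 listen without the ssl parameter, stapling without a resolver, and a missing HSTS header. The two sample server blocks embedded in it are constructed for this example and only mirror the shape of the tutorial's file; function names are this script's own.

```shell
#!/bin/sh
# Added example (not from the tutorial or nginx): audit the TLS settings of an
# nginx server block such as the Step 6 one. POSIX sh plus sed/grep only.

# strip_comments FILE: remove comment lines and trailing comments so that a
# commented-out directive is not counted as active.
strip_comments() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# has REGEX: does the comment-stripped config in $cfg match REGEX?
has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }

# audit_tls_config FILE: print one finding per line; the return value is the
# number of findings, so 0 means nothing was flagged.
audit_tls_config() {
    cfg=$(strip_comments "$1")
    n=0
    if has 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
        echo "ssl_protocols enables TLSv1/TLSv1.1 (deprecated; use TLSv1.2 or later)"; n=$((n+1))
    fi
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "'ssl on;' is obsolete (removed in nginx 1.25.1); use 'listen 443 ssl'"; n=$((n+1))
    fi
    if has 'listen[[:space:]]+[^;]*443' && ! has 'listen[[:space:]]+[^;]*443[^;]*ssl'; then
        echo "listen on 443 without the ssl parameter"; n=$((n+1))
    fi
    if has 'ssl_stapling[[:space:]]+on' && ! has '^[[:space:]]*resolver[[:space:]]'; then
        echo "ssl_stapling on without a resolver; stapling will silently not work"; n=$((n+1))
    fi
    if ! has 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "no active Strict-Transport-Security header (HSTS commented out or missing)"; n=$((n+1))
    fi
    return "$n"
}

# weak_sample: a constructed block with the shape of the tutorial's, on stdout.
weak_sample() {
cat <<'EOF'
server {
    listen 443 http2;
    server_name example.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/example.com.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security max-age=31536000;
}
EOF
}

# hardened_sample: the same constructed block with each finding addressed.
hardened_sample() {
cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Usage on the host from the tutorial:
#   audit_tls_config /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf
```

Run against the weak sample the audit reports four findings (protocols, ssl on, listen, HSTS) and none against the hardened one; the stapling check passes in both because a resolver is configured. It is a text check only, so after fixing anything still confirm with nginx -t before reloading.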
Install the issued certificate to Nginx web server
Type the following command:
# acme.sh --installcert -d newsletter.cyberciti.biz \
--keypath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer \
--reloadcmd '/etc/init.d/nginx restart'
Step 7 – Test it
Open a web browser and visit the following URL:
https://newsletter.cyberciti.biz
A note about the cron job
A cron job will also try to renew the certificate for you. It is installed by default (no action required on your part); list it with:
# crontab -l
Sample job:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
How do I renew a certificate manually?
Type the following command:
# acme.sh --renew -d newsletter.cyberciti.biz
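The installed cron job sends its output to /dev/null, so a renewal that keeps failing (for example after the webroot or DocumentRoot changes) stays invisible until the certificate actually expires. The script below is an added example, not part of the tutorial or of acme.sh: it reads the notAfter date from the certificate file installed in Step 6 and warns when fewer days remain than acme.sh's default 60-day renewal point should ever allow. It assumes GNU date for the -d option (on Alpine's busybox, apk add coreutils provides it) and the openssl command from Step 1; function names and the 20-day threshold are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial or acme.sh): detect a silently failing
# renewal by checking the days left on the installed certificate.
# Assumes GNU date (-d) and the openssl command.

# days_left NOTAFTER [NOW_EPOCH]: days between now and a notAfter value as
# printed by "openssl x509 -noout -enddate", e.g. "Jan  1 00:00:00 2030 GMT".
# Negative when already expired. NOW_EPOCH is injectable for testing.
days_left() {
    exp=$(date -u -d "$1" +%s) || return 2
    now=${2:-$(date +%s)}
    echo $(( (exp - now) / 86400 ))
}

# cert_days_left CERTFILE: the same, reading the date from a PEM certificate.
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1") || return 2
    days_left "${enddate#notAfter=}"
}

# renewal_ok DAYS [THRESHOLD]: acme.sh renews a 90-day certificate at 60 days
# by default, so fewer than THRESHOLD (default 20) days left means the cron
# renewal has not been working. Returns 1 in that case.
renewal_ok() {
    days=$1; threshold=${2:-20}
    if [ "$days" -lt "$threshold" ]; then
        echo "WARN: $days day(s) left, renewal overdue; run acme.sh --renew -d DOMAIN"
        return 1
    fi
    echo "OK: $days day(s) left"
}

# check_cert CERTFILE: one-call wrapper for a cron entry or a monitoring probe.
check_cert() {
    d=$(cert_days_left "$1") || { echo "cannot read $1"; return 2; }
    renewal_ok "$d"
}

# Usage on the host from the tutorial:
#   check_cert /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer
```

Checking the file nginx actually loads (the --fullchainpath target), rather than the copy under /root/.acme.sh, also catches the case where renewal succeeded but the --reloadcmd never installed the new certificate.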
How do I upgrade acme.sh client?
Type the following command to upgrade the acme.sh client to the latest code from https://github.com/Neilpang/acme.sh:
# acme.sh --upgrade
[Thu Feb 13 19:39:07 UTC 2020] Installing from online archive.
[Thu Feb 13 19:39:07 UTC 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Thu Feb 13 19:39:07 UTC 2020] Extracting master.tar.gz
[Thu Feb 13 19:39:07 UTC 2020] Installing to /root/.acme.sh
[Thu Feb 13 19:39:07 UTC 2020] Installed to /root/.acme.sh/acme.sh
[Thu Feb 13 19:39:07 UTC 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Feb 13 19:39:08 UTC 2020] OK
[Thu Feb 13 19:39:08 UTC 2020] Install success!
[Thu Feb 13 19:39:08 UTC 2020] Upgrade success!
1 comment so far:
Thanks. Just set up Nginx as reverse proxy with letsencrypt. It was useful.