How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux

Last updated July 29, 2017

I have already installed and set up a regular Nginx-based HTTP server on Alpine Linux. How do I configure the Nginx web server with a free Let's Encrypt SSL/TLS certificate?

Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.
This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.

Step 1 – Installation

First, install the following packages on Alpine Linux with the apk command:
# apk add netcat-openbsd bc curl wget git bash
Sample outputs:

(1/8) Installing bc (1.06.95-r2)
(2/8) Installing curl (7.54.0-r0)
(3/8) Installing expat (2.2.0-r1)
(4/8) Installing git (2.13.0-r0)
(5/8) Installing git-bash-completion (2.13.0-r0)
(6/8) Installing libbsd (0.8.3-r3)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.1-r2)
Executing busybox-1.26.2-r5.trigger
OK: 106 MiB in 59 packages

Step 2 – Install acme.sh client

Type the following commands to clone the acme.sh client:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git

Sample outputs:

Cloning into 'acme.sh'...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.

To install acme.sh client, enter:
# cd acme.sh/
# sudo -i
# ./acme.sh --install

Sample outputs:

[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/.acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/.acme.sh/acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0   0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK

After installation, you must close the current terminal and reopen it for the alias to take effect, or simply type the following command:
# source ~/.bashrc
Test it:
# acme.sh

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Generate a global dhparam file

First, you must install libressl (apk has no "install" subcommand; the package is added with "apk add"):
# apk add libressl
Next, type the following commands to create a global dhparam file:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# cd /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# openssl dhparam -dsaparam -out dhparams.pem 4096

Step 5 – Issue a certificate for newsletter.cyberciti.biz domain

The syntax is:
# acme.sh --issue -w $D -d newsletter.cyberciti.biz -k 4096
Where,

  1. --issue : Issue a new certificate.
  2. -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
  3. -d newsletter.cyberciti.biz : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
  4. -k 4096 : Specifies the domain key length.

Step 6 – Configure TLS/SSL on Nginx web server

Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf

## START: SSL/HTTPS newsletter.cyberciti.biz ###
server {
    ## "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 443 ssl http2;
    server_name newsletter.cyberciti.biz;
    ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ## TLSv1 and TLSv1.1 are legacy protocols; keep them only if old clients must be supported
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ## The 3DES suites below are likewise legacy and can be dropped when old clients are not a concern
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;

    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;

    ## Enables OCSP stapling (the resolver is needed to fetch OCSP responses)
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;

    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;

    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##

    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include       fastcgi.conf;
    }
    # rest of your config ##
}
## END SSL newsletter.cyberciti.biz ######
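A small audit script, added here and not part of the original tutorial, that reads a flat server block like the one above and flags the settings a defender would tighten: TLS 1.0/1.1 in ssl_protocols, 3DES suites in ssl_ciphers, a listen line without "ssl" (and no "ssl on"), OCSP stapling without a resolver, and the commented-out HSTS header. It is a line-based check, not a full nginx parser, and the embedded config is a constructed copy of the TLS-relevant lines above.

```python
# Added example (not from the tutorial): line-based audit of the TLS
# directives in a flat nginx server block. Not a full nginx parser.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: the TLS-relevant lines of the server block above.
SAMPLE_CONF = """
server {
    listen 443 http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem;
    ssl_stapling on;
    resolver 8.8.8.8;
    #add_header Strict-Transport-Security max-age=31536000;
}
"""

def parse_directives(conf):
    """Return (name, args) for each active directive; '#' comments are
    dropped, so the commented-out add_header above does not count."""
    out = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        parts = [p for p in line.split() if p not in ("{", "}")]
        if parts:
            out.append((parts[0], parts[1:]))
    return out

def audit_tls(conf):
    """Return the findings a defender would want to fix, in check order."""
    directives = parse_directives(conf)
    have = dict(directives)  # last occurrence wins; enough for this check
    findings = []
    if "ssl" not in have.get("listen", []) and have.get("ssl") != ["on"]:
        findings.append("listen: neither 'ssl' parameter nor 'ssl on'")
    legacy = set(have.get("ssl_protocols", [])) & LEGACY_PROTOCOLS
    if legacy:
        findings.append("ssl_protocols: legacy " + " ".join(sorted(legacy)))
    if "3DES" in ":".join(have.get("ssl_ciphers", [])):
        findings.append("ssl_ciphers: 3DES suites enabled")
    if have.get("ssl_stapling") == ["on"] and "resolver" not in have:
        findings.append("ssl_stapling on but no resolver for OCSP fetches")
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
               for n, a in directives):
        findings.append("Strict-Transport-Security header not sent")
    return findings

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against your own conf.d file by reading it into a string; an empty list means none of these checks fired.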

Install the issued certificate to Nginx web server

Type the following command:
# acme.sh --installcert -d newsletter.cyberciti.biz \
--keypath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer \
--reloadcmd '/etc/init.d/nginx restart'

Step 7 – Test it

Fire up a web browser and open the following URL:
https://newsletter.cyberciti.biz

A note about cron job

A cron job will also try to renew the certificate for you. It is installed by default as follows (no action required on your part):
# crontab -l
Sample job:

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

How do I renew a certificate manually?

Type the following command:
# acme.sh --renew -d newsletter.cyberciti.biz

How do I upgrade acme.sh client?

Type the following command to upgrade the acme.sh client to the latest code from https://github.com/Neilpang/acme.sh:
# acme.sh --upgrade

This entry is 4 of 4 in the Installing Linux, Nginx, MySQL/MariaDB, PHP (LEMP stack) in Alpine Linux series. Keep reading the rest of the series:
  1. Install Nginx On Alpine Linux
  2. Install PHP7-fpm On Alpine Linux
  3. How to install and configure logrotate
  4. How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.
