How to secure Nginx with Let’s Encrypt certificate on Alpine Linux

last updated in Categories , , , ,

I already installed and setup regular Nginx based HTTP server on Alpine Linux. How do I configure Nginx web server with letsencrypt free SSL/TLS certificate?

Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.
Nginx SSL/TLS with Let us encrypt
This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.

How to secure Nginx with Let’s Encrypt certificate on Alpine

Let us see all commands to configure and set up Let’s Encrypt SSL/TLS for nginx.

Step 1 – Installation

First, you need to install the following commands on Alpine Linux using apk command:
# apk add netcat-openbsd bc curl wget git bash
Sample outputs:

(1/8) Installing bc (1.07.1-r0)
(2/8) Installing curl (7.61.1-r1)
(3/8) Installing expat (2.2.5-r0)
(4/8) Installing pcre2 (10.31-r0)
(5/8) Installing git (2.18.1-r0)
(6/8) Installing git-bash-completion (2.18.1-r0)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 69 packages

Also install libressl, run the following apk command:
# apk add libressl

(1/1) Installing libressl (2.7.4-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 70 packages

Step 2 – Install acme.sh client

Type the following command to clone the acme.sh client, enter:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Sample outputs:

Cloning into 'acme.sh'...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.

To install acme.sh client, enter:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Sample outputs:

[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/.acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/.acme.sh/acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0   0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK

After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following command:
# source ~/.bashrc
Test it
# acme.sh

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Generate a global dhparam file

First, you must install libressl:
# apk install libressl
Next, type the following command to create a global dhparam file. Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# cd /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# openssl dhparam -dsaparam -out dhparams.pem 4096

Step 4 – Issue a certificate for newsletter.cyberciti.biz domain

The syntax is:
# acme.sh --issue -w $D -d newsletter.cyberciti.biz -k 4096
Where,

  1. --issue : Issue a new certificate.
  2. -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
  3. -d newsletter.cyberciti.biz : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
  4. -k 4096 : Specifies the domain key length.

Step 5 – Configure TLS/SSL on Nginx web server

Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf 

## START: SSL/HTTPS newsletter.cyberciti.biz ###
server {                                        
    listen 443 http2;
    server_name newsletter.cyberciti.biz; 
    ssl on;
    ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;
 
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
 
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
 
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
 
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##
 
   root /var/www/localhost/htdocs;
   index         index.html index.htm index.php;
   server_name   newsletter.cyberciti.biz;
   # configure php
   location ~ \.php$ {
              fastcgi_pass      127.0.0.1:9000;
              fastcgi_index     index.php;
              include           fastcgi.conf;
    }
    # rest of your config ##
}                                               
## END SSL newsletter.cyberciti.biz ######

Install the issued certificate to Nginx web server

Type the following command:
# acme.sh --installcert -d newsletter.cyberciti.biz \
--keypath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer \
--reloadcmd '/etc/init.d/nginx restart'

Step 6 – Test it

Fire a web browser and type the following url:
https://newsletter.cyberciti.biz

A note about cron job

A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):
# crontab -l
Sample job:

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

How do I renew a certificate manually?

Type the following command:
# acme.sh --renew -d newsletter.cyberciti.biz

How do I upgrade acme.sh client?

Type the following command to upgrade acme.sh client to the latest code from https://github.com/Neilpang/acme.sh
# acme.sh --upgrade

This entry is 4 of 4 in the Installing Linux, Nginx, MySQL/MariaDB, PHP (LEMP stack) in Alpine Linux series. Keep reading the rest of the series:
  1. Install Nginx On Alpine Linux
  2. Install PHP7-fpm On Alpine Linux
  3. How to install and configure logrotate
  4. How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux

This entry is 3 of 6 in the Secure Web Server with Let's Encrypt Tutorial series. Keep reading the rest of the series:
  1. Set up Lets Encrypt on Debian/Ubuntu Linux
  2. Secure Lighttpd with Lets Encrypt certificate on Debian/Ubuntu
  3. Configure Nginx with Lets Encrypt certificate on Alpine Linux
  4. Nginx with Lets Encrypt on CentOS 7
  5. Apache with Lets Encrypt Certificates on RHEL 8
  6. CentOS 8 and Apache with Lets Encrypt Certificates

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Start the discussion at www.nixcraft.com

Historical Comment Archive

1 comment

    Still, have a question? Get help on our forum!

Tagged as: Tags