How to secure Nginx with Let’s Encrypt certificate on Alpine Linux


I already installed and set up a regular Nginx-based HTTP server on Alpine Linux. How do I configure the Nginx web server with a free Let's Encrypt SSL/TLS certificate?

Nginx is a free and open source web server that serves static and dynamic web pages and can also act as a reverse proxy and load balancer. Let's Encrypt is a free certificate authority that issues X.509 certificates for Transport Layer Security (TLS) encryption.
Nginx SSL/TLS with Let us encrypt
This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.

Step 1 – Installation

First, install the following packages on Alpine Linux using the apk command:
# apk add netcat-openbsd bc curl wget git bash
Sample outputs:

(1/8) Installing bc (1.06.95-r2)
(2/8) Installing curl (7.54.0-r0)
(3/8) Installing expat (2.2.0-r1)
(4/8) Installing git (2.13.0-r0)
(5/8) Installing git-bash-completion (2.13.0-r0)
(6/8) Installing libbsd (0.8.3-r3)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.1-r2)
Executing busybox-1.26.2-r5.trigger
OK: 106 MiB in 59 packages

Step 2 – Install client

Type the following commands to clone the client:
# cd /tmp/
# git clone

Sample outputs:

Cloning into ''...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.

To install the client, enter:
# cd
# sudo -i
# ./ --install

Sample outputs:

[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0   0 * * * "/root/"/ --cron --home "/root/" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK

After the install, close the current terminal and reopen it so that the alias takes effect, or simply source your shell profile:
# source ~/.bashrc
Test it:

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following commands (set D to the actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Generate a global dhparam file

First, install libressl, which provides the openssl command on Alpine Linux (apk has no "install" subcommand; use "add"):
# apk add libressl
Next, create a global dhparam file. Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/
# cd /etc/nginx/ssl/letsencrypt/
# openssl dhparam -dsaparam -out dhparams.pem 4096

Step 4 – Issue a certificate for domain

The syntax is:
# --issue -w $D -d -k 4096

  1. --issue : Issue a new certificate.
  2. -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
  3. -d : Specifies a domain to issue, renew or revoke a certificate for. Can be given multiple times.
  4. -k 4096 : Specifies the domain key length (4096-bit RSA).

Step 5 – Configure TLS/SSL on Nginx web server

Edit the following file:
# vi /etc/nginx/conf.d/

server {
    ## 'ssl on;' is deprecated; enable TLS with the ssl parameter on the listen line
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/letsencrypt/;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ## TLS 1.0 and 1.1 are deprecated; allow 1.2 only (add TLSv1.3 if your nginx and libssl support it)
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling (ssl_stapling_verify also needs ssl_trusted_certificate and a resolver directive)
    ssl_stapling on;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##
    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_index index.php;
        include fastcgi.conf;
        # rest of your config ##
    }
}
## END SSL ######
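The audit below is an added example, not part of the original tutorial: it greps a server block for the weak settings discussed above (legacy "ssl on;", missing ssl parameter on listen, TLS 1.0/1.1, stapling verification without a chain and resolver, a commented-out HSTS header). The sample config it writes is constructed, and its certificate paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit an nginx server block for the
# TLS settings discussed above. Needs only sh, grep and mktemp, so it runs offline.
# Prints one line per finding; the return code is the number of findings.
audit_nginx_tls() {
    conf="$1"; n=0; sp='[[:space:]]'
    # 'ssl on;' is the legacy switch; the ssl parameter on the listen line replaces it.
    if grep -Eq "^$sp*ssl$sp+on$sp*;" "$conf"; then
        echo "WARN: 'ssl on;' is deprecated, use 'listen 443 ssl'"; n=$((n+1)); fi
    if grep -Eq "^$sp*listen$sp+443($sp|;)" "$conf" &&
       ! grep -Eq "^$sp*listen$sp+443[^;]*${sp}ssl($sp|;)" "$conf"; then
        echo "WARN: listen 443 without the ssl parameter"; n=$((n+1)); fi
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow TLSv1.2 and later only.
    if grep -E "^$sp*ssl_protocols" "$conf" | grep -Eq "TLSv1(\.1)?($sp|;)"; then
        echo "WARN: ssl_protocols still allows TLSv1/TLSv1.1"; n=$((n+1)); fi
    # Verified stapling needs the issuer chain and a resolver for the OCSP responder.
    if grep -Eq "^$sp*ssl_stapling_verify$sp+on" "$conf"; then
        grep -Eq "^$sp*ssl_trusted_certificate" "$conf" ||
            { echo "WARN: ssl_stapling_verify on without ssl_trusted_certificate"; n=$((n+1)); }
        grep -Eq "^$sp*resolver$sp" "$conf" ||
            { echo "WARN: ssl_stapling_verify on without resolver"; n=$((n+1)); }
    fi
    # A commented-out HSTS header protects nothing.
    grep -Eq "^$sp*add_header$sp+Strict-Transport-Security" "$conf" ||
        { echo "WARN: no active Strict-Transport-Security header"; n=$((n+1)); }
    return $n
}

# Constructed sample mirroring the weak settings in the config above (placeholder paths).
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 http2;
    ssl on;
    ssl_certificate /etc/nginx/ssl/letsencrypt/PLACEHOLDER-fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/PLACEHOLDER.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security max-age=31536000;
}
EOF
}

weak=$(mktemp); write_weak_conf "$weak"
n=0; audit_nginx_tls "$weak" || n=$?
echo "$n finding(s)"   # 6 finding(s) for the sample above
rm -f "$weak"
```

Run it against your real file (for example the one under /etc/nginx/conf.d/) after editing, and again after every "nginx -t"; the warnings are the items to fix before reloading.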

Install the issued certificate to Nginx web server

Type the following command:
# --installcert -d \
--keypath /etc/nginx/ssl/letsencrypt/ \
--fullchainpath /etc/nginx/ssl/letsencrypt/ \
--reloadcmd '/etc/init.d/nginx restart'

Step 6 – Test it

Fire up a web browser and visit the following URL:

A note about cron job

A cron job will also try to renew the certificate for you. It is installed by default as follows (no action required on your part):
# crontab -l
Sample job:

0 0 * * * "/root/"/ --cron --home "/root/" > /dev/null
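The check below is an added example, not part of the original tutorial or the client: it tells you whether the cron job above is actually keeping the installed certificate fresh. Let's Encrypt certificates are valid for 90 days, so fewer than 30 days left means renewal has been failing silently. It builds a throwaway self-signed certificate as a constructed stand-in, and every path in it is a placeholder or a temporary file.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check whether the renewal cron job is
# keeping the installed certificate fresh. Needs only openssl (LibreSSL works too).

# True when the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints ok / warning / critical / expired for the certificate in $1.
# Renewal normally happens with 30 days to spare, so anything below "ok" needs a look.
renewal_status() {
    if   cert_valid_for_days "$1" 30; then echo ok
    elif cert_valid_for_days "$1" 7;  then echo warning
    elif cert_valid_for_days "$1" 0;  then echo critical
    else echo expired; fi
}

# Constructed input: a throwaway self-signed certificate valid for $2 days, written to
# $1/test.crt. It stands in for the issued certificate so the check runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=example.test' \
        -keyout "$1/test.key" -out "$1/test.crt" >/dev/null 2>&1
}

d=$(mktemp -d); make_test_cert "$d" 10
echo "renewal status: $(renewal_status "$d/test.crt")"   # warning (10 days left)
rm -rf "$d"
```

Point renewal_status at the fullchain file you passed to --fullchainpath and run it from a second cron entry or your monitoring system.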

How do I renew a certificate manually?

Type the following command:
# --renew -d

How do I upgrade client?

Type the following command to upgrade the client to the latest code from
# --upgrade

Posted by: Vivek Gite
