Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.
This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.
Step 1 – Installation
First, you need to install the following commands on Alpine Linux using apk command:
# apk add netcat-openbsd bc curl wget git bash
Sample outputs:
(1/8) Installing bc (1.06.95-r2) (2/8) Installing curl (7.54.0-r0) (3/8) Installing expat (2.2.0-r1) (4/8) Installing git (2.13.0-r0) (5/8) Installing git-bash-completion (2.13.0-r0) (6/8) Installing libbsd (0.8.3-r3) (7/8) Installing netcat-openbsd (1.130-r1) (8/8) Installing wget (1.19.1-r2) Executing busybox-1.26.2-r5.trigger OK: 106 MiB in 59 packages
Step 2 – Install acme.sh client
Type the following command to clone the acme.sh client, enter:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Sample outputs:
Cloning into 'acme.sh'... remote: Counting objects: 4762, done. remote: Compressing objects: 100% (6/6), done. remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754 Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done. Resolving deltas: 100% (2516/2516), done.
To install acme.sh client, enter:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Sample outputs:
[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/.acme.sh [Sat Jul 29 11:20:29 GMT 2017] Installed to /root/.acme.sh/acme.sh [Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc' [Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using acme.sh [Sat Jul 29 11:20:29 GMT 2017] Installing cron job 0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null [Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred. [Sat Jul 29 11:20:29 GMT 2017] OK |
After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following command:
# source ~/.bashrc
Test it
# acme.sh
Step 3 – Create /.well-known/acme-challenge/ directory
Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Step 4 – Generate a global dhparam file
First, you must install libressl:
# apk install libressl
Next, type the following command to create a global dhparam file. Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# cd /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# openssl dhparam -dsaparam -out dhparams.pem 4096
Step 4 – Issue a certificate for newsletter.cyberciti.biz domain
The syntax is:
# acme.sh --issue -w $D -d newsletter.cyberciti.biz -k 4096
Where,
- --issue : Issue a new certificate.
- -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
- -d newsletter.cyberciti.biz : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
- -k 4096 : Specifies the domain key length.
Step 5 – Configure TLS/SSL on Nginx web server
Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf
## START: SSL/HTTPS newsletter.cyberciti.biz ### server { listen 443 http2; server_name newsletter.cyberciti.biz; ssl on; ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer; ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem; ssl_prefer_server_ciphers on; ## Improves TTFB by using a smaller SSL buffer than the nginx default ssl_buffer_size 8k; ## Enables OCSP stapling ssl_stapling on; resolver 8.8.8.8; ssl_stapling_verify on; ## Send header to tell the browser to prefer https to http traffic #add_header Strict-Transport-Security max-age=31536000; ## SSL logs ## access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log; error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log; #-------- END SSL config -------## root /var/www/localhost/htdocs; index index.html index.htm index.php; server_name newsletter.cyberciti.biz; # configure php location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi.conf; } # rest of your config ## } ## END SSL newsletter.cyberciti.biz ###### |
Install the issued certificate to Nginx web server
Type the following command:
# acme.sh --installcert -d newsletter.cyberciti.biz \
--keypath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer \
--reloadcmd '/etc/init.d/nginx restart'
Step 6 – Test it
Fire a web browser and type the following url:
https://newsletter.cyberciti.biz
A note about cron job
A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):
# crontab -l
Sample job:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
How do I renew a certificate manually?
Type the following command:
# acme.sh --renew -d newsletter.cyberciti.biz
How do I upgrade acme.sh client?
Type the following command to upgrade acme.sh client to the latest code from https://github.com/Neilpang/acme.sh
# acme.sh --upgrade
- Install Nginx On Alpine Linux
- Install PHP7-fpm On Alpine Linux
- How to install and configure logrotate
- How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux