How to secure Nginx with Let’s Encrypt certificate on Alpine Linux

Author: Last updated: July 6, 2020 1 comment
I already installed and setup regular Nginx based HTTP server on Alpine Linux. How do I configure Nginx web server with letsencrypt free SSL/TLS certificate?

Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.

This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.

How to secure Nginx with Let’s Encrypt certificate on Alpine

Let us see all commands to configure and set up Let’s Encrypt SSL/TLS for nginx.

Step 1 – Installation

First, you need to install the following commands including openssl on Alpine Linux using apk command:
# apk add netcat-openbsd bc curl wget git bash openssl
Sample outputs:

(1/8) Installing bc (1.07.1-r0)
(2/8) Installing curl (7.61.1-r1)
(3/8) Installing expat (2.2.5-r0)
(4/8) Installing pcre2 (10.31-r0)
(5/8) Installing git (2.18.1-r0)
(6/8) Installing git-bash-completion (2.18.1-r0)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 69 packages

Also install libressl, run the following apk command:
# apk add libressl

(1/1) Installing libressl (2.7.4-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 70 packages

Step 2 – Install acme.sh client

Type the following command to clone the acme.sh client, enter:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Sample outputs:

Cloning into 'acme.sh'...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.

To install acme.sh client, enter:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Sample outputs:

[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/.acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/.acme.sh/acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0   0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK

After install, you must close current terminal and reopen again to make the alias take effect. Or simply type the following command:
# source ~/.bashrc
Test it
# acme.sh

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Generate a global dhparam file

First, you must install libressl:
# apk install libressl
Next, type the following command to create a global dhparam file. Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# cd /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/
# openssl dhparam -dsaparam -out dhparams.pem 4096

Step 4 – Issue a certificate for newsletter.cyberciti.biz domain

The syntax is:
# acme.sh --issue -w $D -d newsletter.cyberciti.biz -k 4096
Where,

  1. --issue : Issue a new certificate.
  2. -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
  3. -d newsletter.cyberciti.biz : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
  4. -k 4096 : Specifies the domain key length.

Step 5 – Configure TLS/SSL on Nginx web server

Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.cyberciti.biz.conf 

## START: SSL/HTTPS newsletter.cyberciti.biz ###
server {                                        
    listen 443 http2;
    server_name newsletter.cyberciti.biz; 
    ssl on;
    ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/dhparams.pem;
    ssl_prefer_server_ciphers on;
 
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
 
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
 
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
 
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##
 
   root /var/www/localhost/htdocs;
   index         index.html index.htm index.php;
   server_name   newsletter.cyberciti.biz;
   # configure php
   location ~ \.php$ {
              fastcgi_pass      127.0.0.1:9000;
              fastcgi_index     index.php;
              include           fastcgi.conf;
    }
    # rest of your config ##
}                                               
## END SSL newsletter.cyberciti.biz ######

Install the issued certificate to Nginx web server

Type the following command:
# acme.sh --installcert -d newsletter.cyberciti.biz \
--keypath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.key \
--fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.cyberciti.biz/newsletter.cyberciti.biz.cer \
--reloadcmd '/etc/init.d/nginx restart'

Step 6 – Test it

Fire a web browser and type the following url:
https://newsletter.cyberciti.biz

A note about cron job

A cron job will try to do renewal a certificate for you too. This is installed by default as follows (no action required on your part):
# crontab -l
Sample job:

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

How do I renew a certificate manually?

Type the following command:
# acme.sh --renew -d newsletter.cyberciti.biz

How do I upgrade acme.sh client?

Type the following command to upgrade acme.sh client to the latest code from https://github.com/Neilpang/acme.sh
# acme.sh --upgrade 

[Thu Feb 13 19:39:07 UTC 2020] Installing from online archive.
[Thu Feb 13 19:39:07 UTC 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Thu Feb 13 19:39:07 UTC 2020] Extracting master.tar.gz
[Thu Feb 13 19:39:07 UTC 2020] Installing to /root/.acme.sh
[Thu Feb 13 19:39:07 UTC 2020] Installed to /root/.acme.sh/acme.sh
[Thu Feb 13 19:39:07 UTC 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Feb 13 19:39:08 UTC 2020] OK
[Thu Feb 13 19:39:08 UTC 2020] Install success!
[Thu Feb 13 19:39:08 UTC 2020] Upgrade success!
This entry is 4 of 4 in the Installing Linux, Nginx, MySQL/MariaDB, PHP (LEMP stack) in Alpine Linux series. Keep reading the rest of the series:
  1. Install Nginx On Alpine Linux
  2. Install PHP7-fpm On Alpine Linux
  3. How to install and configure logrotate
  4. How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux
This entry is 3 of 13 in the Secure Web Server with Let's Encrypt Tutorial series. Keep reading the rest of the series:
  1. Set up Lets Encrypt on Debian/Ubuntu Linux
  2. Secure Lighttpd with Lets Encrypt certificate on Debian/Ubuntu
  3. Configure Nginx with Lets Encrypt certificate on Alpine Linux
  4. Nginx with Lets Encrypt on CentOS 7
  5. Apache with Lets Encrypt Certificates on RHEL 8
  6. CentOS 8 and Apache with Lets Encrypt Certificates
  7. Install Lets Encrypt certificates on CentOS 8 for Nginx
  8. Forcefully renew Let's Encrypt certificate
  9. OpenSUSE Linux and Nginx with Let's Encrypt Certificates
  10. Configure Nginx to use TLS 1.2 / 1.3 only
  11. Let's Encrypt wildcard certificate with acme.sh and Cloudflare DNS
  12. Nginx with Let's Encrypt on Ubuntu 18.04 with DNS Validation
  13. AWS Route 53 Let's Encrypt wildcard certificate with acme.sh
🐧 If you liked this page, please support my work on Patreon or with a donation.
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
1 comment… add one
  • Sam from IT Sep 4, 2018 @ 7:05

    Thanks. Just set up Nginx as reverse proxy with letsencrypt. It was useful.

    Reply Link

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: