How to secure Nginx with Let’s Encrypt certificate on Alpine Linux

I already installed and setup regular Nginx based HTTP server on Alpine Linux. How do I configure Nginx web server with letsencrypt free SSL/TLS certificate?

Nginx is a free and open source web server. You need nginx to display static or dynamic web pages. Nginx can also act as a reverse proxy and load balancer. Let’s Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.

This tutorial shows how to install Let’s Encrypt for nginx on Alpine Linux.

How to secure Nginx with Let’s Encrypt certificate on Alpine

Let us see all commands to configure and set up Let’s Encrypt SSL/TLS for nginx.

Step 1 – Installation

First, install the following tools, including openssl, on Alpine Linux using the apk command:
# apk add netcat-openbsd bc curl wget git bash openssl
Sample outputs:

(1/8) Installing bc (1.07.1-r0)
(2/8) Installing curl (7.61.1-r1)
(3/8) Installing expat (2.2.5-r0)
(4/8) Installing pcre2 (10.31-r0)
(5/8) Installing git (2.18.1-r0)
(6/8) Installing git-bash-completion (2.18.1-r0)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 69 packages

Also install libressl by running the following apk command:
# apk add libressl

(1/1) Installing libressl (2.7.4-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 70 packages

Step 2 – Install client

Type the following commands to clone the client:
# cd /tmp/
# git clone

Sample outputs:

Cloning into ''...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.

To install client, enter:
# cd
# sudo -i
# ./ --install

Sample outputs:

[Sat Jul 29 11:20:29 GMT 2017] Installing to /root/
[Sat Jul 29 11:20:29 GMT 2017] Installed to /root/
[Sat Jul 29 11:20:29 GMT 2017] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2017] OK, Close and reopen your terminal to start using
[Sat Jul 29 11:20:29 GMT 2017] Installing cron job
0   0 * * * "/root/"/ --cron --home "/root/" > /dev/null
[Sat Jul 29 11:20:29 GMT 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2017] OK

After installation, you must close the current terminal and reopen it for the alias to take effect. Or simply type the following command:
# source ~/.bashrc
Test it

Step 3 – Create /.well-known/acme-challenge/ directory

Type the following command (set D to actual DocumentRoot path as per your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/

Step 4 – Generate a global dhparam file

First, you must install libressl:
# apk add libressl
Next, type the following commands to create a global dhparam file:
# mkdir -p /etc/nginx/ssl/letsencrypt/
# cd /etc/nginx/ssl/letsencrypt/
# openssl dhparam -dsaparam -out dhparams.pem 4096

Step 4 – Issue a certificate for domain

The syntax is:
# --issue -w $D -d -k 4096

  1. --issue : Issue a new certificate.
  2. -w /DocumentRootPath/ : Specifies the web root folder for web root mode.
  3. -d : Specifies a domain, used to issue, renew or revoke etc. Can be used multiple times.
  4. -k 4096 : Specifies the domain key length.

Step 5 – Configure TLS/SSL on Nginx web server

Edit the following file:
# vi /etc/nginx/conf.d/

server {
    ## TLS is enabled with the "ssl" parameter of listen (the separate "ssl on;" directive is obsolete)
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/letsencrypt/;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled here
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.cyberciti.biz_ssl_access.log;
    error_log /var/log/nginx/newsletter.cyberciti.biz_ssl_error.log;
    #-------- END SSL config -------##
    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_index index.php;
        include fastcgi.conf;
        # rest of your config ##
    }
}
## END SSL ######
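
The following script is an added example, not part of the original tutorial. It audits a server block for the TLS settings this step configures: the obsolete ssl on; directive, a port 443 listener without the ssl parameter, deprecated protocol versions, and a missing HSTS header. The function names audit_nginx_tls and sample_conf and the sample configuration are assumptions made for the example.

```shell
# Added example (not from the tutorial): flag weak or obsolete TLS settings.
# Reads nginx config from the files given as arguments, or from stdin.
audit_nginx_tls() {
    # Strip comments so commented-out directives do not count as active.
    active=$(sed -e 's/#.*$//' "$@")

    # "ssl on;" is obsolete; TLS is enabled per listener with "listen ... ssl".
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "OBSOLETE: 'ssl on;' is set, use the 'ssl' parameter of listen"
    fi

    # Every listener on port 443 should carry the ssl parameter.
    printf '%s\n' "$active" |
    grep -E '^[[:space:]]*listen[[:space:]]+([^;]*[[:space:]:])?443[[:space:];]' |
    while IFS= read -r line; do
        case " $(printf '%s' "$line" | tr -s ';\t' '  ') " in
            *" ssl "*) ;;
            *) echo "LISTEN: port 443 listener has no 'ssl' parameter" ;;
        esac
    done

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); SSLv2/SSLv3 are broken.
    protos=$(printf '%s\n' "$active" |
        grep -E '^[[:space:]]*ssl_protocols[[:space:]]' | tr -s ';\t' '  ')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "PROTOCOL: $p is enabled" ;;
        esac
    done

    # HSTS counts only when the add_header line is active.
    if ! printf '%s\n' "$active" |
        grep -Eiq 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "HSTS: Strict-Transport-Security header is not sent"
    fi
}

# Constructed sample input: a server block with the settings the audit flags.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #add_header Strict-Transport-Security max-age=31536000;
}
EOF
}
sample_conf | audit_nginx_tls
```

To audit a real file, pass its path as the argument to audit_nginx_tls. Comment stripping is a plain '#' match, so a '#' inside a quoted value is treated as the start of a comment.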

Install the issued certificate to Nginx web server

Type the following command:
# --installcert -d \
--keypath /etc/nginx/ssl/letsencrypt/ \
--fullchainpath /etc/nginx/ssl/letsencrypt/ \
--reloadcmd '/etc/init.d/nginx restart'

Step 6 – Test it

Open a web browser and type the following URL:

A note about cron job

A cron job will also try to renew the certificate for you. It is installed by default as follows (no action required on your part):
# crontab -l
Sample job:

0 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

How do I renew a certificate manually?

Type the following command:
# --renew -d

How do I upgrade client?

Type the following command to upgrade client to the latest code from
# --upgrade

[Thu Feb 13 19:39:07 UTC 2020] Installing from online archive.
[Thu Feb 13 19:39:07 UTC 2020] Downloading
[Thu Feb 13 19:39:07 UTC 2020] Extracting master.tar.gz
[Thu Feb 13 19:39:07 UTC 2020] Installing to /root/
[Thu Feb 13 19:39:07 UTC 2020] Installed to /root/
[Thu Feb 13 19:39:07 UTC 2020] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Feb 13 19:39:08 UTC 2020] OK
[Thu Feb 13 19:39:08 UTC 2020] Install success!
[Thu Feb 13 19:39:08 UTC 2020] Upgrade success!
This entry is 4 of 4 in the Installing Linux, Nginx, MySQL/MariaDB, PHP (LEMP stack) in Alpine Linux series. Keep reading the rest of the series:
  1. Install Nginx On Alpine Linux
  2. Install PHP7-fpm On Alpine Linux
  3. How to install and configure logrotate
  4. How to install Letsencrypt free SSL/TLS for Nginx certificate on Alpine Linux

  • Sam from IT Sep 4, 2018 @ 7:05

    Thanks. Just set up Nginx as reverse proxy with letsencrypt. It was useful.
