How to secure Nginx with Let’s Encrypt on OpenSUSE 15.1/15.2

Let’s Encrypt is a free, automated, and open certificate authority for your website, email server, database server and more. This page shows how to use Let’s Encrypt to install a TLS certificate for the Nginx web server and get an SSL Labs/security headers A+ score on OpenSUSE Linux version 15.1/15.2.

Tutorial requirements
Operating system/app: OpenSUSE Linux 15.1/15.2 with Nginx
Root privileges required: Yes
Difficulty: Intermediate
Estimated completion time: 20m

How to secure Nginx with Let’s Encrypt on OpenSUSE Linux

The procedure to obtain an SSL/TLS certificate is as follows:

  1. Get the client, run:
    git clone
  2. Create an nginx config for your domain:
    vi /etc/nginx/vhosts.d/your-domain-name.conf
  3. Obtain an SSL certificate for your domain: --issue -d your-domain-name --nginx
  4. Configure TLS on Nginx:
    vi /etc/nginx/conf.d/your-domain-name.conf
  5. Set up a cron job for automatic renewal of TLS certificates
  6. Open port 443 (HTTPS) using firewalld:
    sudo firewall-cmd --add-service=https

Let us see all steps in details.

Step 1 – Install the required software (prerequisites)

Open the terminal and then type the following commands. Make sure you update OpenSUSE Linux software and kernel using CLI as follows:
$ sudo zypper ref
$ sudo zypper up

Our client needs curl, wc and other packages. Hence, we must install the required software using the zypper command:
$ sudo zypper install wget curl bc git socat cronie

Install Nginx on OpenSUSE Linux

Again, use zypper:
$ sudo zypper install nginx
$ sudo systemctl enable nginx.service

Created symlink /etc/systemd/system/ → /usr/lib/systemd/system/nginx.service.

Start the Nginx server and verify it using the systemctl command:
$ sudo systemctl start nginx.service
$ sudo systemctl status nginx.service

 nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-07-06 18:49:32 UTC; 2min 4s ago
 Main PID: 13990 (nginx)
    Tasks: 2
   CGroup: /system.slice/nginx.service
           ├─13990 nginx: master process /usr/sbin/nginx -g daemon off;
           └─13991 nginx: worker process

Jul 06 18:49:32 opensuse-nixcraft-42 systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 06 18:49:32 opensuse-nixcraft-42 nginx[13989]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 06 18:49:32 opensuse-nixcraft-42 nginx[13989]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 06 18:49:32 opensuse-nixcraft-42 systemd[1]: Started The nginx HTTP and reverse proxy server.

Finally, open HTTP port 80 using firewalld on OpenSUSE Linux:
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --list-services

ssh dhcpv6-client http

Step 2 – Installing Let’s Encrypt client

We must clone the repo:
$ cd /tmp/
$ git clone

Install the client but first log in as root user using the su command/sudo command:
$ sudo -i
# touch /root/.bashrc
# cd /tmp/
# --install --accountemail your-email-id@domain-here

Step 3 – Basic Nginx configuration for http server on OpenSUSE

I am going to create a new config for domain named (feel free to replace with your actual domain name) as follows:
# vi /etc/nginx/vhosts.d/
Append the following directives:

# http port 80 config
server {
    listen      80 default_server; # IPv4
    listen [::]:80 default_server; # IPv6
    server_name; # domain name 
    access_log  /var/log/nginx/http_opensuse.cyberciti.biz_access.log;
    error_log   /var/log/nginx/http_opensuse.cyberciti.biz_error.log;
    root        /srv/www/htdocs;
}

Save and close the file. Test the nginx configuration and restart the nginx server as follows:
# nginx -t && systemctl restart nginx.service

Step 4 – Create dhparam.pem file

We need to create a Diffie-Hellman parameters file (used for DHE key exchange) with the openssl command, as follows:
# mkdir -pv /etc/nginx/ssl/
# cd /etc/nginx/ssl/
# openssl dhparam -out dhparams.pem -dsaparam 4096
# ls -l

Step 5 – Obtain a certificate for domain

We can issue a certificate using the Nginx server as configured in step 3. However, if your server is behind reverse proxy CDN such as Cloudflare, use the standalone mode as described below.

Issue a certificate using pre-configured Nginx

# DOM=""
# D="/srv/www/htdocs"
# mkdir -pv ${D}/.well-known/acme-challenge/
# --webroot "${D}" --issue -d "$DOM" --ocsp-must-staple --keylength 4096
## GET ecc cert too. Only ec-384 or ec-256 ##
# --webroot "${D}" --issue -d "$DOM" --ocsp-must-staple --keylength ec-384

Issue a certificate in standalone mode

# DOM=""
# --issue --standalone -d "$DOM" --ocsp-must-staple --keylength 4096
## GET ecc cert too. Only ec-384 or ec-256 ##
# --issue --standalone -d "$DOM" --ocsp-must-staple --keylength ec-384


  • --webroot /srv/www/htdocs : Specifies the web root folder for web root mode. You must create /.well-known/acme-challenge/ in the root.
  • --issue : Issue a certificate.
  • -d domain-name : Specifies a domain, used to issue, renew or revoke. We can use it multiple times. For example: --issue -d -d --ocsp-must-staple --keylength 4096
  • --ocsp-must-staple : Generate the OCSP Must-Staple extension in the certificate
  • --keylength 4096 : Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
  • --keylength ec-256 : Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide equivalent security.
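Before wiring the files from steps 4 and 5 into nginx it is worth checking that they contain what you asked for: the expected key type and length, the OCSP Must-Staple extension requested with --ocsp-must-staple, and a dhparam file of the intended size. The script below is an added example, not code from this page or from the ACME client it uses. It assumes the openssl CLI (1.1.1 or newer, for -addext); the make_test_cert helper is hypothetical and exists only so the checks can be exercised offline on throwaway self-signed certificates. On a real server you would point cert_key_info and cert_has_must_staple at the issued .cer file and dhparam_bits at /etc/nginx/ssl/dhparams.pem.

```shell
#!/bin/sh
# Added example (not the page's or the client's code). Assumes the openssl CLI,
# version 1.1.1 or newer (for the -addext option used by the test helper).
set -eu

# Print "RSA <bits>" or "EC <bits>" for a PEM certificate. Parses the -text
# output, which names the algorithm and prints "Public-Key: (<n> bit)".
cert_key_info() {
    text=$(openssl x509 -in "$1" -noout -text)
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case $alg in
        rsaEncryption)  printf 'RSA %s\n' "$bits" ;;
        id-ecPublicKey) printf 'EC %s\n' "$bits" ;;
        *)              printf '%s %s\n' "$alg" "$bits" ;;
    esac
}

# Succeed only if the certificate carries the TLS Feature extension
# (status_request = OCSP Must-Staple) that --ocsp-must-staple requests.
cert_has_must_staple() {
    openssl x509 -in "$1" -noout -text | grep -q 'status_request'
}

# Print the size in bits of a dhparam file (step 4 expects 4096).
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text | sed -n 's/.*Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Hypothetical helper: throwaway self-signed certificate for offline testing.
# $1 output prefix, $2 "rsa:<bits>" or "ec:<curve>", $3 "staple" adds Must-Staple.
make_test_cert() {
    prefix=$1; spec=$2; staple=${3:-}
    case $spec in
        rsa:*) keyargs="-newkey $spec" ;;
        ec:*)  keyargs="-newkey ec -pkeyopt ec_paramgen_curve:${spec#ec:}" ;;
        *)     echo "unknown key spec: $spec" >&2; return 2 ;;
    esac
    ext=""
    if [ "$staple" = staple ]; then ext="-addext tlsfeature=status_request"; fi
    # word splitting of $keyargs and $ext is intended
    openssl req -x509 -nodes -days 1 -subj "/CN=example.test" $keyargs $ext \
        -keyout "$prefix.key" -out "$prefix.cer" 2>/dev/null
}

# Stand-alone demo on constructed files (small sizes keep it fast; the real
# server uses 4096-bit RSA / P-384 and a 4096-bit dhparam as the tutorial shows).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp/rsa" rsa:2048 staple
make_test_cert "$tmp/ec"  ec:secp384r1
openssl dhparam -dsaparam -out "$tmp/dh.pem" 2048 2>/dev/null
for c in "$tmp/rsa.cer" "$tmp/ec.cer"; do
    if cert_has_must_staple "$c"; then s=yes; else s=no; fi
    echo "$c: $(cert_key_info "$c"), must-staple=$s"
done
echo "dhparam: $(dhparam_bits "$tmp/dh.pem") bit"
```

A certificate issued with --ocsp-must-staple but served by an nginx whose ssl_stapling is off (or whose resolver cannot reach the OCSP responder) is rejected by browsers that honour the extension, so the Must-Staple check is the one to repeat after any change to the step 6 server block.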

Step 6 – Configure Nginx on an OpenSUSE Linux server

Edit the config file:
# vi /etc/nginx/vhosts.d/
Update as follows:

# http port 80 config
server {
    listen      80 default_server; # IPv4
    listen [::]:80 default_server; # IPv6
    access_log  off;
    error_log   off;
    root        /srv/www/htdocs;
    return 301 https://$host$request_uri;
}
# https port 443 config
server {
    listen 443 ssl http2;                # IPv4
    listen [::]:443 ssl http2;           # HTTP/2 TLS IPv6
    server_name;  # domain name 
    # Set document root 
    location / {
            root   /srv/www/htdocs;
            index  index.html index.htm;
    }
    # Set access and error log for this vhost
    access_log /var/log/nginx/https.opensuse.cyberciti.biz_access.log;
    error_log  /var/log/nginx/https.opensuse.cyberciti.biz_error.log;
    ssl_certificate /etc/nginx/ssl/;
    ssl_certificate_key /etc/nginx/ssl/;
    # ECC certificates 
    ssl_certificate /etc/nginx/ssl/;
    ssl_certificate_key /etc/nginx/ssl/;
    ssl_dhparam  /etc/nginx/ssl/;
    # A little bit of optimization  
    ssl_session_timeout 1d;
    ssl_session_cache shared:NixCraftSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
    # TLS version 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Referrer-Policy  strict-origin-when-cross-origin always;
    add_header Feature-policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
    # WARNING: The HTTP Content-Security-Policy response header allows sysadmins/developers
    # to control the resources the user agent is allowed to load for a given page.
    # A wrong config can break third-party scripts/ad networks. Hence read the following url: 
    add_header content-security-policy "default-src" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/;
    # Replace with the IP address of your resolver
}

Sample index.html

Create a new file as follows:
# vi /srv/www/htdocs/index.html
Append the following code:

<!doctype html>
<html lang="en">
<title>OpenSUSE.Cyberciti.Biz Nginx server</title>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<h2>Hello, World!</h2>
<p>This is a test server powered by OpenSUSE Linux 15.2 and Nginx with a free TLS certificate.</p>
Email us <a href=""></a>.

Step 7 – Installing Let’s Encrypt TLS certificate on OpenSUSE 15.1/15.2

Install the issued cert to nginx server and reload the server:
# DOM=""
# -d "$DOM" \
--install-cert \
--reloadcmd "systemctl reload nginx" \
--fullchain-file "/etc/nginx/ssl/$DOM.fullchain.cer" \
--key-file "/etc/nginx/ssl/$DOM.key" \
--cert-file "/etc/nginx/ssl/$DOM.cer"

Install the ECC certificate too:
# -d "$DOM" \
--ecc \
--install-cert \
--reloadcmd "systemctl reload nginx" \
--fullchain-file "/etc/nginx/ssl/$DOM.fullchain.cer.ecc" \
--key-file "/etc/nginx/ssl/$DOM.key.ecc" \
--cert-file "/etc/nginx/ssl/$DOM.cer.ecc"

Step 8 – Open TCP port 443 [HTTPS port]

It is time to open HTTPS TCP port 443 using firewalld on OpenSUSE Linux as follows:
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --zone=public --add-service=https --permanent
# firewall-cmd --list-services
# curl -I

Step 9 – Test it

SSL labs test:

Security headers test:

Fire a web browser and type your domain such as:
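The online header scanners above check the same thing you can check locally: that every add_header line from step 6 actually reaches the client. The script below is an added example (not from this page); it reads a response head such as the one `curl -sI https://your-domain/` prints, lists the required headers that are missing, and extracts the HSTS max-age. The SAMPLE_GOOD and SAMPLE_WEAK responses are constructed for the demo, not captured from a real server, and the CSP value in SAMPLE_GOOD is an assumed one.

```shell
#!/bin/sh
# Added example, not code from the page. Usage on a live server:
#   curl -sI https://your-domain/ | missing_security_headers
set -eu

# Response headers the step 6 server block is expected to emit. Names are
# compared in lower case: HTTP/2 lowercases them, HTTP/1.1 names are case-insensitive.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options x-xss-protection referrer-policy feature-policy content-security-policy"

# Read a response head on stdin; print each required header that is absent, one per line.
missing_security_headers() {
    names=$(tr -d '\r' | sed -n 's/^\([A-Za-z0-9-]*\):.*/\1/p' | tr 'A-Z' 'a-z')
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$names" | grep -qx "$h"; then
            printf '%s\n' "$h"
        fi
    done
}

# Read a response head on stdin; print the HSTS max-age value (nothing if absent).
hsts_max_age() {
    tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p'
}

# Constructed sample: what the step 6 server block should produce over HTTP/2.
SAMPLE_GOOD=$(cat <<'EOF'
HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=63072000
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
referrer-policy: strict-origin-when-cross-origin
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'
content-security-policy: default-src 'self'
EOF
)

# Constructed sample: a server that forgot HSTS and CSP (HTTP/1.1 header casing).
SAMPLE_WEAK=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Feature-Policy: camera 'none'
EOF
)

echo "good sample, missing: [$(printf '%s\n' "$SAMPLE_GOOD" | missing_security_headers)]"
echo "weak sample, missing:"
printf '%s\n' "$SAMPLE_WEAK" | missing_security_headers
echo "good sample HSTS max-age: $(printf '%s\n' "$SAMPLE_GOOD" | hsts_max_age)"
```

Because the step 6 config uses the `always` parameter on every add_header line, the headers should also be present on error responses; running the check against a 404 URL as well as the front page catches an nginx block that only adds them on 200s.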

Step 10 – Essential commands

To list all certificates, run:
# --list

Main_Domain  KeyLength  SAN_Domains  Created                       Renew
             "4096"     no           Mon Jul  6 19:07:07 UTC 2020  Fri Sep  4 19:07:07 UTC 2020
             "ec-384"   no           Mon Jul  6 19:11:54 UTC 2020  Fri Sep  4 19:11:54 UTC 2020

Renew a cert for domain named
# --renew -d
# --force --renew -d -d

Please note that a cron job will also try to renew the certificate for you. It is installed by default (no action required on your part). To see the cron job, run:
# crontab -l

28 0 * * * "/root/"/ --cron --home "/root/" > /dev/null

To upgrade the client, execute:
# --upgrade
Getting help is easy:
# --help | more


We explained how to install and set up a Let’s Encrypt TLS/SSL certificate on your OpenSUSE Linux 15.1/15.2 nginx-based server with OCSP stapling and ECC certificates. See the project home page for more information.

This entry is 2 of 3 in the OpenSUSE Linux LEMP Stack Tutorial series. Keep reading the rest of the series:
  1. Install and use Nginx on OpenSUSE Linux
  2. Secure Nginx with Let's Encrypt on OpenSUSE Linux
  3. Install PHP on OpenSUSE Linux 15.2/15.1

  • Esha Jul 18, 2020 @ 4:15

    Awesome and worked like a charm.
