How to Set Up Nginx with Let’s Encrypt using ACME on Ubuntu 20.04

In a previous tutorial, we described how to obtain a free SSL/TLS certificate from Let’s Encrypt by using Certbot.

In this tutorial, we would like to show you another way that you can easily obtain and renew a free SSL/TLS certificate from Let’s Encrypt by using the acme.sh script on Ubuntu 20.04.

If you do not yet have a working NGINX web server, here is an easy NGINX installation guide that you can follow.

Get acme.sh

The acme.sh shell script automates the issuance and renewal of free certificates from Let’s Encrypt. You can get the acme.sh script either by downloading it directly from the web or by cloning its git project.

Download acme.sh from the web

Run either of the two commands below to download and execute the acme.sh script. Each one pipes the download straight into sh, so the script runs as soon as it is fetched.

$ curl https://get.acme.sh | sh

Or

$ wget -O - https://get.acme.sh | sh

Below is an example of what you can expect when the script executes.

$ wget -O -  https://get.acme.sh | sh
 --2021-02-16 11:55:47--  https://get.acme.sh/
 Resolving get.acme.sh (get.acme.sh)... 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710, 172.67.199.16, ...
 Connecting to get.acme.sh (get.acme.sh)|2606:4700:3032::6815:223e|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [text/html]
 Saving to: ‘STDOUT’
 [ <=>                ]     937  --.-KB/s    in 0s 
 2021-02-16 11:55:47 (11.8 MB/s) - written to stdout [937]
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  204k  100  204k    0     0  3350k      0 --:--:-- --:--:-- --:--:-- 3350k
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first.
 [Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode.
 [Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/.acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/.acme.sh/acme.sh
 [Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc'
 [Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job
 47 0 * * * "/home/shola/.acme.sh"/acme.sh --cron --home "/home/shola/.acme.sh" > /dev/null
 [Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred.
 [Tue 16 Feb 2021 11:55:48 AM UTC] OK
 [Tue 16 Feb 2021 11:55:48 AM UTC] Install success!
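
As an added example (not part of acme.sh or the original tutorial): instead of piping the download into sh, the installer can be saved to a file, reviewed, and then run only while it still matches the digest recorded at review time. The file name acme-install.sh and the function names sha256_of and run_if_pinned are assumptions made for this example.

```sh
#!/bin/sh
# Added example: run a saved installer only if it still matches the
# SHA-256 digest recorded when it was reviewed. After sourcing this file:
#
#   curl -fsSL https://get.acme.sh -o acme-install.sh   # save, do not pipe
#   less acme-install.sh                                # review it
#   sha256_of acme-install.sh                           # record the digest
#   run_if_pinned acme-install.sh "<digest recorded after review>"

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 3 (without executing anything) on a
# digest mismatch, otherwise the exit status of the script itself.
run_if_pinned() {
    _file=$1
    _expected=$2
    shift 2
    [ -f "$_file" ] || { echo "missing: $_file" >&2; return 2; }
    _actual=$(sha256_of "$_file") || return 2
    if [ "$_actual" != "$_expected" ]; then
        echo "digest mismatch for $_file, refusing to run" >&2
        echo "  expected: $_expected" >&2
        echo "  actual:   $_actual" >&2
        return 3
    fi
    sh "$_file" "$@"
}
```

The pinned file is only the bootstrap: as the output above shows, it goes on to download master.tar.gz, which this check does not cover. The git clone method below puts the code that actually gets installed on disk before anything runs.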

Clone acme.sh git project

Alternatively, run the commands below, one per line, to clone the acme.sh git project and run its installer.

$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd acme.sh
$ ./acme.sh --install

Whichever method you choose to use, once you see the “Install success!” message, you may close the terminal window and open it again to validate the installation.

To see acme.sh usage information, run the next command.

$ acme.sh -h

You may also run the command below to check the acme.sh version.

$ acme.sh --version

Generate a Certificate

To generate a single certificate for a single domain, run the command below.

Replace yourdomain.com with your registered domain. Also, replace /var/www/yourdomain.com with your domain’s website root folder as appropriate.

$ acme.sh --issue -d yourdomain.com -w /var/www/yourdomain.com

For multiple domains/sub-domains that share the same website root folder, you can run the next command to issue a certificate.

$ acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d test.yourdomain.com -w /var/www/yourdomain.com

Install Certificate on NGINX using acme

After generating the certificate, run the next command to install it on NGINX.

$ acme.sh --install-cert -d yourdomain.com --key-file /path/to/keyfile/in/nginx/key.pem --fullchain-file /path/to/fullchain/nginx/cert.pem --reloadcmd "service nginx force-reload"

All parameters are optional except for the domain. Replace yourdomain.com with your registered domain, and the two file paths with the locations your NGINX configuration reads the key and certificate from.

Certificate Renewal

The certificates will be stored in ~/.acme.sh/yourdomain.com and will automatically renew every 60 days.

But you could also manually renew the certificate if you would like to. Run the command below.

$ acme.sh --renew -d yourdomain.com --force

To stop certificate renewal, run the following.

$ acme.sh --remove -d yourdomain.com
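
As an added example (not from acme.sh or the original tutorial), the shell function below checks the result of the install and renewal steps above: the key file grants nothing to group or other, the key matches the leaf certificate in the fullchain file, and the certificate is not close to expiry. The function name, return codes and 20-day default are assumptions; the default assumes the 90-day lifetime of Let's Encrypt certificates.

```sh
#!/bin/sh
# Added example: check the files written by `acme.sh --install-cert`.
# Needs the openssl CLI and GNU stat (both standard on Ubuntu).

# check_deployed_cert KEY_FILE FULLCHAIN_FILE [MIN_DAYS]
# Return codes: 0 ok, 1 key readable by group/other, 2 key and
# certificate do not match, 3 expiry within MIN_DAYS, 4 unreadable file.
check_deployed_cert() {
    _key=$1
    _chain=$2
    # Assumption: 90-day certificates renewed at day 60 always have
    # 30+ days left, so fewer than 20 means renewal has been failing.
    _days=${3:-20}

    if [ ! -r "$_key" ] || [ ! -r "$_chain" ]; then
        echo "cannot read $_key or $_chain" >&2
        return 4
    fi

    # The private key must grant nothing to group or other (e.g. 600).
    case $(stat -c '%a' "$_key") in
        *00) ;;
        *) echo "key file permissions too open: $_key" >&2; return 1 ;;
    esac

    # The leaf certificate (first in the fullchain file) must carry
    # the public half of the deployed private key.
    _cert_pub=$(openssl x509 -in "$_chain" -noout -pubkey) || return 4
    _key_pub=$(openssl pkey -in "$_key" -pubout) || return 4
    if [ "$_cert_pub" != "$_key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$_chain" -noout -checkend "$(( $_days * 86400 ))" >/dev/null; then
        echo "certificate expires within $_days days" >&2
        return 3
    fi
    return 0
}

# Run as: sh check-cert.sh /path/to/key.pem /path/to/fullchain.pem
if [ "$#" -ge 2 ]; then
    check_deployed_cert "$@"
fi
```

Run it with the same paths given to --key-file and --fullchain-file; a return code of 3 on a host where the cron job is installed points at failing renewals.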

Upgrade acme.sh

It is recommended to always use the latest version of acme.sh. Run the command below to ensure that acme.sh is updated automatically.

$ acme.sh --upgrade --auto-upgrade

To disable automatic upgrade for acme.sh, run the next command.

$ acme.sh --upgrade --auto-upgrade 0

If you would not like acme.sh to be automatically upgraded, then use the command below to manually update it.

$ acme.sh --upgrade

Conclusion

In this guide, we described the steps to obtain and renew free SSL/TLS certificates from Let’s Encrypt by using the acme.sh shell script on Ubuntu. This method is an alternative to using the Certbot tool. We would like to hear about your experience using these tools.
