How to Set Up Nginx with Let's Encrypt using ACME on Ubuntu 20.04

In a previous tutorial, we described how to obtain a free SSL/TLS certificate from Let's Encrypt by using Certbot.

In this tutorial, we would like to show you another way that you can easily obtain and renew a free SSL/TLS certificate from Let's Encrypt by using the acme.sh script on Ubuntu 20.04.

If you do not yet have a working NGINX web server, here is an easy NGINX installation guide that you can follow.

Get acme.sh

The acme.sh shell script automates the issuance and renewal of free certificates from Let's Encrypt. You can get the acme.sh script either by downloading it directly from the web or by cloning its git project.

Download acme.sh from the web

Run either of the two commands below to download and execute the acme.sh installer script.

$ curl https://get.acme.sh | sh

Or

$ wget -O -  https://get.acme.sh | sh

Below is an example of what you can expect when the script executes.

$ wget -O -  https://get.acme.sh | sh
 --2021-02-16 11:55:47--  https://get.acme.sh/
 Resolving get.acme.sh (get.acme.sh)... 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710, 172.67.199.16, ...
 Connecting to get.acme.sh (get.acme.sh)|2606:4700:3032::6815:223e|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [text/html]
 Saving to: ‘STDOUT’
 [ <=>                ]     937  --.-KB/s    in 0s 
 2021-02-16 11:55:47 (11.8 MB/s) - written to stdout [937]
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  204k  100  204k    0     0  3350k      0 --:--:-- --:--:-- --:--:-- 3350k
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first.
 [Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode.
 [Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/.acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/.acme.sh/acme.sh
 [Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc'
 [Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job
 47 0 * * * "/home/shola/.acme.sh"/acme.sh --cron --home "/home/shola/.acme.sh" > /dev/null
 [Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred.
 [Tue 16 Feb 2021 11:55:48 AM UTC] OK
 [Tue 16 Feb 2021 11:55:48 AM UTC] Install success!

Clone acme.sh git project

Alternatively, run the commands below one at a time to clone the acme.sh git project and execute the installer script.

$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd acme.sh
$ ./acme.sh --install

Whichever method you choose, once you see the "Install success!" message, close the terminal window and open it again so that the acme.sh alias added to your shell profile is loaded, then validate the installation.

To see acme.sh usage information, run the next command.

$ acme.sh -h

You may also run the command below to check the acme.sh version.

$ acme.sh --version

Generate a Certificate

To generate a single certificate for a single domain, run the command below.

Replace yourdomain.com with your registered domain. Also, replace /var/www/yourdomain.com with your domain's website root folder as appropriate.

$ acme.sh --issue -d yourdomain.com -w /var/www/yourdomain.com

For multiple domains/sub-domains that share the same website root folder, you can run the next command to issue a certificate.

$ acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d subdomain.yourdomain.com -w /var/www/yourdomain.com

The generated certificates will be stored in ~/.acme.sh/yourdomain.com.

Install Certificate on NGINX using acme.sh

After generating the certificate through the acme.sh script, the next step is to install it on NGINX. First, create a folder where the generated certificate will be copied to.

$ sudo mkdir -p /etc/nginx/certs/yourdomain.com

Run the next command to install the certificate. Do not forget to replace yourdomain.com with your registered domain.

$ acme.sh --install-cert -d yourdomain.com --key-file /etc/nginx/certs/yourdomain.com/key.pem --fullchain-file /etc/nginx/certs/yourdomain.com/cert.pem --reloadcmd "service nginx force-reload"
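Two things commonly go wrong at the issue and install steps: the webroot path handed to -w is not the directory NGINX actually serves, so the challenge token is never reachable, and the certs directory created with sudo is owned by root while acme.sh runs as your unprivileged user, so --install-cert cannot write into it. The following pre-flight script is an added example, not part of the tutorial or of acme.sh; the function names are this example's own, and the demo at the bottom runs on constructed temporary directories rather than the real /var/www/yourdomain.com and /etc/nginx/certs/yourdomain.com paths.

```shell
#!/bin/sh
# Added example (not from the original tutorial or acme.sh): pre-flight checks
# to run before "acme.sh --issue ... -w WEBROOT" and "acme.sh --install-cert".
# Function names are this example's own.

# acme.sh's webroot mode writes the challenge token under
# WEBROOT/.well-known/acme-challenge/ and Let's Encrypt fetches it over plain
# HTTP on port 80. This checks that the directory can be created under the
# webroot and that a token written there is readable, as the web server will
# read it. Returns 0 on success, 1 otherwise.
webroot_challenge_ready() {
    webroot="$1"
    dir="$webroot/.well-known/acme-challenge"
    token="$dir/preflight-$$"        # constructed test token name
    mkdir -p "$dir" || return 1
    printf 'preflight\n' > "$token" || return 1
    [ -r "$token" ] || { rm -f "$token"; return 1; }
    rm -f "$token"
    return 0
}

# "sudo mkdir -p /etc/nginx/certs/yourdomain.com" leaves the directory owned
# by root, but "acme.sh --install-cert" runs as the user that installed
# acme.sh and must be able to create files there. Returns 0 when the current
# user can write into DIR, 1 otherwise (including when DIR does not exist).
cert_dir_writable() {
    dir="$1"
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# Run both checks and report; returns non-zero if any check fails.
preflight() {
    webroot="$1"
    certdir="$2"
    status=0
    if webroot_challenge_ready "$webroot"; then
        echo "ok:   $webroot/.well-known/acme-challenge can hold a challenge token"
    else
        echo "FAIL: cannot place a challenge token under $webroot"
        status=1
    fi
    if cert_dir_writable "$certdir"; then
        echo "ok:   $certdir is writable by $(id -un)"
    else
        echo "FAIL: $certdir is not writable by $(id -un); fix ownership before --install-cert"
        status=1
    fi
    return $status
}

# Stand-alone demo on constructed temporary directories. On a real server you
# would pass /var/www/yourdomain.com and /etc/nginx/certs/yourdomain.com.
demo_webroot=$(mktemp -d)
demo_certdir=$(mktemp -d)
preflight "$demo_webroot" "$demo_certdir"
rm -rf "$demo_webroot" "$demo_certdir"
```

If the second check fails on a real server, the usual fix is to give your user ownership of the certs directory (for example with chown) rather than running acme.sh as root; the --reloadcmd in the install command still needs permission to reload NGINX, which is why the tutorial uses a service command there.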

Update NGINX Server Block File

The final step is to update the server block file for your domain to include the SSL-related directives.
Run the command below to edit the server block file.

$ sudo nano /etc/nginx/sites-available/yourdomain.com

Next, add the following lines.

listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/nginx/certs/yourdomain.com/cert.pem;
ssl_certificate_key /etc/nginx/certs/yourdomain.com/key.pem;

After the additions, your server block file should look like what you see in the image below. The new additions are highlighted in red. Also, notice that the listen directives for port 80 have been commented out.

Update NGINX server block file to use SSL

Save changes and close the file.
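As an added example (not the tutorial's own screenshot), here is a complete server block for yourdomain.com using the same certificate paths as the --install-cert command above. Where the tutorial comments out the port 80 listen directives, this example instead keeps a small HTTP listener that serves only the ACME challenge directory and redirects everything else to HTTPS: Let's Encrypt's http-01 validation always starts on port 80, so if nothing listens there the automatic renewal later in this guide will fail. The ssl_protocols line is an addition of this example, not something the tutorial sets.

```nginx
# Added example; replace yourdomain.com and the webroot as in the rest of the guide.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # Keep the ACME challenge directory reachable over plain HTTP so that
    # "acme.sh --issue ... -w /var/www/yourdomain.com" and the cron renewal work.
    location /.well-known/acme-challenge/ {
        root /var/www/yourdomain.com;
    }

    # Send every other request to the HTTPS server block.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.html;

    # cert.pem holds the full chain written by --fullchain-file; key.pem the private key.
    ssl_certificate     /etc/nginx/certs/yourdomain.com/cert.pem;
    ssl_certificate_key /etc/nginx/certs/yourdomain.com/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # added here: disable legacy TLS versions

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before restarting NGINX, run sudo nginx -t to syntax-check the configuration; a typo in the certificate path would otherwise take the site down on restart.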

Restart NGINX with:

$ sudo systemctl restart nginx

Visit your website in a browser to confirm that secure communication is now enabled.

Certificate Renewal

The cron job installed by acme.sh will automatically renew the certificates every 60 days.

But you could also manually renew the certificate if you would like to. Run the command below.

$ acme.sh --renew -d yourdomain.com --force
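After an install or a forced renewal it is worth confirming that the files NGINX was pointed at really belong together and that the automatic renewal is keeping up. The script below is an added example, not part of the tutorial or of acme.sh; it relies on the openssl command-line tool, its function names are its own, and the demo generates a constructed self-signed certificate pair in a temporary directory in place of the real /etc/nginx/certs/yourdomain.com files.

```shell
#!/bin/sh
# Added example (not from the original tutorial or acme.sh): verify what
# "acme.sh --install-cert" put in place and whether a renewal is overdue.
# Requires the openssl command-line tool. Function names are this example's own.

# Return 0 if the public key inside CERT matches the private key in KEY.
# CERT may be the full chain: "openssl x509" reads only the first (leaf) cert.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT expires within DAYS days, 1 if it stays valid longer,
# 2 if the file cannot be parsed. Let's Encrypt certificates are valid for
# 90 days and acme.sh renews them at 60 days, so fewer than 30 days left
# means the renewal cron job has not been running.
cert_expires_within_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    seconds=$((days * 86400))
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1    # checkend exits 0 when the cert is still valid past the window
    fi
    return 0
}

# Report on an installed pair; returns non-zero if anything needs attention.
check_installed() {
    cert="$1"; key="$2"
    status=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok:   certificate and private key match"
    else
        echo "FAIL: $cert does not match $key (re-run acme.sh --install-cert)"
        status=1
    fi
    if cert_expires_within_days "$cert" 30; then
        echo "WARN: $cert expires within 30 days; check the cron job or run acme.sh --renew --force"
        status=1
    else
        echo "ok:   more than 30 days of validity left"
    fi
    openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null
    return $status
}

# Constructed demo data: a self-signed pair valid for DAYS days, standing in
# for the key.pem/cert.pem that acme.sh writes to /etc/nginx/certs/yourdomain.com.
make_demo_pair() {
    dir="$1"; days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=yourdomain.com" -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        >/dev/null 2>&1
}

# Stand-alone demo: a pair with only 10 days left triggers the renewal warning.
demo=$(mktemp -d)
make_demo_pair "$demo" 10
check_installed "$demo/cert.pem" "$demo/key.pem"
rm -rf "$demo"
```

On a real server call check_installed with the two paths from the --install-cert command; a mismatch typically means the key file was regenerated by a later --issue without the corresponding --install-cert being run again.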

To stop renewing a certificate, run the following. This removes the certificate from acme.sh's renewal list; the certificate files already on disk are left in place.

$ acme.sh --remove -d yourdomain.com

Upgrade acme.sh

It is recommended to always use the latest version of acme.sh. Run the command below to ensure that acme.sh is updated automatically.

$ acme.sh --upgrade --auto-upgrade

To disable automatic upgrade for acme.sh, run the next command.

$ acme.sh --upgrade --auto-upgrade 0

If you prefer not to enable automatic upgrades, use the command below to upgrade acme.sh manually.

$ acme.sh --upgrade

Conclusion

In this guide, we described the steps to obtain and renew free SSL/TLS certificates from Let's Encrypt by using the acme.sh shell script on Ubuntu. This method is an alternative to using the Certbot tool. We would like to hear about your experience using these tools.
