Install acme.sh
wget -O - https://get.acme.sh | sh
source ~/.bashrc
Issue a certificate
Method 1 : use the same folder to validate all acme challenges
At first create a new file acme.conf in the folder /etc/nginx/common/ with the following content :
location /.well-known/acme-challenge/ {
alias /var/www/html/.well-known/acme-challenge/;
}
Then set www-data as owner of the folder /var/www/html :
chown -R www-data:www-data /var/www/html
The last step is to include acme.conf in your nginx vhost, by adding the following line :
include common/acme.conf;
Reload nginx with the command service nginx reload and you can now issue your first cert with acme.sh :
# domain
acme.sh --issue -d example.com -w /var/www/html
# domain + www
acme.sh --issue -d example.com -d www.example.com -w /var/www/html
# SAN mode
acme.sh --issue -d example.com -d www.example.com -d dev.example.com -w /var/www/html
# ECDSA Certificates (384 Bits)
acme.sh --issue -d yourdomain.tld -d www.yourdomain.tld -d blog.yourdomain.tld --keylength ec-384 -w /var/www/html
Method 2 : use Cloudflare DNS API
Configure your API credentials (the values below are placeholders) :
export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
export CF_Email="hi@acme.sh"
# domain
acme.sh --issue -d example.com --dns dns_cf
# domain + www
acme.sh --issue -d example.com --dns dns_cf -d www.example.com
# SAN mode
acme.sh --issue -d example.com --dns dns_cf -d www.example.com -d dev.example.com
# ECDSA Certificates (384 Bits)
acme.sh --issue -d yourdomain.tld -d www.yourdomain.tld -d blog.yourdomain.tld --keylength ec-384 --dns dns_cf
Install your SSL certificate in Nginx
DO NOT use the cert files in the ~/.acme.sh/ folder directly : they are for internal use only and the folder structure may change in the future.
Create a folder to store your certs in production
mkdir -p /etc/nginx/acme.sh/yourdomain.tld
Then use the command --install-cert to copy your certs with acme.sh (the --reloadcmd is run again after every automatic renewal) :
# for RSA certs
acme.sh --install-cert -d yourdomain.tld \
--cert-file /etc/nginx/acme.sh/yourdomain.tld/cert.pem \
--key-file /etc/nginx/acme.sh/yourdomain.tld/key.pem \
--fullchain-file /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"
# for ECDSA certs
acme.sh --install-cert -d yourdomain.tld --ecc \
--cert-file /etc/nginx/acme.sh/yourdomain.tld/cert.pem \
--key-file /etc/nginx/acme.sh/yourdomain.tld/key.pem \
--fullchain-file /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"
Then you just have to add the certificates in your nginx configuration.
Create two files, the first one to add your SSL certificate with the following content :
# /var/www/yourdomain.tld/conf/nginx/ssl.conf
listen 443 ssl http2;
listen [::]:443 ssl http2;
# "ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1 ; the ssl parameter on the listen lines above is enough
ssl_certificate /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/yourdomain.tld/key.pem;
ssl_trusted_certificate /etc/nginx/acme.sh/yourdomain.tld/cert.pem;
And the other one for the redirection from http to https :
# /etc/nginx/conf.d/forcessl-yourdomain-tld.conf
server {
listen 80;
listen [::]:80;
server_name www.yourdomain.tld yourdomain.tld;
return 301 https://yourdomain.tld$request_uri;
}
Certificates Renewal
All the certs will be renewed automatically every 60 days. But you can also force renewal using the following commands :
# RSA certs
acme.sh --renew -d example.com --force
# ECDSA certs
acme.sh --renew -d example.com --force --ecc
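A small post-install check for the files written by --install-cert (and rewritten on every renewal, before --reloadcmd runs). This is an added example, not part of acme.sh or the original post; it assumes the /etc/nginx/acme.sh/yourdomain.tld layout from above and that openssl is installed. It verifies that fullchain.pem and key.pem belong together, that key.pem is not world-readable, and that the leaf certificate is still valid for a minimum number of days :

```shell
#!/bin/sh
# check_cert_install.sh (added example, not part of acme.sh)
# Usage: check_cert_install /etc/nginx/acme.sh/yourdomain.tld [min_days]
set -u

# 0 when the first certificate in $1 carries the public key of private key $2.
# Works for RSA and ECDSA keys because both are compared in PEM SubjectPublicKeyInfo form.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# 0 when the file has no permission bits for "other" (e.g. 0600 or 0640).
# GNU/busybox stat first, BSD/macOS stat as fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case $mode in
        *0) return 0 ;;   # last octal digit is the "other" class
        *)  return 1 ;;
    esac
}

# 0 when the leaf certificate does not expire within $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all checks on one install directory; prints each failure, returns 1 if any failed.
check_cert_install() {
    dir=$1
    min_days=${2:-30}
    rc=0
    cert_matches_key "$dir/fullchain.pem" "$dir/key.pem" \
        || { echo "FAIL: key.pem does not match fullchain.pem in $dir"; rc=1; }
    key_is_private "$dir/key.pem" \
        || { echo "FAIL: key.pem in $dir is readable by other users"; rc=1; }
    cert_valid_for_days "$dir/fullchain.pem" "$min_days" \
        || { echo "FAIL: certificate in $dir expires within $min_days days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return $rc
}
```

Running it from cron (or as part of --reloadcmd before the nginx reload) turns a silently broken renewal into an alert instead of an expired site.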
