How to set up Nginx with Let’s Encrypt with ACME on Ubuntu 20.04

In a previous tutorial, we described how to get a free SSL / TLS certificate from Let’s Encrypt using Certbot.

In this tutorial, we show another way to obtain and renew a free SSL / TLS certificate from Let’s Encrypt: the acme.sh script on Ubuntu 20.04.

If you don’t already have a working NGINX web server, here is a simple NGINX installation guide to follow.

Get acme.sh

The acme.sh shell script automates the issuance and renewal of free Let’s Encrypt certificates. You can get the acme.sh script either by downloading it directly from the web or by cloning the Git project.

Download acme.sh from the Internet

Run either of the following two commands to download and run the acme.sh script.

$ curl https://get.acme.sh | sh

or

$ wget -O - https://get.acme.sh | sh

Below is an example of what to expect when the script runs.


$ wget -O -  https://get.acme.sh | sh
 --2021-02-16 11:55:47--  https://get.acme.sh/
 Resolving get.acme.sh (get.acme.sh)… 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710, 172.67.199.16, …
 Connecting to get.acme.sh (get.acme.sh)|2606:4700:3032::6815:223e|:443… connected.
 HTTP request sent, awaiting response… 200 OK
 Length: unspecified [text/html]
 Saving to: ‘STDOUT’
 [ <=>                ]     937  --.-KB/s    in 0s 
 2021-02-16 11:55:47 (11.8 MB/s) - written to stdout [937]
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
 100  204k  100  204k    0     0  3350k      0 --:--:-- --:--:-- --:--:-- 3350k
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz
 [Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first.
 [Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode.
 [Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning.
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/.acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/.acme.sh/acme.sh
 [Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc'
 [Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using acme.sh
 [Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job
 47 0 * * * "/home/shola/.acme.sh"/acme.sh --cron --home "/home/shola/.acme.sh" > /dev/null
 [Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred.
 [Tue 16 Feb 2021 11:55:48 AM UTC] OK
 [Tue 16 Feb 2021 11:55:48 AM UTC] Install success!

Clone acme.sh Git project

Alternatively, run the following commands one line at a time to clone the acme.sh Git project and run the script.

$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd acme.sh
$ ./acme.sh --install

Whichever method you choose, once you see the “Install success!” message, close the terminal window and reopen it to confirm the installation.

Run the next command to view acme.sh usage information.

$ acme.sh -h

You can also run the following command to check the version of acme.sh.

$ acme.sh --version

Create a certificate

Run the following command to generate a single certificate for a single domain.

Substitute yourdomain.com with your registered domain. Also replace /var/www/yourdomain.com with the root folder of your domain’s website.

$ acme.sh --issue -d yourdomain.com -w /var/www/yourdomain.com

For multiple domains / subdomains using the same website root folder, you can run the next command to issue a certificate.

$ acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d subdomain.yourdomain.com -w /var/www/yourdomain.com

The generated certificates are saved in ~/.acme.sh/yourdomain.com.

Install the certificate on NGINX with acme

After generating the certificate via the acme.sh script, the next step is to install it on NGINX. First, create a folder in which the generated certificate will be copied.

$ sudo mkdir -p /etc/nginx/certs/yourdomain.com

Run the next command to install the certificate. Don’t forget to replace yourdomain.com with your registered domain.

$ acme.sh --install-cert -d yourdomain.com --key-file /etc/nginx/certs/yourdomain.com/key.pem --fullchain-file /etc/nginx/certs/yourdomain.com/cert.pem --reloadcmd "service nginx force-reload"
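
A check you can run after the install step, as an added example that is not part of the original tutorial: it confirms that the key belongs to the certificate, that the key file is closed to group and others, and that the certificate is not close to expiry. The function names and the 14-day default are assumptions, and make_sample_pair builds a throwaway self-signed pair as constructed test input.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are
# hypothetical; the openssl, ls and cut options used are standard.

# Succeeds when the certificate and the private key share one public key.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when group and others have no permission bits on the key file.
key_is_private() {     # usage: key_is_private KEY
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds when the certificate is still valid DAYS days from now.
cert_valid_for() {     # usage: cert_valid_for CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all checks, prints one line per failure, returns the failure count.
check_install() {      # usage: check_install CERT KEY [MIN_DAYS, assumed 14]
    fails=0
    cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate"; fails=$((fails + 1)); }
    key_is_private "$2" || { echo "FAIL: key is accessible to group/others"; fails=$((fails + 1)); }
    cert_valid_for "$1" "${3:-14}" || { echo "FAIL: expires within ${3:-14} days"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample input: a throwaway self-signed pair valid for DAYS days.
make_sample_pair() {   # usage: make_sample_pair DIR DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=yourdomain.com" \
        -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone use: pass the cert.pem and key.pem paths from --install-cert.
if [ "$#" -ge 2 ]; then
    check_install "$@"
fi
```

Run it with the two paths given to --fullchain-file and --key-file; the exit status is the number of failed checks.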

Update NGINX server block file

The final step is to update the server block file for your domain to include the SSL-related directives. Run the following command to edit the server block file.

$ sudo nano /etc/nginx/sites-available/yourdomain.com

Next, add the following lines.

listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/nginx/certs/yourdomain.com/cert.pem;
ssl_certificate_key /etc/nginx/certs/yourdomain.com/key.pem;

After the additions, your server block file should look like the image below. The new additions are marked in red. Also note that the listen directives for port 80 have been commented out.


Update the NGINX server block file to use SSL
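
The screenshot is not reproduced here, so the server block below is an added example, not the author's file: it uses the four directives listed above, and the server_name, root, index and try_files lines are assumptions. Unlike the description above, it keeps a port 80 block that serves only the ACME challenge path and redirects everything else, because Let’s Encrypt fetches the webroot (-w) validation file over port 80 at issuance and at every renewal.

```nginx
# Added example. yourdomain.com, the web root and the index/try_files
# lines are assumptions; adapt them to your site.

# Port 80: answer the ACME HTTP-01 challenge, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;

    # acme.sh -w /var/www/yourdomain.com writes its token files under
    # this path inside the web root.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/yourdomain.com;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the site itself, using the files written by --install-cert.
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    root /var/www/yourdomain.com;
    index index.html;

    ssl_certificate     /etc/nginx/certs/yourdomain.com/cert.pem;
    ssl_certificate_key /etc/nginx/certs/yourdomain.com/key.pem;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run sudo nginx -t before restarting so that a syntax error or a wrong certificate path is reported without taking the site down.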

Save your changes and close the file.

Restart NGINX with:

$ sudo systemctl restart nginx

Visit your website in a browser to confirm that secure communications are now enabled.

Certificate renewal

The certificates issued by Let’s Encrypt are automatically renewed every 60 days.

You can also renew the certificate manually if you want. Run the following command.

$ acme.sh --renew -d yourdomain.com --force

Do the following to stop the certificate renewal.

$ acme.sh --remove -d yourdomain.com

Update acme.sh

It is recommended that you always use the latest version of acme.sh. Run the following command to ensure that acme.sh is updated automatically.

$ acme.sh --upgrade --auto-upgrade

Run the next command to turn off auto upgrade for acme.sh.

$ acme.sh --upgrade --auto-upgrade 0

If you don’t want acme.sh to be updated automatically, use the following command to update it manually.

$ acme.sh --upgrade

Conclusion

In this guide, we have described the steps to get and renew free SSL / TLS certificates from Let’s Encrypt by using the acme.sh shell script on Ubuntu. This method is an alternative to using the Certbot tool. We’d love to hear about your experience with these tools.