Nginx automatically applies for/renews SSL certificates in combination with acme.sh (let's encrypt)
![Nginx automatically applies for/renews SSL certificates in combination with acme.sh (let's encrypt) Nginx automatically applies for/renews SSL certificates in combination with acme.sh (let's encrypt)](http://up-free-imgs.azimiao.com/wp-content/uploads/2020/05/earth-net.jpg)
preparation
1. Install acme.sh
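# Fetch the installer into a file instead of piping it straight into sh:
# -f turns an HTTP error into a failure rather than passing an error page to
# the shell, and a truncated transfer is never executed half-way. Having the
# file on disk also lets you read the script before running it.
installer="$(mktemp)"
curl -fsS https://get.acme.sh -o "$installer" && sh "$installer"
rm -f -- "$installer"
# Shortcut for the current shell session; acme.sh is installed under ~/.acme.sh
alias acme.sh=~/.acme.sh/acme.sh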
2. Install Nginx
# Install nginx from the distribution packages.
sudo apt install nginx
# Stop nginx for now; the standalone issue step below needs to listen on the
# HTTP port itself (presumably port 80 - confirm nothing else is bound to it).
sudo service nginx stop
Apply for certificate
1. Only issue and automatically renew the certificate (standalone mode, without using nginx as the web server)
# Standalone mode: acme.sh answers the validation request itself on port 80,
# which is why nginx was stopped in the preparation step.
acme.sh --issue -d azimiao.com --standalone
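The issued files are stored at: ~/.acme.sh/azimiao.com/file. This directory also holds the private key and is meant for acme.sh's own use; copy the files out with `--install-cert` rather than pointing a server at this directory.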
2. Issue and automatically renew the SSL certificate using the existing Nginx configuration
# Plain-HTTP server block for the domain. The `acme.sh --issue --nginx` step
# that follows works against this configuration.
server {
    listen 80;
    server_name azimiao.com;

    root /somedir/somedir2;
    index index.html index.htm;

    access_log /dev/somdir;
    error_log /var/log/nginx/somdir warn;

    # Serve the stock static page for server errors.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # Never serve .ht* files (e.g. leftover .htaccess / .htpasswd).
    location ~ /\.ht {
        deny all;
    }

    location / {
        index index.html;
    }
}
# Issue the certificate in nginx mode; nginx must be running with the
# server block for this domain loaded.
acme.sh --issue -d azimiao.com --nginx
# To make acme.sh read only one configuration file, pass its path:
# acme.sh --issue -d example.com --nginx /etc/nginx/conf.d/example.com.conf
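# Copy the issued key and full chain to the paths nginx will read, and
# register the reload command so nginx picks up the new files after each
# renewal. Each backslash must be the last character on its line.
# The key file is the site's private key: keep the target directory
# readable only by root (the nginx master process reads it at start-up).
acme.sh --install-cert -d azimiao.com \
  --key-file /path/to/keyfile/in/nginx/azimiao.com.key \
  --fullchain-file /path/to/fullchain/nginx/azimiao.com.cert \
  --reloadcmd "service nginx force-reload"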
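# HTTPS server block using the files installed by `acme.sh --install-cert`.
server {
    listen 443 ssl http2;
    server_name azimiao.com;

    root /somedir/somedir2;
    index index.html index.htm;

    access_log /dev/somdir;
    error_log /var/log/nginx/somdir warn;

    # Same paths as --fullchain-file / --key-file in the install-cert command.
    ssl_certificate /path/to/fullchain/nginx/azimiao.com.cert;
    ssl_certificate_key /path/to/keyfile/in/nginx/azimiao.com.key;

    ssl_prefer_server_ciphers on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; remove it
    # from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # The RC4 entry is dropped (the list already excludes it with !RC4) and
    # "! aNULL" is written as "!aNULL" so the exclusion is parsed as one token.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

    # "always" sends the HSTS header on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    location / {
        index index.html;
    }
}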
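# Check the configuration first so a typo in the new server block does not
# take the site down, then restart.
sudo nginx -t && sudo service nginx restart
# Reload the configuration without a full restart:
# sudo service nginx force-reload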
verification
crontab -l
4 0 * * * "/home/username/.acme.sh"/acme.sh --cron --home "/home/username/.acme.sh" > /dev/null
Stop automatic renewal
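# List the domain names whose certificates are renewed automatically:
acme.sh --list
# Remove the corresponding domain name from the renewal list.
# This only stops renewal: the certificate and key files stay on disk
# (under ~/.acme.sh/azimiao.com and wherever --install-cert copied them),
# so delete them yourself if the key should no longer exist.
acme.sh --remove -d azimiao.com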
# Edit the user's crontab; deleting the "acme.sh --cron" line shown by
# `crontab -l` turns off the scheduled renewal run for every domain.
crontab -e