Debian 7: Secure Nginx with acme.sh and LetsEncrypt

I have an old Debian 7.11 box that needs an SSL certificate renewed. I want to replace the existing, manually installed certificate issued by Comodo.

You can check the expiry date with something like:

echo | openssl s_client -connect pikedom.com:443 | openssl x509 -noout -dates

Given the age of the operating system and being EOF, I don’t want to use apt-get as its unlikely to work. Here I will install it manually with the assistance of acme.sh, which has zero dependencies. To install it:

curl https://get.acme.sh | sh

This will:

  1. Create a directory ~/.acme.sh/ where all certs will be stored.
  2. Create an alias for acme.sh=~/.acme.sh/acme.sh
  3. And create a cronjob to check and renew certs.

You can check the cronjob was created with:

[email protected]:~# crontab -l
55 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

As I already have a web server, Nginx, running, I will be using acme.sh in webroot mode. First I need to configure Nginx with a location directive for the LetsEncrypt certificate challenge to use.

[email protected]:~# vim /etc/nginx/snippets/letsencrypt-webroot

Make sure the web root is correct for you:

location /.well-known/acme-challenge/ {
  alias /var/www/prod/.well-known/acme-challenge/;
}

Edit the main configuration file to make Nginx aware of this directive.

[email protected]:~# vim /etc/nginx/sites-available/pikedom.com.conf

Add the web root line:

server {
    # Rewrite to correct server name
    listen 443 ssl default_server;
...
...
    # acme.sh dir
    include snippets/letsencrypt-webroot;
    }
}

Do a quick configuration test for errors:

[email protected]:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart the Nginx service.

[email protected]:~# service nginx restart
[ ok ] Restarting nginx: nginx.

You will also need to logout from your SSH session and then back in. Otherwise you’ll get a “command not found” error when trying to use acme.sh.

[email protected]:~# exit

Once logged back in, we can issue the certificates. Here I issue one covering two domains:

[email protected]:~# acme.sh --issue -d pikedom.com -d www.pikedom.com --webroot /var/www/prod/

If this was successful, you should see output similar to the following:

[Fri Jul  3 18:58:16 UTC 2020] Cert success.
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[Fri Jul  3 18:58:16 UTC 2020] Your cert is in  /root/.acme.sh/pikedom.com/pikedom.com.cer 
[Fri Jul  3 18:58:16 UTC 2020] Your cert key is in  /root/.acme.sh/pikedom.com/pikedom.com.key 
[Fri Jul  3 18:58:16 UTC 2020] The intermediate CA cert is in  /root/.acme.sh/pikedom.com/ca.cer 
[Fri Jul  3 18:58:16 UTC 2020] And the full chain certs is there:  /root/.acme.sh/pikedom.com/fullchain.cer

Edit the main configuration file.

[email protected]:~# vim /etc/nginx/sites-available/pikedom.com.conf

And comment out the old entries and enter the following new entries:

server {
    listen 443 ssl;

    # Enable this if using HTTPS
    add_header Strict-Transport-Security "max-age=63072000";

    server_name www.pikedom.com;

    ...

    ## Server certificate and key.
    ssl_certificate /var/www/prod/certs/pikedom.com.fullchain.pem;
    ssl_certificate_key /var/www/prod/certs/pikedom.com.key.pem;

    # disabled old entries:
    #ssl_certificate /etc/ssl/certs/pikedom.com.comodo.fullchain.crt;
    #ssl_certificate_key /etc/ssl/private/pikedom.com.comodo.key;

    ...
}

Check the configuration file for typos:

[email protected]:~# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And finally restart nginx:

[email protected]:~# service nginx restart
[ ok ] Restarting nginx: nginx.

You can check the new cert with the below command from a Linux workstation.

echo | openssl s_client -connect pikedom.com:443 | openssl x509 -noout -dates

That’s it!  The cert should renew every 60 days.

Be the first to comment

Leave a Reply