Automate Let's Encrypt on a Cloud Server with acme.sh


The Let’s Encrypt certificate authority issues TLS certificates for servers free of charge and through an automated protocol (ACME). The trade-off is the short validity period of the certificates, which is compensated by running software on the server that renews them automatically. acme.sh is one such client: it is essentially a shell script that relies only on standard Linux tools. In this article we show, as an example, how to set up acme.sh on a hosting.fr Cloud server with Apache or Nginx as the web server. An alternative is certbot, which requires Python but is more convenient; its installation is described in a separate article.

Prerequisites

  • You have a hosting.fr Cloud server and a domain whose DNS A record (and AAAA record, if the server has an IPv6 address) points to it, for example mustermann-domain.de. Let’s Encrypt validates the domain over HTTP, so the record must resolve publicly before you request a certificate.

  • The server’s operating system is a recent version of Debian or Ubuntu.

Installing Apache or Nginx

This guide works with either Apache or Nginx as the web server. To use Apache, install it with the following commands if it is not already present:

apt update
apt install apache2

For Nginx, replace the apache2 package with the nginx package.

For the server to be reachable from the Internet, ports 80 and 443 must be open in the firewall. Port 80 is required even if the site itself only serves HTTPS, because Let’s Encrypt’s HTTP-01 validation request arrives on port 80.

Installing acme.sh

The acme.sh script can be installed with the following command (it downloads the installer and runs it immediately; if you prefer to inspect what runs as root, download the script first and read it, or clone the acme.sh repository from GitHub and run ./acme.sh --install):

curl https://get.acme.sh | sh

The commands in this guide write to /etc/apache2 or /etc/nginx and reload the web server, so run the installation as root; the renewal cron job that the installer registers then runs as root as well. The installer adds an alias for acme.sh to your shell’s startup file; start a new shell (type bash, or zsh if that is your shell) so that the acme.sh command becomes available. Note that since version 3.0, acme.sh uses ZeroSSL as its default CA. To obtain Let’s Encrypt certificates as described here, set the default once with acme.sh --set-default-ca --server letsencrypt, or pass --server letsencrypt to each --issue command.

An Example Configuration for Apache

To request a certificate, the following command can be used in Apache mode. acme.sh temporarily adds the ACME challenge location to the running Apache configuration, answers Let’s Encrypt’s HTTP-01 validation on port 80 and restores the configuration afterwards, so Apache must already be running:

acme.sh --issue --apache -d mustermann-domain.de

The -d parameter specifies the domain name for which you want to request a certificate. Several names can be included in one certificate by repeating -d; the first one becomes the certificate’s main name and the name of its storage directory. acme.sh keeps its own copy of the key and certificate under ~/.acme.sh/ in a subdirectory named after that domain, with an _ecc suffix when an ECC key was used (current acme.sh releases default to ec-256; RSA can be chosen with --keylength 2048). Do not point the web server at these files directly: acme.sh overwrites them on renewal. Use --install-cert, as shown next, to copy them to a location of your choice.

A directory must be created where the certificates for Apache will be stored. Since the private key will be placed there, restrict it to root (chmod 700), for example:

mkdir /etc/apache2/ssl/

Then, you can install the certificates in the new directory with acme.sh. --install-cert copies the files to the given paths and records both the paths and the --reloadcmd in the domain’s configuration, so every future automatic renewal repeats the copy and the reload. --cert-file receives the leaf certificate alone and --fullchain-file the leaf plus the intermediate chain; the web server should be given the full chain. Add --ecc to the command if the certificate was issued with an ECC key:

acme.sh --install-cert -d mustermann-domain.de \
--cert-file /etc/apache2/ssl/mustermann-domain.de-cert.pem \
--key-file /etc/apache2/ssl/mustermann-domain.de-key.pem \
--fullchain-file /etc/apache2/ssl/letsencrypt.pem \
--reloadcmd "systemctl reload apache2"

Then, the Apache web server configuration must be modified to use the certificates. On a fresh Debian installation, first remove the default site, i.e. all files and symbolic links in the /etc/apache2/sites-enabled/ directory:

rm /etc/apache2/sites-enabled/*

You can then create the file /etc/apache2/sites-available/mustermann.conf with the following content:

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    ServerName mustermann-domain.de
    # redirect all plain-HTTP requests to HTTPS; Let's Encrypt follows this
    # redirect during validation, and acme.sh's --apache mode adds the
    # challenge alias itself while a certificate is being issued
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName mustermann-domain.de
    DocumentRoot /var/www/html
    SSLEngine on

    # the --fullchain-file written by acme.sh (leaf certificate plus intermediates);
    # since Apache 2.4.8 the chain belongs in SSLCertificateFile and
    # SSLCertificateChainFile is deprecated
    SSLCertificateFile      /etc/apache2/ssl/letsencrypt.pem
    SSLCertificateKeyFile   /etc/apache2/ssl/mustermann-domain.de-key.pem

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required), 63072000 seconds = 2 years
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# intermediate configuration (Mozilla profile), adjust as needed
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

# OCSP stapling; only useful while the certificate carries an OCSP URL
# (Let's Encrypt has announced that it is retiring its OCSP service)
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"

This configuration needs the ssl, socache_shmcb, rewrite and headers modules. They can be enabled with the command

a2enmod ssl socache_shmcb rewrite headers

The new site must then be enabled in Apache with the following command; afterwards check the configuration with apachectl configtest and reload Apache with systemctl reload apache2, the same command that acme.sh will run as --reloadcmd on every renewal:

a2ensite mustermann

An Example Configuration for nginx

To request a certificate using the nginx web server, the command is analogous to the Apache one. Nginx mode temporarily inserts the challenge location into the server block whose server_name contains the domain; if acme.sh reports that it cannot find a configuration for the domain, add a server_name mustermann-domain.de; line to the active server block first:

acme.sh --issue --nginx -d mustermann-domain.de

A directory must be created where the certificates for Nginx will be stored; as with Apache, restrict it to root (chmod 700) because the private key will be placed there, for example:

mkdir /etc/nginx/ssl/

Then, you can install the certificates in the new directory with acme.sh (add --ecc for an ECC certificate); the paths and the reload command are remembered and repeated on every renewal:

acme.sh --install-cert -d mustermann-domain.de \
--cert-file /etc/nginx/ssl/mustermann-domain.de-cert.pem \
--key-file /etc/nginx/ssl/mustermann-domain.de-key.pem \
--fullchain-file /etc/nginx/ssl/letsencrypt.pem \
--reloadcmd "systemctl reload nginx"

Then, the nginx configuration must be adjusted to use the requested certificates. On a fresh Debian installation, first remove the default site, i.e. all files and symbolic links in /etc/nginx/sites-enabled:

rm /etc/nginx/sites-enabled/*

Then create the file /etc/nginx/sites-available/mustermann.conf. A simple version might look like this:

server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name mustermann-domain.de;

        # redirect everything to HTTPS; Let's Encrypt follows this redirect during
        # validation, and acme.sh's --nginx mode inserts the challenge location itself
        return 301 https://$host$request_uri;
}

server {
        # on nginx 1.25.1 and later the "http2" listen parameter is deprecated
        # in favour of a separate "http2 on;" directive
        listen                  443 ssl http2;
        listen                  [::]:443 ssl http2;
        server_name             mustermann-domain.de;

        root                    /var/www/html;

        # the --fullchain-file written by acme.sh (leaf certificate plus intermediates)
        ssl_certificate         /etc/nginx/ssl/letsencrypt.pem;
        ssl_certificate_key     /etc/nginx/ssl/mustermann-domain.de-key.pem;

        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        ssl_protocols           TLSv1.2 TLSv1.3;
        ssl_ciphers             ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # HSTS for two years; "always" sends the header on error responses too.
        # includeSubDomains commits every subdomain to HTTPS, so drop it if any
        # subdomain is still served over plain HTTP.
        add_header              Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

        # OCSP stapling; verification needs the issuer chain configured via
        # ssl_trusted_certificate and a resolver directive, and only works while
        # the certificate carries an OCSP URL (Let's Encrypt is retiring OCSP)
        ssl_stapling on;
        ssl_stapling_verify on;
}

Then create a symbolic link to the configuration file in the /etc/nginx/sites-enabled directory:

cd /etc/nginx/sites-enabled/
ln -s ../sites-available/mustermann.conf

Finally, check the configuration with nginx -t and reload nginx to activate it (a reload is sufficient and does not drop open connections; it is also the command acme.sh runs as --reloadcmd on renewal):

systemctl reload nginx.service

Test

To test the certificates configured in the web servers, you can use the Qualys SSL Labs test. A score of “A+” should be achieved; it requires the HSTS header that both configurations set. Also check in the report that the certificate chain is complete (no “chain issues”), which confirms that the web server was given the full-chain file and not only the leaf certificate.

Let’s Encrypt certificates are valid for 90 days. The acme.sh installer registers a cron job (visible with crontab -l) that runs acme.sh --cron once a day; it renews each certificate once it is 60 days old and then repeats the --install-cert copy and the --reloadcmd. Verify the setup at least once before the first renewal is due: acme.sh --list shows the next renewal date, and acme.sh --renew -d mustermann-domain.de --force performs a renewal immediately so that you can confirm the web server serves the new certificate afterwards. A monitoring check on the certificate’s remaining lifetime catches the case where a renewal silently fails.
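The following script is an added example and is not part of the original article or of acme.sh itself. It performs the check recommended above from cron or a monitoring agent: it compares the copy in ~/.acme.sh with the file the web server loads (to catch a --install-cert hook that did not run), then computes how many days are left both on the deployed file and on the certificate the running server actually presents (to catch a reload that did not happen). The DOMAIN, STORE and DEPLOYED defaults, the 20-day threshold and the --check switch are assumptions for illustration; it relies on GNU date and openssl, which Debian and Ubuntu provide.

```shell
#!/bin/bash
# Added example, not code from the article or from acme.sh: verify that an
# acme.sh-managed certificate was renewed, installed and reloaded.
# Assumptions: GNU date and openssl are installed; DOMAIN, STORE, DEPLOYED and
# WARN_DAYS may be overridden in the environment.
set -eu

DOMAIN="${DOMAIN:-mustermann-domain.de}"
# acme.sh's own copy; the _ecc suffix applies to ECC certificates, drop it for RSA
STORE="${STORE:-${HOME:-/root}/.acme.sh/${DOMAIN}_ecc}"
# the copy the web server loads (the --fullchain-file path used above)
DEPLOYED="${DEPLOYED:-/etc/apache2/ssl/letsencrypt.pem}"
# acme.sh renews at 60 days of age, i.e. with about 30 days left; fewer than
# 20 days left means at least one scheduled renewal attempt has failed
WARN_DAYS="${WARN_DAYS:-20}"

# days_left NOTAFTER: whole days from now until an openssl-style date such as
# "Dec 31 23:59:59 2030 GMT"; negative if the date has already passed
days_left() {
    local end now
    end=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# needs_attention DAYS THRESHOLD: succeeds (exit 0) when DAYS is below THRESHOLD
needs_attention() {
    [ "$1" -lt "$2" ]
}

# cert_not_after PEMFILE: notAfter of the first certificate in a PEM file
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_fingerprint PEMFILE: SHA-256 fingerprint of the first (leaf) certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# served_not_after HOST: notAfter of the certificate the live server presents,
# fetched with SNI so the right virtual host answers
served_not_after() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

main() {
    local rc=0 d

    # 1. did --install-cert copy the newest certificate into the web server directory?
    if [ "$(cert_fingerprint "$STORE/fullchain.cer")" != "$(cert_fingerprint "$DEPLOYED")" ]; then
        echo "WARN: $DEPLOYED differs from $STORE/fullchain.cer (install hook not run?)"
        rc=1
    fi

    # 2. is the deployed file still far enough from expiry?
    d=$(days_left "$(cert_not_after "$DEPLOYED")")
    echo "deployed certificate: $d days left"
    needs_attention "$d" "$WARN_DAYS" && { echo "WARN: renewal overdue"; rc=1; }

    # 3. does the running server present it (did --reloadcmd work)?
    d=$(days_left "$(served_not_after "$DOMAIN")")
    echo "served certificate:   $d days left"
    needs_attention "$d" "$WARN_DAYS" && { echo "WARN: server still serves an old certificate"; rc=1; }

    return "$rc"
}

# run the checks only when invoked with --check, so the functions can also be sourced
if [ "${1:-}" = "--check" ]; then
    main
fi
```

Run it as root with ./check-cert.sh --check from a daily cron entry or a monitoring agent; a non-zero exit code marks a failed renewal, a missing install hook or a web server that was not reloaded. For the Nginx setup, set DEPLOYED=/etc/nginx/ssl/letsencrypt.pem.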
