Last active March 4, 2024 15:29
Gist: colinmcintosh/016088860d35f01658e545b5ba75ba41
Configure Ubuntu 18.04 for NGINX with LetsEncrypt including auto-renewal using Acme.sh and Cloudflare API Tokens
```bash
sudo apt update
sudo apt upgrade -y
sudo apt install nginx
sudo mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

# Create a folder to store your certs
sudo mkdir -p /etc/nginx/ssl

# Edit NGINX config for your site
# If you need a TLS secured NGINX config look at https://gist.github.com/colinmcintosh/25425fccbde0a5bdc9df1153bd94b665
sudo vim /etc/nginx/nginx.conf

# Install acme.sh in the root account; other users will work too, but you'll need to work out permissions for reloading services
sudo su -
curl https://get.acme.sh | sh

# Generate a new token at https://dash.cloudflare.com/profile/api-tokens
# Create a custom token with these settings:
#   Permissions:
#     Zone - DNS - Edit
#   Zone Resources:
#     Include - Specific Zone - <YOUR_ZONE_NAME>
#   IP Address Filtering: optional
#   TTL: optional
# Note: acme.sh persists this token in ~/.acme.sh/account.conf for renewals, so keep that
# file readable only by the account running acme.sh and revoke the token if the host is compromised.
export CF_Token=<YOUR_CF_TOKEN>

# Get your Zone ID from the sidebar on the homepage of your Cloudflare Dashboard
# Make sure you are using the 32 character alphanumeric ID that looks something like 81501ef88ef9b34f24450b63145d4019
export CF_Zone_ID=<YOUR_ZONE_ID>

# Get your certs
~/.acme.sh/acme.sh --issue -d <YOUR_DOMAIN> --dns dns_cf --server letsencrypt

# Install your certs
# Make sure the certificate file locations in this command match your NGINX config
~/.acme.sh/acme.sh --install-cert -d <YOUR_DOMAIN> \
  --cert-file /etc/nginx/ssl/<YOUR_DOMAIN>.cert.pem \
  --key-file /etc/nginx/ssl/<YOUR_DOMAIN>.key.pem \
  --fullchain-file /etc/nginx/ssl/<YOUR_DOMAIN>.fullchain.pem \
  --reloadcmd "systemctl reload nginx.service"

# Done!
# You should be all set now. The certs will be automatically renewed every 60 days.
# If you need to stop renewal in the future use the command
~/.acme.sh/acme.sh --remove -d <YOUR_DOMAIN>
```
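A renewal runs unattended from acme.sh's cron job, so the `--reloadcmd` above is the one place a bad cert/key pair or a broken NGINX config can take the site down silently. The script below is an added example (not part of the gist or of acme.sh) of a safer reload target: it checks that the installed fullchain matches the private key, that the certificate is not about to expire, and that `nginx -t` passes before reloading. It assumes the file layout from the gist (`/etc/nginx/ssl/<domain>.fullchain.pem` and `.key.pem`) and GNU `date`; invoke it as `--reloadcmd "/usr/local/sbin/reload-nginx.sh <YOUR_DOMAIN>"`.

```bash
#!/bin/sh
# Safer --reloadcmd for acme.sh --install-cert (added example; paths assumed from the gist).
set -u

# Return 0 if the public key in the certificate matches the private key.
# Comparing SubjectPublicKeyInfo PEMs works for RSA and EC keys alike.
cert_key_match() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the number of whole days until the certificate's notAfter date.
cert_days_remaining() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    expiry=$(date -d "$not_after" +%s)
    now=$(date +%s)
    echo $(( (expiry - now) / 86400 ))
}

# Validate the pair, then test and reload NGINX only if everything checks out.
# Any failure returns non-zero without reloading, so acme.sh logs the problem
# and the previously working certificate stays in service.
safe_reload() {
    cert="$1"; key="$2"
    cert_key_match "$cert" "$key" || { echo "cert/key mismatch: $cert $key" >&2; return 1; }
    days=$(cert_days_remaining "$cert")
    [ "$days" -gt 7 ] || { echo "certificate expires in $days days, refusing reload" >&2; return 1; }
    nginx -t || { echo "nginx config test failed, not reloading" >&2; return 1; }
    systemctl reload nginx.service
}

# Run only when given a domain argument, e.g. reload-nginx.sh example.com
if [ $# -ge 1 ]; then
    safe_reload "/etc/nginx/ssl/$1.fullchain.pem" "/etc/nginx/ssl/$1.key.pem"
fi
```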