HTTPS is Working, but Wondering if I Did it Correctly

I generated a cert using acme.sh with the following syntax: /home/User_1/.acme.sh/acme.sh --issue --dns dns_gd -d my_site.com -d www.my_site.com

This created a .cer and .key, among a few other files in /home/User_1/.acme.sh/my_site.com

In my nginx /etc/nginx/sites-available/my_site config file, I simply pointed to the .cer and .key in /home/User_1/.acme.sh/my_site.com.

Is this correct? The documentation says something about issuing the cert to nginx, but I didn’t fully understand it, and this seemed to work.


In acme.sh you are meant to break this up into two steps: issuing and installing.

The first part - issuing - you’ve already done. That was acme.sh --issue.

Part two - installing - is shown in the README: https://github.com/acmesh-official/acme.sh#3-install-the-cert-to-apachenginx-etc

So you will want to do something like:

/home/User_1/.acme.sh/acme.sh --install-cert -d my_site.com \
--key-file       /etc/nginx/my_site.com.key  \
--fullchain-file /etc/nginx/my_site.com.cert \
--reloadcmd     "service nginx force-reload"

Modify your nginx configuration to use the private key and certificate from /etc/nginx/my_site.com.key and /etc/nginx/my_site.com.cert respectively, and then reload nginx one more time.

The main thing this achieves is to reload nginx as necessary when the certificate renews … but you’re also not really supposed to directly use the key and certificate files from inside /home/User_1/.acme.sh, which is why the installation involves copying them elsewhere.


After I do the --install-cert, in the future, will the default acme cronjob install the new renewed cert and reload nginx when it runs? Or do I need to create a cron script to do the --install and reload part?


Yep, that’s exactly the idea. It will remember how to install the certificate during the existing cronjob and you don’t need to schedule it separately.


Thanks again, everything worked well.

Wondering what the best approach is to have my non-root user's cron be able to restart the nginx.service. The user is in sudoers but obviously still needs to type in the password to restart the service. (Or am I wrong in assuming that the cron job will need to restart nginx each time the cert updates?)


The simple solution would be to run acme.sh as root.

If you are comfortable giving User_1 the ability to non-interactively reload nginx, you can perhaps add this to /etc/sudoers:

User_1 ALL = (root) NOPASSWD: /usr/sbin/service nginx force-reload

and re-run your acme.sh --install-cert command, but changing the --reloadcmd to include sudo.

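As an added check (this script is not from the thread, from acme.sh, or from nginx), here is a small POSIX shell script that verifies the result of the two steps discussed above: that the key copied out by --install-cert is not readable by other users and actually belongs to the certificate nginx loads, that the NOPASSWD rule names exactly one absolute command, and that the reload runs with no password the way cron will run it. The paths and the sudoers rule are the ones quoted in the thread; the function names and the --run flag are my own.

```shell
#!/bin/sh
# Added verification script, not part of acme.sh or the thread above.
# Paths and the sudoers rule are the ones quoted in the thread.
CERT=/etc/nginx/my_site.com.cert
KEY=/etc/nginx/my_site.com.key
RELOAD="/usr/sbin/service nginx force-reload"
RULE="User_1 ALL = (root) NOPASSWD: $RELOAD"

# The private key copied out by --install-cert must not be group/world readable.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# nginx must load a certificate that belongs to the private key it loads:
# derive the public key from each file and compare them.
cert_key_match() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# A NOPASSWD rule for the reload should name one absolute command with fixed
# arguments: no ALL, no wildcards, no comma-separated command list.
sudoers_rule_ok() {
    case "$1" in *NOPASSWD:*) ;; *) return 1 ;; esac
    cmd=${1#*NOPASSWD:}
    cmd=${cmd#"${cmd%%[! ]*}"}        # strip leading spaces
    case "$cmd" in
        ''|ALL*|*'*'*|*,*) return 1 ;;
        /*)                return 0 ;;
        *)                 return 1 ;;
    esac
}

# cron has no terminal: -n makes sudo fail instead of prompting for a password.
reload_noninteractive_ok() {
    sudo -n $RELOAD >/dev/null 2>&1
}

if [ "${1:-}" = "--run" ]; then
    key_mode_ok "$KEY"            && echo "key permissions ok" || echo "key too permissive"
    cert_key_match "$CERT" "$KEY" && echo "cert matches key"   || echo "cert/key MISMATCH"
    sudoers_rule_ok "$RULE"       && echo "sudoers rule ok"    || echo "sudoers rule too broad"
    reload_noninteractive_ok      && echo "reload ok"          || echo "reload still prompts"
fi
```

The command in the NOPASSWD rule must match the string passed to --reloadcmd exactly, full path included, or sudo will still ask for a password when the cron renewal fires.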

Thanks. I guess I misunderstood the docs when it told me not to use sudo, and thought they also meant not to use root. Obviously those two things are pretty different so I shouldn’t have assumed.

