Nginx + acme + letsencrypt: Unable to get local issuer certificate

I do not get you.
I got a certificate.

  1. acme.sh --issue -d dom.ru -d www.dom.ru -w /usr/local/www/cert --server letsencrypt
  2. acme.sh --install-cert -d dom.ru --cert-file /etc/nginx/acme.sh/dom.ru/dom.ru.pem --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem
    ...
    ...
    ...
    -----END CERTIFICATE-----
    [Wed Oct 12 16:54:54 +03 2022] Your cert is in: /var/db/acme/certs/dom.ru/dom.ru.cer
    [Wed Oct 12 16:54:54 +03 2022] Your cert key is in: /var/db/acme/certs/dom.ru/dom.ru.key
    [Wed Oct 12 16:54:54 +03 2022] The intermediate CA cert is in: /var/db/acme/certs/dom.ru/ca.cer
    [Wed Oct 12 16:54:54 +03 2022] And the full chain certs is there: /var/db/acme/certs/dom.ru/fullchain.cer

Let's say there will be more than 10 certificates.
I don't understand how to automate this process.
It checks for certificate updates every 7 days.
With certbot, I just added a script to cron:
20 7 */7 * * sh /root/letsencrypt_update

cat /root/letsencrypt_update
#!/bin/sh
# Renew every certificate that is due; -q keeps cron mail quiet
/usr/local/bin/certbot -q renew --allow-subset-of-names
# Make nginx pick up the renewed certificate files
/usr/local/etc/rc.d/nginx reload
exit 0

I'll think about your advice.

What does this show?:
crontab -l

Which client will you be using?

Read:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate

client?

Yes.

Simpler:

acme.sh --install-cert -d dom.ru \
    --key-file /etc/nginx/acme.sh/dom.ru/key.pem \
    --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem \
    --reloadcmd "service nginx reload"

You don't need cert-file when your server uses fullchain-file (fullchain-file = cert-file + chain-file).

You want to add --reloadcmd so that acme.sh can tell nginx to use the new certificate whenever it gets automatically renewed.

And so do this for each certificate to renew it?
Checking for certificate updates every 7 days in a cron script:

#!/bin/sh
acme.sh --issue -d dom.ru -d www.dom.ru -w /usr/local/www/cert --server letsencrypt
acme.sh --install-cert -d dom.ru --cert-file /etc/nginx/acme.sh/dom.ru/dom.ru.pem --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem --reloadcmd "service nginx reload"

Right?
I don't fully understand the logic of the certificate renewal action from acme.sh.

That only works if you use the acme.sh native automation :smiley:

Don't roll your own script, and let acme.sh install its own:

acme.sh --install-cronjob

acme.sh will remember the options, you don't need to tell them each time.

acme.sh --issue -d dom.ru -d www.dom.ru -w /usr/local/www/cert --server letsencrypt
acme.sh --install-cert -d dom.ru --cert-file /etc/nginx/acme.sh/dom.ru/dom.ru.pem --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem --reloadcmd "service nginx reload"

Will acme.sh itself perform these actions automatically at the right time?
Should I add something to cron to do this?

No, acme.sh will do it if you ask, no need to add crontabs manually. (It has probably done it already, see @rg305's post)

You also have this option: Using systemd units instead of cron (acmesh-official/acme.sh Wiki on GitHub)

(And, btw: once per week isn't enough. The recommendation is twice per day.)

$ crontab -l
25 0 * * * /usr/local/sbin/acme.sh --cron --home "/var/db/acme/.acme.sh" > /dev/null

That looks fine. You can change minute and hour to random values, and maybe add some random wait before the command.

But it looks fine.

I would replace

25 0 * * * /usr/local/sbin/acme.sh --cron --home "/var/db/acme/.acme.sh" > /dev/null

With

25 0,8,16 * * * perl -e 'sleep int(rand(3600))' && /usr/local/sbin/acme.sh --cron --home "/var/db/acme/.acme.sh"

But that's advanced stuff. Only do it if you know what it does.
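The same random start delay can be had without perl. The following is an added example, not a script from this thread or from acme.sh: `jitter_seconds` uses POSIX awk to pick a delay, and `run_with_jitter` sleeps that long before running whatever command it is given. The script path /usr/local/sbin/acme-jitter.sh in the comment is an assumption; the acme.sh command line and its --home directory are the ones shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: random start delay for the acme.sh
# cron job without depending on perl. Spreading renewal attempts over an
# hour is a courtesy to the CA, not a security control, so awk's rand()
# (not cryptographically strong) is entirely adequate here.

# Print a random integer in [0, max); max defaults to 3600 seconds.
jitter_seconds() {
    max=${1:-3600}
    # srand() with no argument seeds from the time of day in POSIX awk
    awk -v max="$max" 'BEGIN { srand(); print int(rand() * max) }'
}

# Sleep for a random delay (at most JITTER_MAX seconds, default 3600),
# then run the command given as arguments.
# Crontab line equivalent to the one in the thread, using this script
# (hypothetical path /usr/local/sbin/acme-jitter.sh):
#   25 0,8,16 * * * /usr/local/sbin/acme-jitter.sh /usr/local/sbin/acme.sh --cron --home "/var/db/acme/.acme.sh"
run_with_jitter() {
    delay=$(jitter_seconds "${JITTER_MAX:-3600}")
    sleep "$delay"
    "$@"
}

# Only act when invoked with a command, so the file can also be sourced.
if [ $# -gt 0 ]; then
    run_with_jitter "$@"
fi
```

The exit status of `run_with_jitter` is that of the wrapped command, so cron still mails you if acme.sh itself fails.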

I think once a week is enough.
Why every day or several times a day?

That command can fail through no fault of your own.

Once per week means you are 4 failures from serving an expired certificate. Twice per day makes it 60 failures -- three, as in my example, makes it 90 failures.

I tried to run it now.

$ acme.sh --install-cert -d dom.ru --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem --reloadcmd "service nginx reload"
[Fri Oct 14 11:59:48 +03 2022] Installing key to: /etc/nginx/acme.sh/dom.ru/key.pem
[Fri Oct 14 11:59:48 +03 2022] Installing full chain to: /etc/nginx/acme.sh/dom.ru/fullchain.pem
[Fri Oct 14 11:59:48 +03 2022] Run reload cmd: service nginx reload
nginx not running? (check /var/run/nginx.pid).
[Fri Oct 14 11:59:48 +03 2022] Reload error for :
$

Do I understand correctly that the acme user does not have enough rights to restart the nginx process?

That's... very specific of your system.

I might suggest creating a reload-nginx.sh script and allowing the acme user to run it with sudo and no password?

I run certificate updates under the regular user acme.
Under the acme user, it is not possible to reload nginx.
If the certificate has been updated, then create a file:
--reloadcmd "touch /var/db/acme/.restart_nginx"

Then a cron job running as root checks whether the file (/var/db/acme/.restart_nginx) has been created and, if so, does a soft reload of nginx.

root cron script:

#!/bin/sh
# Reload nginx only if the acme user's --reloadcmd left the flag file behind
if [ -f /var/db/acme/.restart_nginx ]; then
  service nginx reload
  rm -f /var/db/acme/.restart_nginx   # remove the flag so the next run is a no-op
fi

acme cron:
Check the certificate 2 times a day.

root cron:
Check for the file (/var/db/acme/.restart_nginx) in the same way, 2 times a day.
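The flag-file handoff described above, written out as an added example (not the poster's script): the acme user's side only creates the flag, and root's side checks it, tests the nginx configuration, reloads, and clears the flag. It goes a little beyond the thread's version in that a failed config test or reload keeps the flag so the next root run retries instead of silently dropping the request. The flag path is the one from the thread; the script name acme-reload.sh and the CHECK_CMD/RELOAD_CMD variables are assumptions (nginx's own `nginx -t` and FreeBSD-style `service nginx reload`).

```shell
#!/bin/sh
# Added example, not the poster's script: privilege-separated nginx reload
# through a flag file, so the unprivileged acme user needs neither sudo nor
# a root shell. Paths and commands are assumptions; adjust them.
#   FLAG_DIR   directory the acme user can write and root can read
#   CHECK_CMD  run as root before reloading (nginx's built-in config test)
#   RELOAD_CMD run as root to apply the new certificate
FLAG_DIR="${FLAG_DIR:-/var/db/acme}"
FLAG_FILE="${FLAG_FILE:-$FLAG_DIR/.restart_nginx}"
CHECK_CMD="${CHECK_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-service nginx reload}"

# acme side: this is all --reloadcmd needs to run. The flag carries no data
# that root will parse, so a compromised acme account can at most trigger a
# reload of a configuration root already trusts.
request_reload() {
    touch "$FLAG_FILE"
}

# root side (cron, 2 times a day as in the thread). Exit status:
#   0  nothing to do, or reloaded and flag cleared
#   1  config test failed (flag kept so the next run retries after a fix)
#   2  the reload itself failed (flag kept as well)
# root only tests for the path and unlinks it; it never writes through it,
# so a symlink planted in FLAG_DIR by the acme user gets no write from root.
process_reload_request() {
    [ -e "$FLAG_FILE" ] || return 0
    if ! $CHECK_CMD >/dev/null 2>&1; then
        echo "nginx config test failed; reload postponed, flag kept" >&2
        return 1
    fi
    if ! $RELOAD_CMD >/dev/null 2>&1; then
        echo "nginx reload failed; flag kept for the next run" >&2
        return 2
    fi
    rm -f "$FLAG_FILE"     # plain -f: it is one file, never a tree
    return 0
}

# Usage: acme-reload.sh request   (from --reloadcmd, as the acme user)
#        acme-reload.sh process   (from root's crontab)
case "${1:-}" in
    request) request_reload ;;
    process) process_reload_request ;;
esac
```

Because root writes nothing that the acme user can influence and parses nothing from the flag, the only thing the unprivileged account can cause is a reload, which is exactly the one privilege it needs.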

It's easier than that: https://www.cyberciti.biz/faq/linux-unix-running-sudo-command-without-a-password/

sudo is evil!
sudo should only be used on the home computer. )