ACME
The ACME protocol automates SSL/TLS certificate lifecycle management by enabling direct communication between clients and certificate authorities for issuance, installation, revocation, and replacement of SSL certificates.
The nginx-plus-module-acme module is an NGINX-authored dynamic module that implements the automatic certificate management (ACMEv2) protocol.
The source code for the module is available in the official GitHub repository. The official documentation, including module reference and usage examples, is available on the nginx.org website.
The installation process closely follows the NGINX Plus installation procedure. The module is available as the prebuilt nginx-plus-module-acme package for various Linux distributions and can be installed directly from the official NGINX Plus repository. Prior to installation, you need to add the NGINX Plus package repository for your distribution and update the repository metadata.
-
Check the Technical Specifications page to verify that the module is supported by your operating system.
-
Make sure you have the latest version of NGINX Plus. In Terminal, run the command:
nginx -vExpected output of the command:
nginx version: nginx/1.29.0 (nginx-plus-r35) -
Ensure you have the nginx-repo.crt and nginx-repo.key files from MyF5 Customer Portal in the /etc/ssl/nginx/ directory. These files are required for accessing the NGINX Plus repository.
sudo cp <downloaded-file-name>.crt /etc/ssl/nginx/nginx-repo.crt && \ sudo cp <downloaded-file-name>.key /etc/ssl/nginx/nginx-repo.keyFor Alpine, the nginx-repo.crt to /etc/apk/cert.pem and nginx-repo.key files should be added to /etc/apk/cert.key. Ensure these files contain only the specific key and certificate as Alpine Linux does not support mixing client certificates for multiple repositories.
For FreeBSD, the path to these files should also be added to the
/usr/local/etc/pkg.conffile:PKG_ENV: { SSL_NO_VERIFY_PEER: "1", SSL_CLIENT_CERT_FILE: "/etc/ssl/nginx/nginx-repo.crt", SSL_CLIENT_KEY_FILE: "/etc/ssl/nginx/nginx-repo.key" } -
Ensure that all required dependencies for your operating system are installed.
For Amazon Linux 2023, AlmaLinux, CentOS, Oracle Linux, RHEL, and Rocky Linux:
sudo dnf update && \ sudo dnf install ca-certificatesFor Debian:
sudo apt update && \ sudo apt install apt-transport-https \ lsb-release \ ca-certificates \ wget \ gnupg2 \ debian-archive-keyringFor Ubuntu:
sudo apt update && \ sudo apt install apt-transport-https \ lsb-release \ ca-certificates \ wget \ gnupg2 \ ubuntu-keyringFor FreeBSD:
sudo pkg update && \ sudo pkg install ca_root_nss -
Ensure that the NGINX signing key has been added, if required by your operating system.
For Debian:
wget -qO - https://cs.nginx.com/static/keys/nginx_signing.key \ | gpg --dearmor \ | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/nullFor Ubuntu:
printf "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ https://pkgs.nginx.com/plus/ubuntu `lsb_release -cs` nginx-plus\n" \ | sudo tee /etc/apt/sources.list.d/nginx-plus.listFor Alpine:
sudo wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub -
Ensure that your package management system is configured to pull packages from the NGINX Plus repository. See Installing NGINX Plus for details.
-
Update the repository information and install the
nginx-plus-module-acmepackage. In a terminal, run the appropriate command for your operating system.For CentOS, Oracle Linux, and RHEL:
sudo yum update && \ sudo yum install nginx-plus-module-acmeFor Amazon Linux 2023, AlmaLinux, Rocky Linux:
sudo dnf update && \ sudo dnf install nginx-plus-module-acmeFor Debian and Ubuntu:
sudo apt update && \ sudo apt install nginx-plus-module-acmeFor Alpine:
sudo apk update && \ sudo apk add nginx-plus-module-acmeFor FreeBSD:
sudo pkg update && \ sudo pkg install nginx-plus-module-acmeThe resulting
ngx_http_acme_module.sodynamic module will be written to the following directory, depending on your operating system:
/usr/lib64/nginx/modules/for most Linux distributions/usr/lib/nginx/modulesfor Debian, Ubuntu, Alpine/usr/local/etc/nginx/modulesfor FreeBSD
-
Enable dynamic loading of the module.
-
In a text editor, open the NGINX Plus configuration file (
/etc/nginx/nginx.conffor Linux or/usr/local/etc/nginx/nginx.conffor FreeBSD). -
On the top-level (or “
main”) context, specify the path to the dynamic module with theload_moduledirective:
load_module modules/ngx_http_acme_module.so; http { #... }- Save the configuration file.
-
-
Test the NGINX Plus configuration. In a terminal, type-in the command:
nginx -tExpected output of the command:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf is successful -
Reload the NGINX Plus configuration to enable the module:
nginx -s reload
In a text editor, open the NGINX Plus configuration file:
/etc/nginx/nginx.conffor Linux/usr/local/etc/nginx/nginx.conffor FreeBSD
For a complete list of directives, embedded variables, default span attributes, refer to the ngx_http_acme_module official documentation.
List of directives:
https://nginx.org/en/docs/http/ngx_http_acme_module.html#directives
List of variables:
https://nginx.org/en/docs/http/ngx_http_acme_module.html#variables
resolver 127.0.0.1:53;
acme_issuer example {
uri https://acme.example.com/directory;
# contact admin@example.test;
state_path /var/cache/nginx/acme-example;
accept_terms_of_service;
}
acme_shared_zone zone=ngx_acme_shared:1M;
server {
listen 443 ssl;
server_name .example.test;
acme_certificate example;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
# do not parse the certificate on each request
ssl_certificate_cache max=2;
}
server {
# listener on port 80 is required to process ACME HTTP-01 challenges
listen 80;
location / {
return 404;
}
}