Automating TLS Certificates in Angie: Complete ACME Module Guide
The ACME module in the Angie web server automates obtaining and renewing TLS certificates, including wildcard ones, with minimal effort. Built-in ACME protocol support eliminates the need for external tools like certbot, simplifying site security setup and management.
Setting Up HTTP Challenges for Standard Certificates
To obtain certificates via HTTP challenges (HTTP-01), start by defining properties in the acme_client directive within the http context. Here's an example configuration for RSA and ECDSA certificates:
http {
resolver 127.0.0.53 ipv6=off;
acme_client rsa https://acme-v02.api.letsencrypt.org/directory key_type=rsa;
acme_client ecdsa https://acme-v02.api.letsencrypt.org/directory;
}
Then configure your server to use these certificates:
server {
listen 443 ssl;
server_name site.ru www.site.ru test.site.ru company.ru;
acme rsa;
acme ecdsa;
ssl_certificate $acme_cert_rsa;
ssl_certificate_key $acme_cert_key_rsa;
ssl_certificate $acme_cert_ecdsa;
ssl_certificate_key $acme_cert_key_ecdsa;
}
Angie will automatically open port 80 for HTTP challenges unless specified otherwise via acme_http_port. Monitor certificate issuance through error_log or the API, with notice-level messages for successful renewals.
Obtaining Wildcard Certificates via DNS Verification
DNS challenges (DNS-01) are required for wildcard certificates that cover second-level domains and all third-level subdomains. Use zone delegation by creating DNS records in your hosting panel:
_acme-challenge.site.ru. 60 IN NS ns.site.ru.
ns.site.ru. 60 IN A {server_IP}
Then set up acme_client with the challenge=dns parameter:
http {
resolver 127.0.0.53 ipv6=off;
acme_client ecdsa https://acme-v02.api.letsencrypt.org/directory challenge=dns;
server {
listen 443 ssl;
server_name site.ru *.site.ru;
acme ecdsa;
ssl_certificate $acme_cert_ecdsa;
ssl_certificate_key $acme_cert_key_ecdsa;
}
}
Angie will open port 53 for DNS queries; use acme_dns_port to avoid conflicts with local services.
Alternative Methods and Advanced Features
When standard challenges aren't feasible, the ACME module supports custom hooks to offload file creation or DNS record management to external apps. It also supports the TLS-ALPN-01 method, useful when port 80 can't be opened, enabled via challenge=alpn.
Key Benefits
- Automation: Angie's ACME module fully automates TLS certificate issuance and renewal, including wildcards, without manual intervention.
- Flexibility: Supports HTTP-01, DNS-01, and TLS-ALPN-01 challenges, plus custom hooks for complex setups.
- Performance: Certificates load into server memory and can be cached with
ssl_certificate_cachefor optimization. - Compatibility: Works with any ACME-compliant provider, like Let's Encrypt.
- Monitoring: Integrates with
error_logand API for certificate status tracking.
Practical Tips for Implementation
When setting up the ACME module, keep these points in mind:
- Testing: Use Let's Encrypt's staging environment for initial setups to avoid rate limits.
- Security: Ensure the
resolverDNS server is trusted and disable IPv6 if needed. - Caching: Configure
ssl_certificate_cacheto boost performance, especially with certificate variables. - Ports: Control challenge ports with
acme_http_portandacme_dns_portto prevent conflicts.
Angie's ACME module is a powerful tool that streamlines TLS certificate management, cutting operational costs and boosting web app security. Its seamless integration lets developers and admins focus on core tasks instead of routine maintenance.
— Editorial Team
No comments yet.