Back to Home

Automation of TLS Certificates in Angie with ACME Module: Guide

The article is dedicated to setting up the ACME module in the Angie web server for automatic obtaining and renewal of TLS certificates. It covers HTTP and DNS verification methods, including wildcard certificates, with practical configuration examples.

Automate TLS Certificates in Angie: Complete ACME Guide
Advertisement 728x90

Automating TLS Certificates in Angie: Complete ACME Module Guide

The ACME module in the Angie web server automates obtaining and renewing TLS certificates, including wildcard ones, with minimal effort. Built-in ACME protocol support eliminates the need for external tools like certbot, simplifying site security setup and management.

Setting Up HTTP Challenges for Standard Certificates

To obtain certificates via HTTP challenges (HTTP-01), start by defining properties in the acme_client directive within the http context. Here's an example configuration for RSA and ECDSA certificates:

http {
  resolver 127.0.0.53 ipv6=off;
  acme_client rsa      https://acme-v02.api.letsencrypt.org/directory key_type=rsa;
  acme_client ecdsa    https://acme-v02.api.letsencrypt.org/directory;
}

Then configure your server to use these certificates:

Google AdInline article slot
server {
  listen 443 ssl;
  server_name site.ru www.site.ru test.site.ru company.ru;
  acme rsa;
  acme ecdsa;
  ssl_certificate         $acme_cert_rsa;
  ssl_certificate_key $acme_cert_key_rsa;
  ssl_certificate         $acme_cert_ecdsa;
  ssl_certificate_key $acme_cert_key_ecdsa;
}

Angie will automatically open port 80 for HTTP challenges unless specified otherwise via acme_http_port. Monitor certificate issuance through error_log or the API, with notice-level messages for successful renewals.

Obtaining Wildcard Certificates via DNS Verification

DNS challenges (DNS-01) are required for wildcard certificates that cover second-level domains and all third-level subdomains. Use zone delegation by creating DNS records in your hosting panel:

_acme-challenge.site.ru. 60    IN      NS       ns.site.ru.
             ns.site.ru. 60    IN       A       {server_IP}

Then set up acme_client with the challenge=dns parameter:

Google AdInline article slot
http {
  resolver 127.0.0.53 ipv6=off;
  acme_client ecdsa    https://acme-v02.api.letsencrypt.org/directory challenge=dns;
  server {
    listen 443 ssl;
    server_name site.ru *.site.ru;
    acme ecdsa;
    ssl_certificate         $acme_cert_ecdsa;
    ssl_certificate_key $acme_cert_key_ecdsa;
  }
}

Angie will open port 53 for DNS queries; use acme_dns_port to avoid conflicts with local services.

Alternative Methods and Advanced Features

When standard challenges aren't feasible, the ACME module supports custom hooks to offload file creation or DNS record management to external apps. It also supports the TLS-ALPN-01 method, useful when port 80 can't be opened, enabled via challenge=alpn.

Key Benefits

  • Automation: Angie's ACME module fully automates TLS certificate issuance and renewal, including wildcards, without manual intervention.
  • Flexibility: Supports HTTP-01, DNS-01, and TLS-ALPN-01 challenges, plus custom hooks for complex setups.
  • Performance: Certificates load into server memory and can be cached with ssl_certificate_cache for optimization.
  • Compatibility: Works with any ACME-compliant provider, like Let's Encrypt.
  • Monitoring: Integrates with error_log and API for certificate status tracking.

Practical Tips for Implementation

When setting up the ACME module, keep these points in mind:

Google AdInline article slot
  • Testing: Use Let's Encrypt's staging environment for initial setups to avoid rate limits.
  • Security: Ensure the resolver DNS server is trusted and disable IPv6 if needed.
  • Caching: Configure ssl_certificate_cache to boost performance, especially with certificate variables.
  • Ports: Control challenge ports with acme_http_port and acme_dns_port to prevent conflicts.

Angie's ACME module is a powerful tool that streamlines TLS certificate management, cutting operational costs and boosting web app security. Its seamless integration lets developers and admins focus on core tasks instead of routine maintenance.

— Editorial Team

Advertisement 728x90

Read Next