! wiki title: Installation on NGINX Running on Alma Linux 9 - grindsa/acme2certifier GitHub Wiki

Installation on NGINX Running on Alma Linux 9

The setup is designed so that uWSGI serves acme2certifier, while NGINX acts as a reverse proxy for better connection handling.

A ready-made shell script performing the tasks below can be found in the examples/install_scripts directory.

1. Download and Extract the Archive

cd /tmp
curl https://codeload.github.com/grindsa/acme2certifier/tar.gz/refs/heads/master -o a2c-master.tgz
tar xvfz a2c-master.tgz
cd /tmp/acme2certifier-master

2. Install Required Packages

sudo yum install -y epel-release
sudo yum update -y
sudo yum install -y python-pip nginx python3-uwsgidecorators.x86_64 tar uwsgi-plugin-python3 policycoreutils-python-utils

3. Set Up the Project Directory

sudo mkdir /opt/acme2certifier
sudo cp -R /tmp/acme2certifier-master/* /opt/acme2certifier/

4. Install Required Python Modules

sudo pip install -r /opt/acme2certifier/requirements.txt

5. Configure acme2certifier

  1. Create a configuration file acme_srv.cfg in /opt/acme2certifier/acme_srv/, or use the example stored in the examples directory.
  2. Modify the configuration file according to your needs.
  3. Set the handler_file parameter in acme_srv.cfg, or copy the appropriate CA handler from /opt/acme2certifier/examples/ca_handler/ to /opt/acme2certifier/acme_srv/ca_handler.py.
  4. Configure the connection to your CA server. Example for Insta Certifier.

6. Activate the WSGI Database Handler

sudo cp /opt/acme2certifier/examples/db_handler/wsgi_handler.py /opt/acme2certifier/acme_srv/db_handler.py

7. Copy the WSGI Application File

sudo cp /opt/acme2certifier/examples/acme2certifier_wsgi.py /opt/acme2certifier/

8. Set Correct Permissions

sudo chmod a+x /opt/acme2certifier/acme_srv
sudo chown -R nginx /opt/acme2certifier/acme_srv

9. Test acme2certifier by Starting the Application

cd /opt/acme2certifier
sudo uwsgi --http-socket :8000 --plugin python3 --wsgi-file acme2certifier_wsgi.py

10. Verify Directory Access

Run the following command in a parallel session to confirm that everything is working:

curl http://127.0.0.1:8000/directory

Expected response:

{
  "newAccount": "http://127.0.0.1:8000/acme_srv/newaccount",
  "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "http://127.0.0.1:8000/acme_srv/key-change",
  "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce",
  "meta": {
    "home": "https://github.com/grindsa/acme2certifier",
    "author": "grindsa <[email protected]>"
  },
  "newOrder": "http://127.0.0.1:8000/acme_srv/neworders",
  "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"
}

11. Set Up uWSGI

  1. Create a uWSGI configuration file, or use the one stored in examples/nginx:
sudo cp examples/nginx/acme2certifier.ini /opt/acme2certifier
  2. Enable the Python3 module in the deployed uWSGI configuration file:
echo "plugins = python3" | sudo tee -a /opt/acme2certifier/acme2certifier.ini
  3. Create a systemd unit file for uWSGI, or use the one in examples/nginx:
sudo cp examples/nginx/uwsgi.service /etc/systemd/system/
sudo systemctl enable uwsgi.service
  4. Start uWSGI as a service:
sudo systemctl start uwsgi

12. Configure NGINX as a Reverse Proxy

  1. Use the example stored in examples/nginx and modify it as needed:
sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf
  2. Restart NGINX:
sudo systemctl restart nginx

13. Adapt SELinux Configuration

Apply a customized policy to allow NGINX to communicate with uWSGI over Unix sockets:

sudo checkmodule -M -m -o acme2certifier.mod examples/nginx/acme2certifier.te
sudo semodule_package -o acme2certifier.pp -m acme2certifier.mod
sudo semodule -i acme2certifier.pp

14. Test the Server

curl http://<your-server-name>/directory

The above command may result in an error if the SELinux configuration still needs adjustment.
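
The directory checks in steps 10 and 14 can be automated. The script below is an added example, not part of acme2certifier: it verifies that the endpoint fields shown in the expected response are present, and flags any endpoint whose scheme or host differs from the URL that was queried. The function name check_directory, the same-origin expectation and the embedded sample are assumptions made for this example.

```python
import json
import sys
from urllib.parse import urlsplit
from urllib.request import urlopen

# Endpoint fields from the expected response above (RFC 8555 directory fields).
REQUIRED = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")

def check_directory(doc, base_url):
    """Return a list of problems found in an ACME directory document."""
    if not isinstance(doc, dict):
        return ["directory is not a JSON object"]
    problems = []
    base = urlsplit(base_url)
    for field in REQUIRED:
        value = doc.get(field)
        if not isinstance(value, str):
            problems.append(f"{field}: missing")
            continue
        url = urlsplit(value)
        # Assumption: endpoints share scheme and host:port with the queried URL.
        if (url.scheme, url.netloc) != (base.scheme, base.netloc):
            problems.append(f"{field}: points to {url.scheme}://{url.netloc}")
    return problems

# Constructed sample, modelled on the expected response in step 10.
SAMPLE = json.loads("""{
  "newAccount": "http://127.0.0.1:8000/acme_srv/newaccount",
  "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "http://127.0.0.1:8000/acme_srv/key-change",
  "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce",
  "meta": {"home": "https://github.com/grindsa/acme2certifier"},
  "newOrder": "http://127.0.0.1:8000/acme_srv/neworders",
  "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"
}""")

if __name__ == "__main__":
    # With an argument, query that server; without one, check the sample.
    base = sys.argv[1] if len(sys.argv) > 1 else None
    if base:
        with urlopen(base.rstrip("/") + "/directory", timeout=10) as resp:
            doc = json.load(resp)
    else:
        base, doc = "http://127.0.0.1:8000", SAMPLE
    issues = check_directory(doc, base)
    print("\n".join(issues) or "directory OK")
    sys.exit(1 if issues else 0)
```

Pass the base URL as the only argument (for example the address used in step 10 or the server name used in step 14); the exit status is non-zero when any problem is reported.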
