How to Install ACME SSL Certificates on Apache & NGINX?


Setting up ACME on both NGINX and Apache Web Servers 

Installing an ACME SSL certificate is most efficiently done using clients like Certbot (recommended for most users) or acme.sh (a lightweight shell script alternative).

Installing ACME SSL certificates on Apache and NGINX is now common practice for securing modern web servers. Either the Certbot or the acme.sh client can do this.

I have installed ACME certificates in production servers, cloud environments, and internal testing environments, and the workflow is always the same.

Once you have learned the process, installing and administering SSL becomes routine rather than complex.

The following are the step-by-step instructions for installing ACME SSL certificates on Apache and NGINX servers.

Step 1: Prepare Your Server

Before touching SSL, confirm these:

  • Domain name (example.com)
  • DNS A record pointing to your server’s public IP
  • Apache or NGINX is already installed
  • Ports 80 and 443 open
  • Root or sudo access

Test DNS

ping yourdomain.com or nslookup yourdomain.com

If DNS doesn’t resolve correctly, SSL validation will fail. Fix DNS first.

Check Web Server

For Apache: sudo systemctl status apache2
For NGINX: sudo systemctl status nginx

Make sure it’s running.

Step 2: Install Certbot (ACME Client)

Certbot is the tool that talks to the Certificate Authority and installs SSL automatically.

  • Update packages: sudo apt update
  • Install Certbot: sudo apt install certbot
  • Install Web Server Plugin
For Apache: sudo apt install python3-certbot-apache
For NGINX: sudo apt install python3-certbot-nginx

Now your server is ready to request certificates.

Step 3: Install SSL on Apache

Run: sudo certbot --apache

Certbot will:

  • Detect domains from Apache config
  • Ask for your email
  • Ask you to agree to the terms
  • Ask if you want an HTTP → HTTPS redirect; choose the redirect option

What happens next:

  • Private key generated
  • CSR created
  • Domain ownership verified
  • Certificate downloaded
  • Apache config updated
  • Apache reloaded

Open: https://yourdomain.com

If you see the padlock, you’re done.

Step 4: Install SSL on NGINX

Run: sudo certbot --nginx

Same flow:

  • Select domain
  • Enter email
  • Accept terms
  • Choose redirect

Certbot will:

  • Validate domain
  • Generate certificate
  • Add SSL directives to NGINX
  • Reload NGINX

Test: https://yourdomain.com

HTTPS should now be active.

Step 5: Verify Installed Certificates

Run Command:

sudo certbot certificates

You’ll see:

  • Domain name
  • Expiry date
  • Certificate path
  • Private key path

Take note of expiry.
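
To track expiry without reading the report by hand, the following added example (not from the original article or from Certbot) parses `certbot certificates` output and lists every certificate with fewer than a given number of days left. The sample report is constructed, `expiring_certs` is a hypothetical helper name, and GNU `date` is assumed.

```shell
#!/usr/bin/env bash
# Added example: list certificates that expire within a threshold.
# Real use:  sudo certbot certificates 2>/dev/null | expiring_certs 30

# Constructed sample of the report (trimmed, not from a real server).
sample_report() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2030-03-01 10:00:00+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.com
    Domains: shop.example.com
    Expiry Date: 2030-01-10 10:00:00+00:00 (VALID: 12 days)
  Certificate Name: old.example.com
    Domains: old.example.com
    Expiry Date: 2029-12-01 10:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# expiring_certs THRESHOLD_DAYS [NOW_EPOCH]
# Reads the report on stdin and prints "<name> <days_left>" for each
# certificate below the threshold. Days are recomputed from the expiry
# timestamp, so the result does not depend on when the report was made.
expiring_certs() {
  local threshold=$1
  local now=${2:-$(date +%s)}
  local name="" line expiry secs days
  while IFS= read -r line; do
    case $line in
      *"Certificate Name: "*) name=${line#*Certificate Name: } ;;
      *"Expiry Date: "*)
        expiry=${line#*Expiry Date: }
        expiry=${expiry%% (*}            # drop the "(VALID: N days)" suffix
        secs=$(date -u -d "$expiry" +%s) || continue
        days=$(( (secs - now) / 86400 )) # negative means already expired
        if [ "$days" -lt "$threshold" ]; then
          printf '%s %s\n' "$name" "$days"
        fi ;;
    esac
  done
}

# Demo on the constructed sample, measured against the current date.
sample_report | expiring_certs 30
```

Run from cron or a monitoring agent, any output line is a certificate that renewal has not refreshed in time.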

Step 6: Test Auto Renewal

ACME certificates expire every 90 days.

Certbot installs auto-renewal by default. Test it:

sudo certbot renew --dry-run

If no errors appear, renewal works.

Check the scheduled timer:

sudo systemctl list-timers

Your system should show a certbot renewal task.

Step 7: Firewall and Network Considerations

Check the traffic permitted by the firewall:

  • If using UFW firewall:
sudo ufw allow 80
sudo ufw allow 443

If these ports are blocked, ACME validation will fail, and so will renewal.

Method 2: Install ACME SSL on Nginx/Apache using Acme.sh

Step 1: Install acme.sh

curl https://get.acme.sh | sh
source ~/.bashrc

Step 2: Issue the Certificate

Use the server-specific mode to validate your domain:

Apache: acme.sh --issue --apache -d example.com
NGINX: acme.sh --issue --nginx -d example.com

Step 3: Install to Production Path

Note: Don’t point your server config to the internal ~/.acme.sh/ folder. Use the install command to copy the certificate files to a permanent location and set a reload command.

For NGINX:

acme.sh --install-cert -d example.com \
--key-file /etc/nginx/ssl/key.pem \
--fullchain-file /etc/nginx/ssl/cert.pem \
--reloadcmd "service nginx force-reload"

For Apache:

acme.sh --install-cert -d example.com \
--cert-file /etc/apache2/ssl/cert.pem \
--key-file /etc/apache2/ssl/key.pem \
--fullchain-file /etc/apache2/ssl/fullchain.pem \
--reloadcmd "service apache2 force-reload"

Step 4: Important Security Best Practices

Always remember the safety points:

  • Do not share files containing a private key.
  • Keep a backup of the certificate directory.
  • Use strong server permissions.
  • Monitor expiry dates.
  • Test renewal regularly.
  • If the private key is lost, the certificate can no longer be used. You have to regenerate the key and re-issue the certificate.
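
One way to check the permissions point on a host, as an added example that is not part of the original article: the script below reports any private key that is not owned by root or that group or other users can access. `check_key_perms` and `audit_keys` are hypothetical helper names, GNU `stat` is assumed, and the certbot path is its default location.

```shell
#!/usr/bin/env bash
# Added example: audit private-key files for loose ownership or mode.

# check_key_perms FILE [EXPECTED_UID]
# Prints one finding line; returns 0 only if the key is owner-only.
check_key_perms() {
  local file=$1 want_uid=${2:-0} mode uid
  if [ ! -f "$file" ]; then
    echo "MISSING $file"; return 1
  fi
  # -L follows symlinks: certbot's live/ entries are links into archive/.
  mode=$(stat -L -c '%a' "$file")
  uid=$(stat -L -c '%u' "$file")
  if [ "$uid" != "$want_uid" ]; then
    echo "OWNER $file owned by uid $uid, expected uid $want_uid"; return 1
  fi
  # Any bit in 077 means group or other can read, write or execute the key.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "OPEN $file mode $mode, group/other can access it"; return 1
  fi
  echo "OK $file mode $mode"
}

# Key locations: the acme.sh install paths from Step 3, plus certbot's
# default live directory (an assumption if certbot is configured otherwise).
audit_keys() {
  local path status=0
  for path in /etc/nginx/ssl/key.pem /etc/apache2/ssl/key.pem \
              /etc/letsencrypt/live/*/privkey.pem; do
    [ -e "$path" ] || continue        # skip paths not present on this host
    check_key_perms "$path" 0 || status=1
  done
  return $status
}

audit_keys || echo "Tighten each reported key, e.g. chown root and chmod 600"
```

Run it as root so the certbot directory is readable; a non-zero return from `audit_keys` means at least one key needs attention.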

Conclusion

Installing HTTPS is no longer difficult. One or two commands, and your server is serving encrypted traffic. That’s the easy part. Installing ACME SSL certificates on Apache and NGINX allows you to automate certificate issuance, validation, installation, and renewal, reducing manual effort and helping you prepare for shorter SSL certificate lifespans.

Janki Mehta

Janki Mehta is a cyber-security enthusiast with 7+ years of experience in and knowledge of encryption, digital certificates and online security. She helps online users stay safe and protect their online presence. Explore SSL errors, installation guides and security tutorials for a safe browsing and web security experience.