Create a dedicated folder for the certificates and give the deploy user write access to it through group membership
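#!/usr/bin/env bash
# One-time setup on the nginx host: a directory for the pushed certificates
# that the deploy user ($push_user) can write to via the www-data group.
set -euo pipefail

certs_dir=/etc/nginx/certs
push_user=dhorn

# -p makes this safe to re-run; -m sets the mode together with creation so the
# directory never exists with the default (wider) permissions. chmod still runs
# for the re-run case, where mkdir -p leaves an existing directory untouched.
mkdir -p -m 0770 -- "$certs_dir"
chmod 0770 -- "$certs_dir"
chown root:www-data -- "$certs_dir"

# NOTE(review): www-data is usually also the account the nginx workers run as,
# so group-write here (and a sudo rule for %www-data) is also available to a
# compromised worker; a dedicated deploy group would be tighter — confirm
# before relying on this layout.
# usermod -aG appends to the supplementary groups; it is the widely available
# form of the original `groupmod -a -U`, which needs a newer shadow-utils.
# Without -a the user's other supplementary groups would be replaced.
usermod -aG www-data "$push_user"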
Add the www-data group to sudoers so it can run the service command (`service nginx restart`)
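#!/usr/bin/env bash
# Grant the www-data group passwordless sudo for the single command the
# certificate push script needs. The original rule allowed any `service`
# invocation as any user (ALL:ALL), i.e. stopping or restarting every service
# on the box from that group.
set -euo pipefail

sudoers_file=/etc/sudoers.d/20_nginx

printf '%s\n' '%www-data ALL=(root) NOPASSWD: /usr/sbin/service nginx restart' >"$sudoers_file"
# sudoers.d fragments are conventionally root-owned and mode 0440.
chown root:root -- "$sudoers_file"
chmod 0440 -- "$sudoers_file"
# Validate the fragment; a syntax error in sudoers.d can break sudo for
# everyone, so remove it again rather than leave a bad file in place.
if ! visudo -cf "$sudoers_file"; then
  rm -f -- "$sudoers_file"
  printf 'invalid sudoers fragment, removed %s\n' "$sudoers_file" >&2
  exit 1
fi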
Shell snippet that lets the acme service push the certificates to the nginx host
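#!/usr/bin/env bash
# Push the issued key and full chain for $HOST to the nginx host, then restart
# nginx there. Runs on the acme host; assumes ssh access as ${dest_name}@${HOST}
# and that ${dest_name} may run `sudo /usr/sbin/service nginx restart`.
# All output goes to stderr, as in the original hook.
set -euo pipefail

HOST=unifi
dest_name=dhorn
dest_folder="/etc/nginx/certs/"
dest_basename=${HOST}

src_key="/conf/acme/${HOST}.key"
src_chain="/conf/acme/${HOST}.fullchain"
remote="${dest_name}@${HOST}"
dest_key="${dest_folder}${dest_basename}.key"
dest_crt="${dest_folder}${dest_basename}.crt"

date 1>&2

# Copy under temporary names first so nginx never sees a half-written file,
# then rename into place. scp creates files with the remote umask, which is
# normally wider than a private key should be, so tighten the key before the
# rename. nginx reads the key as the master process's user (root when started
# by the init system — confirm), so 0600 owned by the deploy user is enough.
scp "$src_key"   "${remote}:${dest_key}.tmp" 1>&2
scp "$src_chain" "${remote}:${dest_crt}.tmp" 1>&2
ssh "$remote" \
  "chmod 600 '${dest_key}.tmp' \
   && mv -f '${dest_key}.tmp' '${dest_key}' \
   && mv -f '${dest_crt}.tmp' '${dest_crt}' \
   && sudo /usr/sbin/service nginx restart \
   && echo Completed" 1>&2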
Snippet of /etc/nginx/nginx.conf
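server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unifi.mydomain.com;

    # Files pushed by the acme deploy script into /etc/nginx/certs.
    ssl_certificate     /etc/nginx/certs/unifi.crt;
    ssl_certificate_key /etc/nginx/certs/unifi.key;

    # NOTE(review): proxy_pass to an https backend does not verify the
    # backend certificate unless proxy_ssl_verify is enabled; acceptable for
    # localhost, worth revisiting if the backend ever moves off-host.

    # WebSocket endpoint: HTTP/1.1 with the Upgrade/Connection headers passed
    # through, buffering off, and a long read timeout so idle sockets are not
    # closed by the default 60s.
    location /wss {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        proxy_pass https://localhost:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Fixed from "X-Forward-For": the header backends and other proxies
        # look for is X-Forwarded-For, so the misspelt name carried no value
        # for them.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}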