acme.sh
acme.sh is an ACME client written in POSIX shell. It implements the full ACME protocol and supports IPv6 and wildcard certificates.
Usage
The acme.sh package does not provide man pages, but a wiki exists on the project's website. acme.sh --help also outputs a long list of commands and parameters.
There are three steps involved:
- Requesting a certificate to be issued.
- Installing the issued certificate, to make it useful.
- Maintaining the certificate over time.
The first 2 steps are summarized at the bottom of https://git.guilhem.org/lacme/about/, starting with the words "Requesting new Certificate Issuance with the ACME protocol".
Issuing a new cert
Specify each name to include in the certificate with -d (repeat it for additional names). While experimenting, add --test so that requests go to the CA's staging environment and failed attempts do not count against production rate limits.
Using the webroot method (the challenge files are written under the given web root, which the web server must serve over HTTP for every listed name):
$ acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com
or use standalone mode by adding --standalone if you have socat installed and no web server is listening on port 80:
$ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
or use Nginx mode, which has acme.sh serve the challenge through an existing Nginx instance:
$ acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
or use DNS mode, which is required for wildcard names because HTTP-based validation cannot prove control of *.example.com (see the official wiki for the supported DNS providers and the API credentials each one needs):
$ acme.sh --issue -d example.com -d '*.example.com' --dns dns_he
See the official wiki for more examples.
Install the cert to Apache/Nginx etc
The files under ~/.acme.sh are rewritten on every renewal, so do not point the web server at them directly. --install-cert copies the certificate and key to the given paths and runs --reloadcmd after each renewal; the key file should live in a directory readable only by root (or the web server user).
Nginx:
$ acme.sh --install-cert -d example.com --key-file '/path/to/keyfile/in/nginx/example.key' --fullchain-file '/path/to/fullchain/nginx/example.cer' --reloadcmd "systemctl force-reload nginx"
Apache (the service is named httpd rather than apache2 on some distributions):
$ acme.sh --install-cert -d example.com --cert-file '/path/to/certfile/in/apache/example.cer' --key-file '/path/to/keyfile/in/apache/example.key' --fullchain-file '/path/to/fullchain/certfile/apache/example.fullchain.cer' --reloadcmd "systemctl force-reload apache2"
Maintaining a cert
By default acme.sh renews a certificate once it is 60 days old, so a daily run of acme.sh --cron renews each certificate well before a typical 90-day certificate expires. During installation acme.sh offers to add a cron entry for this; alternatively, a systemd timer may be set up to run acme.sh --cron regularly.
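As an added example that is not from the acme.sh project, the following POSIX shell function writes a systemd service and timer pair that runs acme.sh --cron once a day. The unit names (acme-renew.service, acme-renew.timer), the acme.sh home directory and the schedule are assumptions; --cron is the same entry point that acme.sh's own cron job uses.

```shell
#!/bin/sh
# Added example, not acme.sh project code. Generates a systemd service
# and timer that run the acme.sh renewal check daily. Unit names, the
# acme.sh home directory and the schedule are assumptions.
set -eu

# Write acme-renew.service and acme-renew.timer into UNIT_DIR.
# ACME_HOME is the directory acme.sh was installed into (its --home).
write_acme_timer_units() {
    unit_dir="$1"; acme_home="$2"
    cat > "$unit_dir/acme-renew.service" <<EOF
[Unit]
Description=Renew certificates with acme.sh
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# --cron renews only certificates past the renewal threshold (60 days by default).
ExecStart=$acme_home/acme.sh --cron --home $acme_home
# The job already runs as root; keep it from picking up extra privileges.
NoNewPrivileges=yes
PrivateTmp=yes
EOF
    cat > "$unit_dir/acme-renew.timer" <<EOF
[Unit]
Description=Daily acme.sh renewal check

[Timer]
OnCalendar=daily
# Spread runs over an hour so many hosts do not hit the CA at the same instant.
RandomizedDelaySec=1h
# Run a missed check at the next boot instead of skipping it.
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# Print the value of KEY in unit file FILE, for checking what was written.
unit_value() {
    sed -n "s/^$2=//p" "$1"
}

# Usage (as root, assumed paths):
#   write_acme_timer_units /etc/systemd/system /root/.acme.sh
#   systemctl daemon-reload && systemctl enable --now acme-renew.timer
```

If acme.sh installed its own cron entry during setup, remove it with acme.sh --uninstall-cronjob so renewals are not attempted twice. Any --reloadcmd given at install time runs from this service, so it inherits the unit's restrictions.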