acme.sh

From ArchWiki

acme.sh is an ACME client written in shell script. It implements the full ACME protocol and supports IPv6 and wildcard certificates.

Installation

Install the acme.sh package, and socat if you want to use the standalone mode.

Usage

The acme.sh package does not provide its man pages, but a wiki page exists on the project's website. acme.sh --help also outputs a long list of commands and parameters.

There are three steps involved:

  1. Requesting a certificate to be issued.
  2. Installing the issued certificate, to make it useful.
  3. Maintaining the certificate over time.

The first 2 steps are summarized at the bottom of https://git.guilhem.org/lacme/about/, starting with the words "Requesting new Certificate Issuance with the ACME protocol".

Issuing a new cert

Specify each domain name with -d; repeat the option for every additional name the certificate should cover.

Tip: You might want to set Let's Encrypt as your default CA, because acme.sh has used ZeroSSL as its default CA since August 1st, 2021.

Using the webroot method:

$ acme.sh --issue -d example.com -d www.example.com -d cp.example.com -d '*.example.com' -w /home/wwwroot/example.com

or use standalone mode by adding --standalone, if you have socat installed and no web server is running:

$ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com

or use Nginx mode:

$ acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com

or use DNS mode (see the official wiki for more):

$ acme.sh --issue -d example.com -d '*.example.com' --dns dns_he

See more examples here.

Install the cert to Apache/Nginx etc

Nginx:

$ acme.sh --install-cert -d example.com --key-file '/path/to/keyfile/in/nginx/example.key' --fullchain-file '/path/to/fullchain/nginx/example.cer' --reloadcmd "systemctl force-reload nginx"

Apache:

$ acme.sh --install-cert -d example.com --cert-file '/path/to/certfile/in/apache/example.cer' --key-file '/path/to/keyfile/in/apache/example.key' --fullchain-file '/path/to/fullchain/certfile/apache/example.fullchain.cer' --reloadcmd "systemctl force-reload httpd"

Maintaining a cert

The certs will be renewed automatically every 60 days.
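To confirm that the automatic renewal and the --reloadcmd actually delivered a fresh certificate, the following added example (not part of this page or of acme.sh) reads the file written by --fullchain-file and reports how many days remain. It assumes GNU date and openssl are installed; the 30-day threshold is a constructed value (a 90-day certificate renewed after 60 days), not an acme.sh setting, and the sample certificate is generated locally so the check runs offline.

```shell
#!/bin/sh
# Added example: check the certificate that acme.sh installed with
# --fullchain-file and decide whether it is inside the renewal window.
# Assumes GNU date (for `date -d`) and openssl on PATH.
set -eu

# Constructed threshold: a 90-day certificate renewed every 60 days
# should never have fewer than ~30 days left.
RENEW_BEFORE_DAYS=30

# Print the number of whole days until the first certificate in $1 expires
# (negative once it has expired).
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    end_epoch=$(date -u -d "$enddate" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Return 0 if the certificate in $1 is due for renewal (or already expired),
# 1 if it still has more than RENEW_BEFORE_DAYS days left.
needs_renewal() {
    [ "$(cert_days_left "$1")" -le "$RENEW_BEFORE_DAYS" ]
}

# Generate a constructed self-signed certificate valid for $1 days, standing
# in for /path/to/fullchain/nginx/example.cer so the check can run offline.
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=example.com" \
        -keyout "$dir/example.key" -out "$dir/example.cer" 2>/dev/null
    echo "$dir/example.cer"
}

# Usage: ./check-cert.sh /path/to/fullchain/nginx/example.cer
# Without an argument a constructed 90-day certificate is checked instead.
cert="${1:-$(make_sample_cert 90)}"
echo "$cert: $(cert_days_left "$cert") days left"
if needs_renewal "$cert"; then
    echo "inside renewal window: run 'acme.sh --renew -d example.com' and check the reloadcmd"
else
    echo "not due for renewal yet"
fi
```

Run it against the path you passed to --fullchain-file after the 60-day cycle; if it keeps reporting the old expiry date, the renewal ran but the reload command did not pick up the new file.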

See also

  • home page and wiki page for the documentation.
  • acme.sh acknowledges acme-tiny. acme-tiny's author maintains several more ACME-related utilities at [1]. Those utilities are more basic, and the author gives more thorough, under-the-hood explanations of what is going on in order to show their usage.