Generate HTTPS certificates via acme.sh.

What is acme.sh?

acme.sh is an open-source shell script that automates the issuance, installation and renewal of HTTPS certificates from ACME certificate authorities.

Install

curl https://get.acme.sh | sh -s [email protected]

After installation, acme.sh is placed in your home directory:

~/.acme.sh

The installer also adds an alias and environment variables to your shell profile. Run the following command so that they take effect in the current shell (the original text had a typo, ~/.basrc):

source ~/.bashrc

Generate certificates

Before generating the certificate, acme.sh needs to verify your ownership of the domain name. There are several verification modes as follows:

HTTP Verification

Apache

If you are using an Apache server:

acme.sh --issue -d mydomain.com --apache

Nginx Server

If you are using an nginx server:

acme.sh --issue -d mydomain.com --nginx

Add file to website root directory.

You can also tell acme.sh the root directory of your website, and acme.sh will place the verification file there itself:

acme.sh --issue -d mydomain.com --webroot /path-to-the-webroot-of-the-site

DNS Verification

Add record manually

Run the command:

acme.sh --issue --dns -d mydomain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

acme.sh will then compute the corresponding TXT record and print its name and value. Add that TXT record in your domain's DNS management panel.

Once the record is in place, run the renew command to complete verification and issue the certificate:

acme.sh --renew -d mydomain.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

Verify through DNS service provider API.

This is the most commonly used and recommended verification mode. Cloudflare is used as the example here; see https://github.com/acmesh-official/acme.sh/wiki/dnsapi for the other supported DNS providers.

Obtain API credentials.

You can get your Global API key from your Cloudflare profile page, under the API tokens section. Click "View" next to Global API key, confirm your Cloudflare password, and the key is revealed. It is a 32-character hexadecimal string, which you provide to acme.sh by setting the environment variable CF_Key to its value. You must also set CF_Email to the email address associated with your Cloudflare account, i.e. the address you use to log in to Cloudflare. For example:

export CF_Key="763eac4f1bcebd8b5c95e9fc50d010b4"
export CF_Email="[email protected]"

Generate certificate.

acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'
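To show what acme.sh is computing in both DNS modes above (the record it prints for you to add manually, or the one the dns_cf hook publishes through the API), here is an added Python example, not acme.sh's own code, that derives the _acme-challenge record name and the DNS-01 TXT value from the challenge token and the ACME account key as RFC 8555 and RFC 7638 define them. The JWK and token below are constructed sample values, not a real account or challenge.

```python
import base64
import hashlib
import json

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed sample account key and token (not a real ACME account).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members (RFC 7638).
    Optional members such as 'kid' or 'alg' and the original key order are
    ignored, so the thumbprint identifies the key itself, not its encoding."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value to publish: base64url(SHA-256(token '.' thumbprint)).
    Tying the value to the account key is why a record from another
    client or account cannot be reused to pass your challenge."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def dns01_record_name(domain: str) -> str:
    """Record name; a wildcard *.example.com is validated on example.com."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


if __name__ == "__main__":
    for name in ("example.com", "*.example.com"):
        print(dns01_record_name(name), "TXT",
              dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

Each identifier in a certificate order gets its own token, so the two names above receive different values in a real issuance even though they share the record name.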

View certificate files

After the certificate is generated, you can find its files in ~/.acme.sh/mydomain.com_ecc. fullchain.cer is the certificate (with its chain) and mydomain.com.key is the private key. Both are text files that can be uploaded to i18n.so during the site configuration process.

Common issues during the usage of acme.sh

CA

acme.sh now defaults to ZeroSSL as the CA, which often has accessibility issues. You can switch the default CA to Let's Encrypt with the following command:

acme.sh --set-default-ca --server letsencrypt

Generate wildcard domain certificate.

Assuming you want a single certificate that covers both example.com and *.example.com, pass both names with -d. Wildcard names can only be validated through DNS, so this uses the DNS API mode shown above (dns_cf for Cloudflare); the wildcard is quoted so the shell does not expand it:

acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'

Certificate renewal

After acme.sh generates the certificate, it adds a crontab entry that runs periodically and renews the certificate when it is due. You can view the scheduled task with the following command; the renewed files are written to the same directory, ~/.acme.sh/mydomain.com_ecc.

crontab -l