Introduction
This article documents the process of automating SSL certificate issuance and serves as a reference for future deployments. The two main tools are:
- Certbot is recommended for single-server deployments, since its commands are simpler; compared to acme.sh, however, it primarily supports foreign DNS providers.
- acme.sh, on the other hand, is a pure shell tool that performs better and supports many DNS provider APIs, which makes it well suited to automating certificate issuance and nginx deployment.
This article explains how to use acme.sh to issue certificates on your own server. For Certbot, see "Add SSL Certificate with Let's Encrypt to Nginx".
Prerequisites
- Server with Ubuntu as OS
- Domain name
- DNS API token
Example terminology
- Email: mail@example.com
Step 1 - Installing acme.sh
For issuing certificates with acme.sh, Hetzner Cloud is recommended: it provides a high-performance server at a low price, and the renewal command is easy to remember. Any other provider works as well.
On your server, run:
git clone https://github.com/acmesh-official/acme.sh.git
cd ~/acme.sh
./acme.sh --install -m mail@example.com
Replace mail@example.com with your email address.
Once the installation is complete, the installation path will be displayed.
Step 2 - Modifying Automated DNS
You can find various API options for different DNS providers in the acme.sh repository and in this directory:
cd ~/acme.sh/dnsapi
If you are unsure which one to use, refer to the acme.sh wiki for guidance.
For demonstration purposes, I will use Hetzner DNS. Note that the API keys provided by each DNS provider may differ. Choose the best provider for you. For Hetzner DNS, you can get your API key in the Hetzner DNS Console.
Note down the key for your DNS provider.
Find the corresponding script for your DNS provider, such as dns_hetzner.sh for Hetzner. To add the API token, you can either:
- Edit the file manually:
  nano ~/acme.sh/dnsapi/dns_hetzner.sh
- Use the export command:
  export HETZNER_Token="<token>"
Replace HETZNER_Token with the variable used in the script of your DNS provider and replace <token> with your actual API token. You can view the saved API token with cat ~/.acme.sh/account.conf.
Step 3 - Issuing Certificates
By default, acme.sh uses ZeroSSL as Certificate Authority (CA). If you need a specific CA, e.g. the BuyPass.com CA, check the official acme.sh repository on GitHub.
Starting with acme.sh v3.0.6, the default key algorithm is ec-256 rather than RSA 2048. If your CA only supports RSA keys (4096 bits and below), add -k 2048 at the end of the command to issue the certificate.
See the commit in the acmesh-official/acme.sh repository on GitHub: "Use ec-256 as default key length".
Run the following command to issue the certificate:
cd ~/acme.sh
./acme.sh --issue --dns dns_hetzner -d example.com -d *.example.com
This command completes the DNS challenge automatically through the provider API. Once verification succeeds, the certificate and key files can be found in the location acme.sh reports (under the installation path shown in Step 1); open them with a text editor to view the details.
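Once the files exist, it is worth verifying them before wiring them into nginx or trusting the renewal cron job. The following script is an added example, not part of this article or of acme.sh; it assumes openssl 1.1.1 or newer is installed, takes the certificate, key and domain names as arguments, and checks remaining validity, that the key belongs to the certificate, and that every domain from the --issue command is actually listed in the certificate's SAN extension.

```shell
#!/bin/sh
# Added example, not from the article or from acme.sh itself.
# Assumes openssl >= 1.1.1. With acme.sh defaults the files are under
# ~/.acme.sh/<domain>_ecc/ (assumption; use the path acme.sh printed).

# Succeeds if the certificate remains valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(($2 * 86400)) -in "$1" >/dev/null 2>&1
}

# Succeeds if the SAN extension lists $2 exactly, e.g. example.com or
# *.example.com (a wildcard does not cover the bare domain, hence both -d).
cert_covers_domain() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# Succeeds if the private key belongs to the certificate (EC or RSA):
# the public key derived from each must be byte-identical.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" = \
      "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# check_issued_cert <cert.pem> <key.pem> <domain>...
# Prints each failed check and returns non-zero, suitable for a cron job.
check_issued_cert() {
    cert="$1"; key="$2"; shift 2
    rc=0
    cert_valid_for_days "$cert" 30 || { echo "expires within 30 days: $cert"; rc=1; }
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate: $key"; rc=1; }
    for d in "$@"; do
        cert_covers_domain "$cert" "$d" || { echo "domain not covered: $d"; rc=1; }
    done
    return $rc
}

# Usage: ./check_issued_cert.sh fullchain.cer example.com.key example.com '*.example.com'
if [ "$#" -ge 3 ]; then
    check_issued_cert "$@"
fi
```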
Conclusion
In this tutorial, you learned how to issue SSL certificates using acme.sh. With these instructions, you can easily secure your websites and services with SSL certificates.