
Automating SSL Certificate Issuance with acme.sh through DNS

Author: chunzhimoe
Published: 2023-09-07
Reading time: 4 minutes

About the author: hello, neko

Introduction

This article aims to document the process of automating SSL certificate issuance and serves as a reference for future applications. The two main tools are:

  • Certbot is recommended for single-server deployments: its commands are simpler, but compared to acme.sh it mainly supports foreign DNS providers.
  • Acme.sh, on the other hand, is a shell-based tool that performs better and supports many DNS provider APIs, making it suitable for automating SSL certificate issuance and nginx deployment.

This article explains how to use acme.sh to issue certificates on your own server. For Certbot, see "Add SSL Certificate with Let's Encrypt to Nginx".

Prerequisites

  • Server with Ubuntu as OS
  • Domain name
  • DNS API token

Example terminology

  • Email: mail@example.com

Step 1 - Installing acme.sh

For issuing certificates with acme.sh, Hetzner Cloud is recommended, as it provides a high-performance server at a low price, and the renewal command is easy to remember. However, you can also use any other provider.

On your server, run:

cd ~
git clone https://github.com/acmesh-official/acme.sh.git
cd ~/acme.sh
./acme.sh --install -m mail@example.com

Replace mail@example.com with your email address.

Once the installation is complete, the installation path will be displayed.

Step 2 - Modifying Automated DNS

You can find the API scripts for the various DNS providers in the acme.sh repository, in this directory:

cd ~/acme.sh/dnsapi

If you are unsure which one to use, refer to the acme.sh wiki for guidance.

For demonstration purposes, I will use Hetzner DNS. Note that the API keys provided by each DNS provider may differ, so choose the provider that suits you best. For Hetzner DNS, you can get your API key in the Hetzner DNS Console.

Note down the key for your DNS provider.

Find the script for your DNS provider, such as dns_hetzner.sh for Hetzner. To add the API token, you can either:

  • Edit the file manually

    nano ~/acme.sh/dnsapi/dns_hetzner.sh
  • Use the export command

    export HETZNER_Token="<token>"

    Replace HETZNER_Token with the variable name used in your DNS provider's script and replace <token> with your actual API token.

    After the first successful issue, acme.sh saves the token in ~/.acme.sh/account.conf; you can view it with cat ~/.acme.sh/account.conf. The token is stored there in plaintext, so make sure that file is readable only by your own user.

Step 3 - Issuing Certificates

By default, acme.sh uses ZeroSSL as its Certificate Authority (CA). If you need a specific CA, e.g. the BuyPass.com CA, check the official acme.sh repository on GitHub.

Starting with acme.sh v3.0.6, the default key algorithm is ec-256, not RSA2048. If your CA only supports RSA4096 and below, add -k 2048 at the end of the command to specify the key length and issue a free certificate.

The relevant commit in the acmesh-official/acme.sh repository on GitHub is titled "Use ec-256 as default key length".

Run the following command to issue the certificate:

cd ~/acme.sh
./acme.sh --issue --dns dns_hetzner -d example.com -d '*.example.com'

This command performs the DNS verification automatically (the wildcard name is quoted so that the shell does not expand it). Once verification succeeds, acme.sh prints the location of the certificate files, by default a directory under ~/.acme.sh/ named after the domain. Simply open the files with a text editor to view the details.
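As an added example (not from this tutorial and not part of acme.sh itself), the following POSIX shell helpers wrap the checks a practitioner would run around the three steps above: that the provider token is exported before issuing, that the wildcard argument reaches acme.sh quoted, that the cached account.conf is locked down, and that the issued certificate really covers the wildcard name. The provider variable, domain and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of acme.sh itself: helper checks
# for the DNS-API workflow above. Assumes the Hetzner provider (HETZNER_Token)
# and the default install path ~/.acme.sh; every domain and path is a
# constructed sample value. Requires openssl for the certificate checks.

# 1. Refuse to issue unless the provider token is exported. acme.sh reads it
#    from the environment on first use and caches it in account.conf.
require_token() {            # usage: require_token HETZNER_Token
  name="$1"
  eval "value=\${$name:-}"   # POSIX indirect lookup of the named variable
  if [ -z "$value" ]; then
    echo "missing: export ${name}=<token> before issuing" >&2
    return 1
  fi
  return 0
}

# 2. Build the acme.sh argument list. The wildcard is single-quoted so the
#    shell never glob-expands *.example.com; key=rsa adds -k 2048 for CAs
#    that do not accept the ec-256 default.
issue_args() {               # usage: issue_args dns_hetzner example.com [ec|rsa]
  provider="$1"; domain="$2"; key="${3:-ec}"
  args="--issue --dns ${provider} -d ${domain} -d '*.${domain}'"
  if [ "$key" = rsa ]; then
    args="${args} -k 2048"
  fi
  printf '%s\n' "$args"
}

# 3. account.conf holds the DNS token in plaintext: require mode 600.
check_secret_perms() {       # usage: check_secret_perms ~/.acme.sh/account.conf
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# 4. Confirm the issued certificate lists the wildcard name as a SAN ...
cert_has_wildcard() {        # usage: cert_has_wildcard fullchain.cer example.com
  openssl x509 -in "$1" -noout -text | grep -qF "DNS:*.$2"
}

# ... and is still valid for at least N more days (exit 1 if it expires sooner).
cert_valid_for_days() {      # usage: cert_valid_for_days fullchain.cer 30
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}
```

Source the file and run, for example, require_token HETZNER_Token && eval ./acme.sh $(issue_args dns_hetzner example.com) from ~/acme.sh; the eval is what makes the quoted wildcard reach acme.sh as a single argument.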

Conclusion

In this tutorial, you learned how to issue SSL certificates using acme.sh. With these instructions, you can easily secure your websites and services with SSL certificates.

License: MIT