Ratodo


acme.sh Certificate Application Notes

Introduction

Now that one-year free certificates have essentially disappeared, the least laborious option is to let acme.sh issue and renew certificates automatically. Most of my current services run on serverless platforms, but having a program that can obtain a valid certificate for a site at any time is still useful. If, like me, you put your sites behind Cloudflare, you can also issue an Origin CA certificate in the Cloudflare dashboard with a validity of up to 15 years; it is trusted only by Cloudflare's edge, so it secures the connection between Cloudflare and your origin without a certificate from a public CA. The certificate that visitors actually see is issued and renewed by Cloudflare automatically, and at the time of writing the issuers were GTS and Sectigo. Below are the steps, and the points to watch out for, when applying with acme.sh.
acme.sh Project

Installation and Setup

Install acme.sh
curl https://get.acme.sh | sh -s email=my@example.com

Piping a remote script straight into sh runs whatever the server happens to return; if that is a concern, download the installer first and read it, or clone the acme.sh repository from GitHub and run ./acme.sh --install -m my@example.com from the checkout. The email is used for the ACME account registration.
Set an alias for quick startup
echo "alias acme.sh='~/.acme.sh/acme.sh'" >> ~/.bashrc
source ~/.bashrc

The installer already adds a line to ~/.bashrc that sources ~/.acme.sh/acme.sh.env, which defines the same alias, so this step is only needed if you skipped the installer or use a different shell.
Test whether the installation succeeded
acme.sh --version

If the version is printed, the installation succeeded.

Set the default account email
acme.sh --register-account -m your-email@example.com

Replace your-email@example.com with the address you want to use. It is stored in the account configuration and used when acme.sh registers with a CA; ZeroSSL, the default CA, needs an email (or EAB credentials) to create an account, and acme.sh performs that registration for you.

Choose the certificate authority

According to the official documentation, acme.sh has five CAs built in (any other RFC 8555 ACME server can be used by passing its directory URL to --server):

  • ZeroSSL.com CA (default)
    • Multiple domains and wildcard domains, validity 90 days
    • Parent CA: Sectigo (USERTrust ECC Certification Authority)
  • Letsencrypt.org CA
    • Multiple domains and wildcard domains, validity 90 days
    • Parent CA: ISRG (ISRG Root X1)
  • BuyPass.com CA
    • Multiple domains (up to 5 per certificate), validity 180 days
    • Parent CA: Buypass (Buypass Class 3 Root CA)
  • SSL.com CA
    • Single domain only, registration required, validity 90 days
    • Parent CA: SSL.com (SSL.com Root Certification Authority RSA R2)
  • Google.com Public CA
    • Multiple domains and wildcard domains, validity 90 days; requires External Account Binding credentials obtained from Google Cloud, registered once with acme.sh --register-account --server google --eab-kid <kid> --eab-hmac-key <key>
    • Parent CA: GTS (GTS Root R4)

Based on the above, ZeroSSL, Let's Encrypt or Google Public CA are the practical choices: all three support automatic renewal, multiple domains and wildcards, so a single application covers the whole site.
Switch the default certificate authority
acme.sh --set-default-ca --server zerossl

The --server option names the CA to switch to. The short names are:

  • zerossl / letsencrypt / buypass / sslcom / google

letsencrypt, buypass and google also have staging variants (letsencrypt_test, buypass_test, google_test) for trying the setup without consuming production rate limits.

The following steps use ZeroSSL as the example, with the Cloudflare DNS API for domain validation.

Configure the Cloudflare DNS API

Steps to obtain the API token:

  1. Log in to the Cloudflare dashboard.
  2. Go to My Profile.
  3. Under API Tokens, create a token scoped to the zone with the permissions Zone:DNS:Edit and Zone:Zone:Read. Prefer this over the Global API Key: the global key grants full access to the whole account, and acme.sh saves whatever credentials it is given in ~/.acme.sh/account.conf in plain text so it can reuse them at renewal time, so that file must stay readable only by the user running acme.sh.
    Then export the token in the terminal before issuing:
export CF_Token="your_Cloudflare_API_Token"

Optionally also export CF_Account_ID and CF_Zone_ID to narrow the zone lookup. The older method uses the Global API Key via CF_Key and CF_Email instead of CF_Token.

acme.sh supports many other DNS providers; see the dnsapi documentation on GitHub for the variables each one expects.

Apply for a certificate
acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'

This requests one certificate covering example.com and *.example.com; add further -d options for more names (the first -d becomes the certificate's main domain and the name of its directory under ~/.acme.sh). acme.sh creates the _acme-challenge TXT records through the Cloudflare API, waits for them to propagate, and removes them after validation. Since acme.sh 3.0 the default key type is ec-256, so the certificate is stored under ~/.acme.sh/example.com_ecc/ and later --install-cert and --renew commands need --ecc; pass --keylength 2048 at issue time if you want an RSA key instead.
To use a specific certificate authority for this one request, add the --server option:

acme.sh --issue --dns dns_cf -d example.com --server zerossl
Install the certificate

Pick the command matching your web server; the following is the Apache example:

acme.sh --install-cert -d example.com \
--key-file /path/to/your/domain.key \
--fullchain-file /path/to/your/domain.cer \
--reloadcmd "service apache2 reload"

Replace the domain and paths with the locations your server configuration reads from (for an ECC certificate add --ecc after --install-cert). These are destination paths you choose, not the ~/.acme.sh paths printed after issuance: acme.sh copies the files there, records the paths and the reload command, and repeats the copy and the reload on every renewal. Do not point the server at the files under ~/.acme.sh directly; that directory is acme.sh's internal store and its layout may change. Keep the key file readable only by root (or whichever user the server starts as).

Renewal
acme.sh --renew -d example.com --force

You do not normally need to run this by hand: the installer adds a daily cron job (acme.sh --cron, visible with crontab -l) that renews each certificate once it is 60 days old, copies it to the paths given above and runs the reloadcmd, all without human intervention. The --force command above renews immediately regardless of age, which is useful for testing the whole chain once (add --ecc for an ECC certificate); acme.sh --renew-all checks every certificate in one go.
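The steps above (token, issue, install, renewal) as one script, with the checks a practitioner wants after a renewal. This is an added example, not code from the original post or from the acme.sh project. It assumes acme.sh is installed under ~/.acme.sh, that the Cloudflare token is kept in a file readable only by the user running acme.sh (path ~/.cf_token is an assumption), and that the /etc/ssl paths and example.com are placeholders for your own server; the openssl and date invocations are standard GNU/BSD tool calls, not acme.sh features.

```shell
#!/bin/sh
# Added example for this post (not code from the original post or from the
# acme.sh project): wraps the issue/install/renew steps above and adds the
# checks to run afterwards. Assumptions: acme.sh lives under ~/.acme.sh,
# the Cloudflare token sits in a file with mode 600, and the domain and
# /etc/ssl paths below are placeholders. Pass "run" as the first argument
# to execute the real workflow; without it only the functions are defined.
set -e

ACME="$HOME/.acme.sh/acme.sh"

# Load the Cloudflare API token from a file instead of typing it on the
# command line (where it would land in shell history). Returns 1 if the
# file is missing, empty, or readable by group/others.
load_cf_token() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $f: mode $mode, expected 600" >&2; return 1 ;;
    esac
    CF_Token=$(cat "$f")
    [ -n "$CF_Token" ] || return 1
    export CF_Token
}

# Issue one certificate for the apex and the wildcard, then copy the files
# to where Apache reads them. --ecc is required because acme.sh 3.x issues
# EC keys by default and stores them under <domain>_ecc.
issue_and_install() {
    domain="$1"
    "$ACME" --issue --dns dns_cf --server zerossl \
        -d "$domain" -d "*.$domain"
    "$ACME" --install-cert --ecc -d "$domain" \
        --key-file "/etc/ssl/private/$domain.key" \
        --fullchain-file "/etc/ssl/certs/$domain.fullchain.cer" \
        --reloadcmd "service apache2 reload"
}

# Print the number of whole days until the certificate in $1 expires.
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -d "$end" +%s 2>/dev/null \
        || date -j -f '%b %d %T %Y %Z' "$end" +%s)
    now=$(date +%s)
    echo $(( (end_epoch - now) / 86400 ))
}

# Return 0 if the public key in certificate $1 matches private key $2,
# i.e. the installed pair is actually usable by the server.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Return 0 if every name given after the certificate path appears as a
# DNS entry in subjectAltName. Entries are matched whole (trailing comma),
# so "example.com" does not match "example.com.evil".
cert_covers() {
    sans="$(openssl x509 -in "$1" -noout -ext subjectAltName),"
    shift
    for n in "$@"; do
        case "$sans" in
            *"DNS:$n,"*) ;;
            *) echo "missing SAN: $n" >&2; return 1 ;;
        esac
    done
}

# Return 0 if the daily cron entry the acme.sh installer adds is present.
renew_cron_present() {
    crontab -l 2>/dev/null | grep -q -- '--cron'
}

if [ "${1:-}" = "run" ]; then
    domain=example.com                        # assumption: your domain
    cer="/etc/ssl/certs/$domain.fullchain.cer"
    load_cf_token "$HOME/.cf_token"           # assumption: token file path
    issue_and_install "$domain"
    cert_matches_key "$cer" "/etc/ssl/private/$domain.key"
    cert_covers "$cer" "$domain" "*.$domain"
    echo "days left: $(cert_days_left "$cer")"
    renew_cron_present || echo "warning: no acme.sh cron entry" >&2
fi
```

The post-install checks are the part worth keeping even if you run the acme.sh commands by hand: a renewal that silently installed a certificate for the wrong names, or a certificate whose key does not match, only shows up when clients start failing, whereas cert_covers and cert_matches_key catch it in the reloadcmd path.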

This is the entire process of applying for and configuring certificates with acme.sh, along with a reference for the final effect.

[Image: acme.1, screenshot of the final result]