Using acme.sh to generate LetsEncrypt certificates
I have been using LetsEncrypt since it came out. It's great to have the ability to create free SSL certificates and, more importantly, not have to worry about renewing them.
A couple of months ago I ran into some issues where LetsEncrypt (and later certbot) would fail as they were missing some dependencies. That in turn would sometimes cause some of my services to shut down, which became an issue.
Primarily it had to do with the OS I was using at the time: CentOS 6.5.
It also made it difficult to generate certificates using DNS challenge — I suppose due to an older version I was running.
Twitter to the rescue: I got pointed to acme.sh.
Getting started with acme.sh
acme.sh is a shell implementation of an ACME client for generating LetsEncrypt certificates. It doesn't matter which OS you're using, and it also works well with the DNS challenge.
You can install it using git, wget or curl, e.g.:
curl https://get.acme.sh | sh
This will copy acme.sh to your home directory, create a shell alias and set up a monthly cron job. To use it, restart your terminal or source your shell profile, i.e.
Depending on the privileges of the account you used, it may be easier to move the cron job to the superuser (root) account, i.e. sudo crontab -e
To see the cron, run:
You can use crontab.guru to see what the crontab time frequency has been set to.
Using DNS Challenge with acme.sh
Run the following command to specify the domain:
acme.sh --issue --dns -d www.phpminds.org
The above command will generate an authentication token for that domain and will ask you to create a TXT record containing it under the “_acme-challenge” subdomain of your domain. In this example that would be “_acme-challenge.www.phpminds.org”.
The information for that domain will be saved in a configuration file in your home directory, e.g. “~/.acme.sh/www.phpminds.org/www.phpminds.org.conf”.
After adding that record manually in your DNS provider's management panel, we can use dig to check when the new value is visible in DNS:
dig -t txt _acme-challenge.www.phpminds.org
Once the TXT record has propagated, we can then generate the first certificate:
acme.sh --renew -d www.phpminds.org
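The wait-for-propagation step described above, as an added example (not from the original post or from acme.sh itself): a POSIX shell script that polls a public resolver for the _acme-challenge TXT record and runs the --renew step only once the published value equals the token acme.sh printed. The resolver address, the variable names and the requirement to export EXPECTED_TOKEN by hand are assumptions.

```shell
#!/bin/sh
# Added example: poll DNS until the _acme-challenge TXT record carries the
# token acme.sh printed, then run the first issuance. Not part of acme.sh.
# Assumed/illustrative: the variable names, the resolver 1.1.1.1, and that
# EXPECTED_TOKEN is copied by hand from the "acme.sh --issue --dns" output.
set -u

DOMAIN="${DOMAIN:-www.phpminds.org}"
CHALLENGE_NAME="_acme-challenge.${DOMAIN}"
RESOLVER="${RESOLVER:-1.1.1.1}"     # public resolver, to see what the CA sees
MAX_ATTEMPTS="${MAX_ATTEMPTS:-30}"
SLEEP_SECS="${SLEEP_SECS:-20}"
ACME_SH="${ACME_SH:-$HOME/.acme.sh/acme.sh}"   # where the installer put it

# Exit 0 if any line of "dig +short -t txt" output, quotes stripped,
# equals the expected token exactly. $1 = dig output, $2 = expected token.
txt_record_matches() {
    printf '%s\n' "$1" | sed 's/^"//; s/"$//' | grep -qxF -- "$2"
}

# Poll the resolver until the record matches or we run out of attempts.
wait_for_txt() {
    attempt=0
    while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
        answer=$(dig +short -t txt "$CHALLENGE_NAME" "@$RESOLVER" 2>/dev/null)
        if txt_record_matches "$answer" "$EXPECTED_TOKEN"; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$SLEEP_SECS"
    done
    return 1
}

main() {
    : "${EXPECTED_TOKEN:?set EXPECTED_TOKEN to the value acme.sh asked you to publish}"
    if wait_for_txt; then
        echo "TXT record for $CHALLENGE_NAME is live; requesting certificate"
        exec "$ACME_SH" --renew -d "$DOMAIN"
    fi
    echo "gave up waiting for $CHALLENGE_NAME after $MAX_ATTEMPTS attempts" >&2
    exit 1
}

# Only act when explicitly asked, so the helpers can be sourced or tested:
#   EXPECTED_TOKEN=... ACME_WAIT_RUN=1 sh wait-and-issue.sh
if [ "${ACME_WAIT_RUN:-0}" = "1" ]; then
    main
fi
```

Querying a public resolver rather than your own nameserver avoids a false positive from a locally cached or authoritative-only answer that the CA's validators cannot see yet.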
Now the certificates have been issued and stored in your home directory, under “~/.acme.sh”, in a folder with the name of your domain.
To install the issued certificates, acme.sh recommends using the following command to copy them to the required location. This way the process can be automated without depending on the file layout inside the “~/.acme.sh” directory.
Install issued certificates
For nginx, and for the above example, we used the following:
(1) Create the directory where you want the certificates to be copied to, e.g.
sudo mkdir -p /etc/ssl/www.phpminds.org/
(2) Copy the certificates to their corresponding paths:
sudo /home/phpminds-user/.acme.sh/acme.sh --install-cert -d www.phpminds.org \
--keypath /etc/ssl/www.phpminds.org/privkey.pem \
--fullchainpath /etc/ssl/www.phpminds.org/fullchain.pem \
--reloadcmd "service nginx force-reload"
Here I’ve used sudo as I want to be able to restart the nginx server.
See the official acme.sh documentation for use with Apache.
The last step is to point the nginx configuration for our domain at the certificates we installed under “/etc/ssl”.
Restart the web server, and you’re done.