Using acme.sh to generate LetsEncrypt certificates

LetsEncrypt

I have been using LetsEncrypt since it came out. It's great to have the ability to create free SSL certificates and, more importantly, not to have to worry about renewing them.

A couple of months ago I ran into some issues where LetsEncrypt (and later certbot) would fail as they were missing some dependencies. That in turn would sometimes cause some of my services to shut down, which became an issue.

Primarily it had to do with the OS I was using at the time: CentOS 6.5.

It also made it difficult to generate certificates using the DNS challenge, I suppose due to the older version I was running.

Twitter to the rescue: I got pointed to acme.sh.

Getting started with acme.sh

acme.sh is an ACME client written entirely in POSIX shell, so it runs on practically any Unix-like OS without pulling in a language runtime or extra packages, and it has good support for the DNS challenge, both manual and through DNS-provider APIs.

You can install it with git, wget or curl, e.g.:

curl https://get.acme.sh | sh

Be aware that this executes whatever get.acme.sh serves without you having looked at it. If you would rather review the script first, download it to a file, read it and then run it, or clone the git repository and run ./acme.sh --install from the checkout.

This copies acme.sh into ~/.acme.sh in your home directory, adds an acme.sh alias to your shell profile and installs a cron entry. The cron job runs acme.sh --cron once a day; it does not reissue anything unless a certificate is due for renewal, which by default means 60 days after it was issued. To pick up the alias, restart your terminal or source your profile, e.g.

source ~/.bashrc
Depending on the privileges of the account you installed with, it may be easier to move the cron entry to root's crontab (sudo crontab -e), because the reload command configured below has to restart nginx. If you would rather not run the whole client as root, keep the cron under the unprivileged user and grant it a sudoers rule limited to that one reload command.

To see the current cron entries, run:

crontab -l

(crontab -e opens them in an editor.)

You can use crontab.guru to see what the crontab time frequency has been set to.

Using DNS Challenge with acme.sh

Run the following command to start a manual DNS challenge for the domain:

acme.sh --issue --dns -d www.phpminds.org

The above command generates a challenge token for that domain and prints the TXT record you need to create: a record named "_acme-challenge" under the domain, in this example "_acme-challenge.www.phpminds.org", with the printed value. Note that newer acme.sh releases refuse manual DNS mode unless you also pass --yes-I-know-dns-manual-mode-enough-go-ahead-please, and the reason is worth understanding: every renewal gets a fresh token, so a TXT record you created by hand cannot be renewed by the cron job and you would have to repeat these steps yourself roughly every 60 days. If your DNS provider has an API that acme.sh supports, use its --dns dns_<provider> mode instead and renewals become fully automatic.

The information for that domain will be saved in a configuration file in your home dir, e.g. "~/.acme.sh/www.phpminds.org/www.phpminds.org.conf".

Add that record in your DNS provider's control panel, then use dig to check that it is visible. Let's Encrypt validates against your zone's authoritative nameservers, not against your local resolver, so if a caching resolver still returns an old answer, query an authoritative server directly with dig @<your nameserver>:

dig -t txt _acme-challenge.www.phpminds.org

Once the TXT record is visible, complete the first issuance (acme.sh uses --renew for this step as well):

acme.sh --renew -d www.phpminds.org

All the certificates and the private key are now stored in your home dir under "~/.acme.sh", in a folder named after the domain.
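Checking the record by hand with dig works, but Let's Encrypt asks the zone's authoritative nameservers rather than your local resolver, and a premature --renew simply fails. The script below is an added example written for this post (it is not code from the original article or from acme.sh): it finds the authoritative nameservers, polls each of them for the TXT value acme.sh printed, and only returns success once all of them serve it. It assumes dig is installed; the domain and the token in the usage comment are placeholders.

```bash
#!/bin/sh
# Added example for this post (not code from the original article or from acme.sh):
# confirm that the _acme-challenge TXT record acme.sh asked for is served by every
# authoritative nameserver of the zone before running `acme.sh --renew`.
# Let's Encrypt validates against the authoritative servers, so a caching resolver
# saying "yes" is not enough, and a caching resolver saying "no" may be stale.
# Assumes `dig` is installed. Record names and token values below are placeholders.

# Normalise `dig +short TXT` output so each line is one bare record:
# strip the surrounding quotes and join split quoted strings ("abc" "def" -> abcdef).
normalize_txt() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_present EXPECTED DIG_OUTPUT -> exit 0 if one of the records equals EXPECTED exactly
txt_present() {
  expected=$1
  printf '%s\n' "$2" | normalize_txt | grep -qxF -- "$expected"
}

# authoritative_ns NAME -> print the NS hosts of the closest enclosing zone of NAME
# (for _acme-challenge.www.example.org the answer normally comes from example.org).
authoritative_ns() {
  name=$1
  while [ -n "$name" ]; do
    # drop dig's ";;" diagnostics and the trailing dot on each host name
    ns=$(dig +short NS "$name" 2>/dev/null | grep -v '^;' | sed 's/\.$//')
    if [ -n "$ns" ]; then
      printf '%s\n' "$ns"
      return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;   # walk one label up
      *)   break ;;
    esac
  done
  return 1
}

# wait_for_txt NAME EXPECTED [TIMEOUT_SECONDS]
# Polls every authoritative server until all of them return EXPECTED, or the timeout passes.
wait_for_txt() {
  name=$1
  expected=$2
  timeout=${3:-600}
  waited=0
  servers=$(authoritative_ns "$name") || { echo "no nameservers found for $name" >&2; return 2; }
  while [ "$waited" -lt "$timeout" ]; do
    all_ok=1
    for server in $servers; do
      answer=$(dig +short @"$server" TXT "$name" 2>/dev/null)
      if ! txt_present "$expected" "$answer"; then
        all_ok=0
        echo "$server does not serve the record yet" >&2
      fi
    done
    [ "$all_ok" -eq 1 ] && return 0
    sleep 15
    waited=$((waited + 15))
  done
  echo "timed out after ${timeout}s waiting for $name" >&2
  return 1
}

# Usage (not executed here): paste the value acme.sh printed, and run --renew only on success.
#   wait_for_txt _acme-challenge.www.phpminds.org 'VALUE-PRINTED-BY-ACME-SH' \
#     && acme.sh --renew -d www.phpminds.org
```

The exact-match comparison in txt_present matters: the zone may carry other TXT records at the same name, and a record whose value is a prefix or superset of the token is not good enough for the CA.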

To install the issued certificates, acme.sh recommends the following command, which copies them to the location you need. This is so the process can be automated without depending on the internal file layout of the "~/.acme.sh" directory, which may change between versions.

Install issued certificates

For more info see: https://github.com/Neilpang/acme.sh#3-install-the-issued-cert-to-apachenginx-etc

For nginx and for the above example we’ve used the following:

(1) Create the directory where you want the certificates to be copied to. e.g.

sudo mkdir -p /etc/ssl/www.phpminds.org/

(2) Copy the certificates to their corresponding paths (the originals stay under "~/.acme.sh"):

sudo /home/phpminds-user/.acme.sh/acme.sh --install-cert -d www.phpminds.org \
--keypath /etc/ssl/www.phpminds.org/privkey.pem \
--fullchainpath /etc/ssl/www.phpminds.org/fullchain.pem \
--reloadcmd "service nginx force-reload"

Here I've used sudo as I want to be able to restart the nginx server.

Two things to check after this step. First, --install-cert records the target paths and the reload command in the domain's .conf, and the cron job repeats the copy and the reload after every renewal; that only works if the cron runs with enough privilege to execute the reload command, which is why it may need to live in root's crontab. Second, the copied private key gets whatever mode your umask produces, so make sure it is not group- or world-readable (chmod 600 /etc/ssl/www.phpminds.org/privkey.pem); nginx's master process reads the key as root, so it needs no wider access.

See the acme.sh official documentation for use with apache.

Updating nginx

The last step is to point the nginx configuration for our domain at the certificates we have copied under "/etc/ssl".

e.g.

ssl_certificate /etc/ssl/www.phpminds.org/fullchain.pem;
ssl_certificate_key /etc/ssl/www.phpminds.org/privkey.pem;

Check the configuration with nginx -t, reload the web server, and you're done.
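After --install-cert and before the reload, it is worth verifying that what landed in /etc/ssl is what nginx should load. The script below is an added example written for this post (not code from the original article or from acme.sh): it checks that the private key is not group- or world-readable, that the key matches the certificate, and that the certificate is not about to expire, and it runs nginx -t before the reload. It assumes openssl and stat are available; the directory layout is the post's /etc/ssl/www.phpminds.org one, and safe_reload's nginx calls only make sense on the server itself.

```bash
#!/bin/sh
# Added example for this post (not code from the original article or from acme.sh):
# checks to run after `acme.sh --install-cert` and before reloading nginx, so a bad
# copy does not take the site down. Assumes openssl and stat are installed; the
# DIR/privkey.pem + DIR/fullchain.pem layout is the one used in the post.

# file_mode PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_mode_ok KEY -> 0 unless the private key is readable by group or others.
# acme.sh writes the copy with whatever mode the umask gives it, so this is worth checking.
key_mode_ok() {
  mode=$(file_mode "$1") || return 1
  case $mode in
    600|400) return 0 ;;
    *) echo "$1 has mode $mode; expected 600 or 400" >&2; return 1 ;;
  esac
}

# cert_matches_key CERT KEY -> 0 if the leaf certificate's public key is KEY's public key
# (catches a key and a chain copied from different issuances). Both commands emit the
# SubjectPublicKeyInfo as PEM, so the two texts can be compared directly.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS -> 0 if the leaf certificate does not expire within DAYS days
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_install DIR -> run all three checks on DIR/privkey.pem and DIR/fullchain.pem
check_install() {
  dir=$1
  key_mode_ok "$dir/privkey.pem" &&
    cert_matches_key "$dir/fullchain.pem" "$dir/privkey.pem" &&
    cert_valid_for_days "$dir/fullchain.pem" 30
}

# safe_reload DIR -> only reload nginx when the files check out and the config parses.
# Intended as the body of a wrapper script handed to acme.sh via --reloadcmd, in place
# of a bare "service nginx force-reload".
safe_reload() {
  check_install "$1" && nginx -t && service nginx force-reload
}

# Usage (not executed here):
#   safe_reload /etc/ssl/www.phpminds.org
```

To have renewals use it, put safe_reload in a small script and give that script to --install-cert as the --reloadcmd; the cron job then runs the checks before every reload, and a failed check leaves the running nginx untouched.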