Acme.sh\u00a0is a simple, powerful and easy to use\u00a0ACME\u00a0protocol client written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells. It helps\u00a0manage installation, renewal, revocation of SSL certificates.\u00a0It supports ACME version 1 and ACME version 2 protocols, as well as ACME v2 wildcard certificates. Being a zero dependencies ACME client makes it even better. You don’t need to download and install the whole internet to\u00a0make it running. The tool does not require root or sudo access, but it’s\u00a0recommended to use root.<\/p>\n
Acme.sh supports the following validation methods that you can use to\u00a0confirm domain ownership:<\/p>\n
Let\u2019s Encrypt (LE) is a certificate authority (CA) and project that offers free and automated SSL\/TLS certificates, with the\u00a0goal\u00a0of encrypting the entire web. If you own a domain name and have shell access to your server you can\u00a0utilize\u00a0Let’s Encrypt\u00a0to obtain a trusted certificate at\u00a0no cost. Let’s Encrypt can issue SAN certs\u00a0for up to\u00a0100 hostnames\u00a0<\/strong>and wildcard certificates. All certs are\u00a0valid for the period of\u00a090 days.<\/p>\n In this section, I will show some of the most common\u00a0acme.sh commands and options.<\/p>\n You have a few options to install acme.sh.<\/p>\n Install\u00a0from web\u00a0via\u00a0 or<\/p>\n Install from GitHub<\/strong>:<\/p>\n or<\/p>\n Git clone and install:<\/strong><\/p>\n The installer will perform 3 actions:<\/p>\n Advanced installation:<\/strong><\/p>\n You don’t need to set all options, just set those ones you care about.<\/p>\n Options explained:<\/p>\n After installation is complete, you can verify\u00a0it by checking\u00a0 The\u00a0program has a lot of commands and parameters that can be used. To get help you can run:<\/p>\n If you already have a web server running, you should use\u00a0webroot mode<\/em>. You\u00a0will need write access to the web root folder.\u00a0Here are some example commands that can be used to obtain cert via webroot mode:<\/p>\n Single domain + Webroot mode:<\/p>\n Multiple domains in the same cert\u00a0+ Webroot mode:<\/p>\n Single domain ECC\/ECDSA cert + Webroot mode:<\/p>\n Multiple domains in the same ECC\/ECDSA cert\u00a0+ Webroot mode:<\/p>\n Valid values for\u00a0 If you don’t have a web server, maybe you are on a SMTP or FTP server, the 80 port is free, then you can use\u00a0standalone mode.\u00a0<\/em>If you want to use this mode, you’ll need to install socat tools first.<\/p>\n Single domain + Standalone mode:<\/p>\n Multiple domains in the same cert\u00a0+\u00a0Standalone mode:<\/p>\n If you don’t have a web server, maybe you are on a\u00a0SMTP\u00a0or FTP server, the 443\u00a0port is free. You can use standalone\u00a0TLS\u00a0ALPN mode. Acme.sh has a builtin standalone\u00a0TLS\u00a0web server, it can listen at 443 port to issue the cert.<\/p>\n Single domain + Standalone TLS ALPN mode:<\/p>\n Multiple domains in the same cert\u00a0+ Standalone TLS ALPN mode:<\/p>\n If your DNS provider has an API, acme.sh\u00a0can use the\u00a0API\u00a0to automatically add the\u00a0DNS TXT\u00a0record for you. Your cert will be automatically issued and renewed. No\u00a0manually work is required.\u00a0Before requesting the certs configure your API keys and Email. Currently acme.sh\u00a0has automatic DNS integration with\u00a0around 60 DNS providers natively and can utilize Lexicon tool for those that are not supported natively.<\/p>\n Single domain + CloudFlare DNS API mode:<\/p>\n Wildcard\u00a0cert\u00a0+ CloudFlare DNS API mode:<\/p>\n If your\u00a0DNS provider doesn’t support any\u00a0API access, you can add the\u00a0TXT record manually.<\/p>\n You should get an output like below:<\/p>\n Then just rerun with\u00a0 Keep in mind that this is DNS manual mode and you can’t auto renew your certs. You will have to add a new\u00a0TXT record to your domain by your hand when\u00a0it’s time to renew certs. So\u00a0use\u00a0DNS\u00a0API mode instead, because it can be automated.<\/p>\n After cert(s) are generated, you probably want to install\/copy\u00a0issued certificate(s) to the correct location on the disk. You\u00a0must\u00a0use this command to copy the certs to the target files,\u00a0don’t\u00a0use the certs files in\u00a0 Apache<\/strong>\u00a0example:<\/p>\n Nginx<\/strong>\u00a0example:<\/p>\n The parameters are stored in the .acme.sh configuration file, so you need to get it right for your system as this file is read when the cron job runs renewal. “reloadcmd” is dependent on your operating system and init system.<\/p>\n You don’t need to renew the certs manually. All the certs will be renewed automatically every\u00a060<\/strong>\u00a0days.<\/p>\n However, you can also force to renew a cert:<\/p>\n or, for ECC cert:<\/p>\n You can update acme.sh to the latest code with:<\/p>\n You can also enable auto upgrade:<\/p>\n Then\u00a0acme.sh\u00a0will be kept up to date automatically.<\/p>\n That’s it. If you get stuck on anything visit acme.sh wiki page at\u00a0https:\/\/github.com\/Neilpang\/acme.sh\/wiki<\/a>.<\/p>\nAcme.sh usage and basic commands<\/h2>\n
Acme.sh installation<\/h3>\n
curl<\/code>\u00a0or\u00a0wget<\/code><\/strong>:<\/p>\ncurl https:\/\/get.acme.sh | sh\r\nsource ~\/.bashrc<\/code><\/pre>\nwget -O - https:\/\/get.acme.sh | sh\r\nsource ~\/.bashrc<\/code><\/pre>\ncurl https:\/\/raw.githubusercontent.com\/Neilpang\/acme.sh\/master\/acme.sh | INSTALLONLINE=1 sh<\/code><\/pre>\nwget -O - https:\/\/raw.githubusercontent.com\/Neilpang\/acme.sh\/master\/acme.sh | INSTALLONLINE=1 sh<\/code><\/pre>\ngit clone https:\/\/github.com\/Neilpang\/acme.sh.git\r\ncd .\/acme.sh\r\n.\/acme.sh --install\r\nsource ~\/.bashrc<\/code><\/pre>\n\n
acme.sh<\/code>\u00a0to your home dir ($HOME<\/code>):\u00a0~\/.acme.sh\/<\/code>. All certs will be placed in this folder too.<\/li>\nacme.sh=~\/.acme.sh\/acme.sh<\/code>.<\/li>\ngit clone https:\/\/github.com\/Neilpang\/acme.sh.git\r\ncd acme.sh\r\n.\/acme.sh --install \\\r\n --home ~\/myacme \\\r\n --config-home ~\/myacme\/data \\\r\n --cert-home ~\/mycerts \\\r\n --accountemail \"hi@acme.sh\" \\\r\n --accountkey ~\/myaccount.key \\\r\n --accountconf ~\/myaccount.conf \\\r\n --useragent \"this is my client.\"<\/code><\/pre>\n\n
--home<\/code>\u00a0is a customized directory to install\u00a0acme.sh<\/code>\u00a0in. By default, it installs into\u00a0~\/.acme.sh.<\/code><\/li>\n--config-home<\/code>\u00a0is a writable folder, acme.sh will write all the files(including cert\/keys, configs) there. By default, it’s in\u00a0--home.<\/code><\/li>\n--cert-home<\/code>\u00a0is a customized dir to save the certs you issue. By default, it’s saved in\u00a0--config-home<\/code>.<\/li>\n--accountemail<\/code>\u00a0is the email used to register account to Let’s Encrypt, you will receive renewal notice email here. Default is empty.<\/li>\n--accountkey<\/code>\u00a0is the file saving your account private key. By default it’s saved in\u00a0--config-home<\/code>.<\/li>\n--useragent<\/code>\u00a0is the user-agent header value used to send to Let’s Encrypt.<\/li>\n<\/ul>\nacme.sh<\/code>\u00a0version:<\/p>\nacme.sh --version\r\n# v2.8.1<\/code><\/pre>\nacme.sh --help<\/code><\/pre>\nIssue an SSL cert<\/h3>\n
acme.sh --issue -d example.com --webroot \/var\/www\/example.com\r\n<\/code><\/pre>\nacme.sh --issue -d example.com -d www.example.com -d mail.example.com --webroot \/var\/www\/example.com<\/code><\/pre>\nacme.sh --issue -d example.com --webroot \/var\/www\/example.com --keylength ec-256<\/code><\/pre>\nacme.sh --issue -d example.com -d www.example.com -d mail.example.com --webroot \/var\/www\/example.com --keylength ec-256<\/code><\/pre>\n--keylength<\/code>\u00a0are: 2048 (default), 3072, 4096, 8192 or ec-256, ec-384.<\/p>\nacme.sh --issue -d example.com --standalone\r\n<\/code><\/pre>\nacme.sh --issue -d example.com -d www.example.com -d mail.example.com --standalone\r\n<\/code><\/pre>\nacme.sh --issue -d example.com --alpn<\/code><\/pre>\nacme.sh --issue -d example.com -d www.example.com --alpn<\/code><\/pre>\nAutomatic DNS API integration<\/h3>\n
export CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"\r\nexport CF_Email=\"xxxx@sss.com\"\r\nacme.sh --issue -d example.com --dns dns_cf\r\n<\/code><\/pre>\nexport CF_Key=\"sdfsdfsdfljlbjkljlkjsdfoiwje\"\r\nexport CF_Email=\"xxxx@sss.com\"\r\nacme.sh --issue -d example.com -d '*.example.com' --dns dns_cf<\/code><\/pre>\nacme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com\r\n<\/code><\/pre>\nAdd the following txt record:\r\nDomain:_acme-challenge.example.com\r\nTxt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c\r\n\r\nAdd the following txt record:\r\nDomain:_acme-challenge.www.example.com\r\nTxt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\r\n\r\nPlease add those txt records to the domains. Waiting for<\/span> the dns to take effect.<\/pre>\nrenew<\/code>\u00a0argument:<\/p>\nacme.sh --renew -d example.com<\/code><\/pre>\nInstall Let’s encrypt SSL cert<\/h3>\n
~\/.acme.sh\/<\/code>\u00a0folder, they are for internal use only, the folder structure may change in the future. Before installation,\u00a0create a sensible directory to store your certificates. That can be\u00a0\/etc\/letsencrypt<\/code>,\u00a0\/etc\/nginx\/ssl\u00a0<\/code>or\u00a0\/etc\/apache2\/ssl<\/code>\u00a0for example, depending on your web server software and your own preferences to store SSL related stuff.<\/p>\nacme.sh --install-cert \\\r\n --domain example.com \\ \r\n --cert-file \/path\/to\/cert\/cert.pem \\\r\n --key-file \/path\/to\/keyfile\/key.pem \\\r\n --fullchain-file \/path\/to\/fullchain\/fullchain.pem \\\r\n --reloadcmd \"sudo systemctl reload apache2.service\"<\/code><\/pre>\nacme.sh --install-cert \\\r\n --domain example.com \\ \r\n --cert-file \/path\/to\/cert\/cert.pem \\\r\n --key-file \/path\/to\/keyfile\/key.pem \\\r\n --fullchain-file \/path\/to\/fullchain\/fullchain.pem \\\r\n --reloadcmd \"sudo systemctl reload nginx.service\"<\/code><\/pre>\nRenew the Let’s Encrypt SSL certs<\/h3>\n
acme.sh --renew -d example.com --force<\/code><\/pre>\n<\/div>\nacme.sh --renew -d example.com --force --ecc<\/code><\/pre>\nHow to upgrade acme.sh<\/h3>\n
acme.sh --upgrade<\/code><\/pre>\nacme.sh --upgrade --auto-upgrade<\/code><\/pre>\nLinks<\/h2>\n
\n