Obtain a Let's Encrypt certificate for your domain using acme.sh

Let's Encrypt is a non-profit Certificate Authority (CA) run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. Its goal is to make all websites secure using HTTPS.

Ish Sookun

acme.sh is a shell script that lets you request SSL certificates from different Certificate Authorities (CAs). At the time I am writing this blog post, acme.sh supports the following CAs:

  • ZeroSSL CA (default)
  • Letsencrypt.org CA
  • BuyPass.com CA
  • SSL.com CA
  • Google.com Public CA
  • Pebble strict Mode
  • Any other RFC8555-compliant CA

ZeroSSL is the default CA.

In order to request a Let's Encrypt certificate, one can pass the --server letsencrypt directive to change the CA. The default CA can also be changed by issuing:

acme.sh --set-default-ca --server letsencrypt

Let's Encrypt has IPv6 support. However, you can pass --listen-v4 or --listen-v6 to specify whether to use IPv4 or IPv6 to listen.

acme.sh --server letsencrypt --issue --listen-v4 -d sysadmin-journal.com -w /srv/www/sysadmin-journal.com

The above command lets you request a certificate through the Let's Encrypt CA, using the webroot method. In this method, a verification file is created in the webroot path, inside the /.well-known/acme-challenge directory.

Once verification is complete, the file is removed and the certificate, the intermediary certificate and the key are deposited at /etc/letsencrypt/domain_name.
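
Added example (not from the original post or the acme.sh project): a pre-flight check for the webroot method described above, which confirms that a file written under /.well-known/acme-challenge can be created, is world-readable and, when a domain is given, is served back over HTTP. The function names and probe file name are hypothetical; it assumes the web server reads files through the "other" permission bits and that curl is installed for the optional HTTP check.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Function and probe names are hypothetical.
# Assumes the web server reads files through the "other" permission bits.

# Directory under the webroot where HTTP-01 challenge files are written.
challenge_dir() {
    printf '%s/.well-known/acme-challenge\n' "${1%/}"
}

# webroot_preflight WEBROOT [DOMAIN]
# Returns 0 ok, 1 webroot missing, 2 cannot write the challenge file,
# 3 file not world-readable, 4 file not served over HTTP (needs curl).
webroot_preflight() {
    webroot=${1%/}; domain=${2:-}
    [ -d "$webroot" ] || return 1
    dir=$(challenge_dir "$webroot")
    made_wk=0; made_dir=0
    [ -d "$webroot/.well-known" ] || made_wk=1
    [ -d "$dir" ] || made_dir=1
    mkdir -p "$dir" 2>/dev/null || return 2

    name="preflight-$$"; token="probe-$$-$(date +%s)"; rc=0
    if ! { printf '%s' "$token" > "$dir/$name"; } 2>/dev/null; then
        rc=2
    elif [ -z "$(find "$dir/$name" -perm -004 2>/dev/null)" ]; then
        rc=3
    elif [ -n "$domain" ]; then
        # HTTP-01 validation is done over plain HTTP on port 80.
        url="http://$domain/.well-known/acme-challenge/$name"
        got=$(curl -fsS --max-time 10 "$url" 2>/dev/null) || got=
        [ "$got" = "$token" ] || rc=4
    fi

    # Clean up the probe, and only the directories this run created.
    rm -f "$dir/$name"
    if [ "$made_dir" -eq 1 ]; then rmdir "$dir" 2>/dev/null || true; fi
    if [ "$made_wk" -eq 1 ]; then rmdir "$webroot/.well-known" 2>/dev/null || true; fi
    return "$rc"
}

# Usage with the paths from the post:
#   webroot_preflight /srv/www/sysadmin-journal.com sysadmin-journal.com
```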

Installation

git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh

./acme.sh --install -m name@email.com

The above will create the .acme.sh directory in your home directory. Hence, the script will be available as ~/.acme.sh/acme.sh. Alternatively, you could simply clone the project in the /opt directory and create a symlink to the script in /usr/local/bin.