In a previous tutorial, we described how to obtain a free SSL/TLS certificate from Let’s Encrypt by using Certbot.
In this tutorial, we would like to show you another way that you can easily obtain and renew a free SSL/TLS certificate from Let’s Encrypt by using the acme.sh script on Ubuntu 20.04.
If you do not yet have a working NGINX web server, here is an easy NGINX installation guide that you can follow.
The acme.sh shell script automates the issuance and renewal of free certificates from Let’s Encrypt. You can get the acme.sh script either by downloading it directly from the web or by cloning its git project.
Download acme.sh from the web
Run either of the two commands below to download and execute the acme.sh script.
$ curl https://get.acme.sh | sh
$ wget -O - https://get.acme.sh | sh
Below is an example of what you can expect when the script executes.
$ wget -O - https://get.acme.sh | sh
--2021-02-16 11:55:47-- https://get.acme.sh/
Resolving get.acme.sh (get.acme.sh)… 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710, 220.127.116.11, …
Connecting to get.acme.sh (get.acme.sh)|2606:4700:3032::6815:223e|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: unspecified [text/html]
Saving to: ‘STDOUT’
[ <=> ] 937 --.-KB/s in 0s
2021-02-16 11:55:47 (11.8 MB/s) - written to stdout
  % Total % Received % Xferd Average Speed Time Time Time Current
  Dload Upload Total Spent Left Speed
100 204k 100 204k 0 0 3350k 0 --:--:-- --:--:-- --:--:-- 3350k
[Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive.
[Tue 16 Feb 2021 11:55:47 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
[Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz
[Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first.
[Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode.
[Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning.
[Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/.acme.sh
[Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/.acme.sh/acme.sh
[Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc'
[Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using acme.sh
[Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job
47 0 * * * "/home/shola/.acme.sh"/acme.sh --cron --home "/home/shola/.acme.sh" > /dev/null
[Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred.
[Tue 16 Feb 2021 11:55:48 AM UTC] OK
[Tue 16 Feb 2021 11:55:48 AM UTC] Install success!
Clone acme.sh git project
Alternatively, run the commands below, one per line, to clone the acme.sh git project and execute the script.
$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd acme.sh
$ ./acme.sh --install
Whichever method you choose to use, once you see the “Install success!” message, you may close the terminal window and open it again to validate the installation.
To see acme.sh usage information, run the next command.
$ acme.sh -h
You may also run the command below to check the acme.sh version.
$ acme.sh --version
Generate a Certificate
To generate a single certificate for a single domain, run the command below.
Replace yourdomain.com with your registered domain. Also, replace /var/www/yourdomain.com with your domain’s website root folder as appropriate.
$ acme.sh --issue -d yourdomain.com -w /var/www/yourdomain.com
For multiple domains/sub-domains that share the same website root folder, you can run the next command to issue a certificate.
$ acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d test.yourdomain.com -w /var/www/yourdomain.com
Install Certificate on NGINX using acme.sh
After generating the certificate, run the next command to install it on NGINX.
$ acme.sh --install-cert -d yourdomain.com --key-file /path/to/keyfile/in/nginx/key.pem --fullchain-file /path/to/fullchain/nginx/cert.pem --reloadcmd "service nginx force-reload"
All parameters are optional except for the domain. You would need to replace yourdomain.com with your registered domain.
The certificates will be stored in ~/.acme.sh/yourdomain.com and will automatically renew every 60 days.
You can also renew the certificate manually. To do so, run the command below.
$ acme.sh --renew -d yourdomain.com --force
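After --install-cert or a renewal, it is worth confirming that the files NGINX loads are sound. The script below is an added example, not part of acme.sh or the original tutorial: it checks that the deployed key is not accessible to group or others, that it matches the certificate, and that the certificate is not close to expiry. The function names and the 30-day threshold are assumptions; it expects GNU stat (as on Ubuntu) and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: checks for the files written by `acme.sh --install-cert`.
# Assumes GNU stat (Ubuntu) and the openssl CLI; function names are illustrative.

# Succeeds only if the key file has no group/other permission bits set.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Succeeds only if the leaf (first) certificate in the fullchain file carries
# the public key belonging to the private key. Works for RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Usage: verify_deployed_cert KEY_FILE FULLCHAIN_FILE
# Prints one line per failed check and returns the number of failures.
verify_deployed_cert() {
    key=$1 chain=$2 failures=0
    key_is_private "$key" ||
        { echo "FAIL: $key missing or accessible to group/others"; failures=$((failures + 1)); }
    cert_matches_key "$chain" "$key" ||
        { echo "FAIL: $chain does not match $key"; failures=$((failures + 1)); }
    cert_valid_for_days "$chain" 30 ||
        { echo "FAIL: $chain unreadable or expires within 30 days"; failures=$((failures + 1)); }
    [ "$failures" -eq 0 ] && echo "OK: key is private, matches the certificate, not near expiry"
    return "$failures"
}

# Run the checks when both paths are given on the command line.
if [ "$#" -eq 2 ]; then verify_deployed_cert "$1" "$2"; fi
```

Saved under a name of your choice, the script takes the same two paths that were passed to --key-file and --fullchain-file, in that order.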
To stop certificate renewal, run the following.
$ acme.sh --remove -d yourdomain.com
It is recommended to always use the latest version of acme.sh. Run the command below to ensure that acme.sh is updated automatically.
$ acme.sh --upgrade --auto-upgrade
To disable automatic upgrade for acme.sh, run the next command.
$ acme.sh --upgrade --auto-upgrade 0
If you would not like acme.sh to be automatically upgraded, then use the command below to manually update it.
$ acme.sh --upgrade
In this guide, we described the steps to obtain and renew free SSL/TLS certificates from Let’s Encrypt by using the acme.sh shell script on Ubuntu. This method is an alternative to using the Certbot tool. We would like to hear about your experience using these tools.