Secure a Website or Domain with Let's Encrypt and acme.sh
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
acme.sh is a client application for ACME-compatible services, like those used by Let’s Encrypt. It is an alternative to the popular Certbot application with two big benefits:
It is written in the Shell language, so it has no dependencies
acme.sh supports more DNS providers than other similar clients.
If you use Linode for your website’s DNS, you can use acme.sh to obtain both single and wildcard SSL certificates. You can use Linode DNS as the domain ownership verification.
Before You Begin
Deploy a Linode by following the Getting Started and the Securing Your Server guides.
Decide which system user you want to issue and renew your certificates and connect to your Linode as this user via SSH. If you want to automatically restart a web server, or write certificates to a restricted folder, you likely want to install acme.sh under root.
Install acme.sh
If you have not already done so, connect to your Linode and request the acme.sh installer:
curl https://get.acme.sh | sh
Or, if curl is not available on your system use
wget
:wget -O - https://get.acme.sh | sh
You should see a similar output:
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 775 0 775 0 0 1283 0 --:--:-- --:--:-- --:--:-- 1280 % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 193k 100 193k 0 0 1729k 0 --:--:-- --:--:-- --:--:-- 1729k [Thu 30 Jul 2020 07:48:58 AM UTC] Installing from online archive. [Thu 30 Jul 2020 07:48:58 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [Thu 30 Jul 2020 07:48:58 AM UTC] Extracting master.tar.gz [Thu 30 Jul 2020 07:48:58 AM UTC] It is recommended to install socat first. [Thu 30 Jul 2020 07:48:58 AM UTC] We use socat for standalone server if you use standalone mode. [Thu 30 Jul 2020 07:48:58 AM UTC] If you don't use standalone mode, just ignore this warning. [Thu 30 Jul 2020 07:48:58 AM UTC] Installing to /root/.acme.sh [Thu 30 Jul 2020 07:48:58 AM UTC] Installed to /root/.acme.sh/acme.sh [Thu 30 Jul 2020 07:48:58 AM UTC] Installing alias to '/root/.bashrc' [Thu 30 Jul 2020 07:48:58 AM UTC] OK, Close and reopen your terminal to start using acme.sh [Thu 30 Jul 2020 07:48:58 AM UTC] Installing cron job no crontab for root no crontab for root [Thu 30 Jul 2020 07:48:58 AM UTC] Good, bash is found, so change the shebang to use bash as preferred. [Thu 30 Jul 2020 07:48:59 AM UTC] OK [Thu 30 Jul 2020 07:48:59 AM UTC] Install success!
log out and back in to your Linode as suggested by the output.
Issue the following command to ensure that you have access to acme.sh:
acme.sh version
You should see the version acme.sh version returned in the output:
https://github.com/acmesh-official/acme.sh v2.8.7
Create an API token
acme.sh can use the Linode v4 API to create and remove temporary DNS records for a Domain. Follow the steps Get An API Access Token product documentation to create a Linode API v4 token.
NoteEnsure the token you create has Read/Write access to Domains.
Issue a certificate
Connect to your Linode and set an environment variable for the API token you obtained in the previous section. Replace
your-api-token-here
with your own token.export LINODE_V4_API_KEY="your-api-token-here"
Issue the certificate. Replace any instance of
example.com
with the domain you for which you want to issue a certificate.acme.sh --issue --dns dns_linode_v4 --dnssleep 90 -d example.com -d *.example.com
Note
The above command issues a wildcard certificate for
example.com
, which coversexample.com
and any subdomains under it.If you only need to secure
www.example.com
, you can issue the example command. This command covers the non-www (example.com
) and www version of the domain (www.example.com
). Replaceexample.com
with your own domain.acme.sh --issue --dns dns_linode_v4 --dnssleep 90 -d example.com -d www.example.com
acme.sh creates two temporary DNS records on your domain using the Linode API. Wait approximately 90 seconds for the records to be pushed to Linode’s nameservers.
You should see a similar output:
[Thu 30 Jul 2020 12:21:13 PM UTC] Multi domain='DNS:example.com,DNS:*.example.com' [Thu 30 Jul 2020 12:21:13 PM UTC] Getting domain auth token for each domain [Thu 30 Jul 2020 12:21:16 PM UTC] Getting webroot for domain='example.com' [Thu 30 Jul 2020 12:21:16 PM UTC] Getting webroot for domain='*.example.com' [Thu 30 Jul 2020 12:21:16 PM UTC] Adding txt value: MxeTNC7H4t0zCKF0VKW0J5v2kOTK9knc1a9tAtHrvcw for domain: _acme-challenge.example.com [Thu 30 Jul 2020 12:21:16 PM UTC] Using Linode [Thu 30 Jul 2020 12:21:17 PM UTC] Domain resource successfully added. [Thu 30 Jul 2020 12:21:17 PM UTC] The txt record is added: Success. [Thu 30 Jul 2020 12:21:17 PM UTC] Adding txt value: kya3jvonWoGlaNJbzz42oA0e_-hhwocyZFOsWtqUTCI for domain: _acme-challenge.example.com [Thu 30 Jul 2020 12:21:17 PM UTC] Using Linode [Thu 30 Jul 2020 12:21:18 PM UTC] Domain resource successfully added. [Thu 30 Jul 2020 12:21:18 PM UTC] The txt record is added: Success. [Thu 30 Jul 2020 12:21:18 PM UTC] Sleep 90 seconds for the txt records to take effect
After 90 seconds, acme.sh instructs Let’s Encrypt to verify the domain and issue the certificate. If all went well, the output returns the location to your certificate files:
[Thu 30 Jul 2020 12:23:07 PM UTC] Your cert is in /root/.acme.sh/example.com/example.com.cer [Thu 30 Jul 2020 12:23:07 PM UTC] Your cert key is in /root/.acme.sh/example.com/example.com.key [Thu 30 Jul 2020 12:23:07 PM UTC] The intermediate CA cert is in /root/.acme.sh/example.com/ca.cer [Thu 30 Jul 2020 12:23:07 PM UTC] And the full chain certs is there: /root/.acme.sh/example.com/fullchain.cer
Configure your web server
You can now use the certificate files listed above to secure your website. The required steps may vary depending on your web server. Follow the section for the web server you are using.
Apache
Copy and paste the contents of the example file to your site’s Apache virtual hosts configuration file. Replace
example.com
with your own site’s domain.- File: /etc/apache2/sites-available/example.conf
1 2 3 4 5 6
<VirtualHost *:443> SSLEngine on SSLCertificateFile /root/.acme.sh/example.com/fullchain.cer SSLCertificateKeyFile /root/.acme.sh/example.com/example.com.key ... </VirtualHost>
Enable SSL for Apache:
a2enmod ssl
Reload Apache for your configuration file updates to take effect:
On Debian-based distributions run the following command:
systemctl reload apache2
On CentOS and other Red Hat-based distributions run the following command:
systemctl reload httpd
NGINX
Copy and paste the contents of the example file to your site’s NGINX configuration file. Replace
example.com
with your own site’s domain.- File: /etc/nginx/sites-available/example.com
1 2 3 4 5 6 7 8
server { listen 443 ssl; ssl_certificate /root/.acme.sh/example.com/fullchain.cer; ssl_certificate_key /root/.acme.sh/example.com/example.com.key; ... }
Reload NGINX for your configuration file updates to take effect. On systemd-based distributions run the following command:
systemctl reload nginx
Renewing the Certificate
Like the official Let’s Encrypt client (Certbot), acme.sh automatically renews your certificates. When you install the acme.sh software, the installer also creates a cron job. This cron job runs automatically at a random time each day.
View the cron job created by the acme.sh installer:
crontab -l
You should see a similar output:
58 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
This job checks for certificates coming up for expiry and renews them. You can instruct acme.sh to automatically install the certificates to a location readable by your web server and to also reload the web server after renewal. This completely automates the certificate renewal process.
Certificate Renewal Options
The following options are available when you issue a certificate:
Option | Purpose |
---|---|
--cert-file | Location to save the new certificate file. |
--key-file | Location to save the private key file. |
--fullchain-file | Location to save the file containing the full chain of certificates. |
--reloadcmd | Command to run after a certificate has been renewed. |
For example, to store your certificates in /etc/ssl/example.com
and restart Apache after a renewal issue the example command. Replace example.com
with your own domain.
acme.sh --issue --dns dns_linode_v4 --dnssleep 90 -d example.com -d www.example.com \
--cert-file /etc/ssl/example.com/example.com.cer \
--key-file /etc/ssl/example.com/example.com.key \
--fullchain-file /etc/ssl/example.com/fullchain-example.com.cer \
--reloadcmd "systemctl restart apache2"
NoteThe target directory must exist first. To create it run the following command:
mkdir -p /etc/ssl/example.com
NoteThe example command uses certificate file system locations (/etc/ssl/
) that are different from the examples in the Configure your Web Server section (which used the/root/.acme.sh/
folder). If you want to copy this exact example command, make sure that your web server configurations use the correct locations.
After issuing the command, you should see a similar output:
[Thu 30 Jul 2020 12:42:06 PM UTC] Installing cert to:/etc/ssl/example.com/example.com.cer
[Thu 30 Jul 2020 12:42:06 PM UTC] Installing key to:/etc/ssl/example.com/example.com.key
[Thu 30 Jul 2020 12:42:06 PM UTC] Installing full chain to:/etc/ssl/example.com/fullchain-example.com.cer
[Thu 30 Jul 2020 12:42:06 PM UTC] Run reload cmd: systemctl restart apache2
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on