Title: Automating SSL Certificate Issuance with Acme.sh on Ubuntu Server
Introduction: This tutorial will guide you through the process of automating SSL certificate issuance on an Ubuntu server using Acme.sh. SSL certificates are essential for securing websites and services, and automating their issuance can save time and effort. Acme.sh is a shell-based tool that offers better performance and supports multiple DNS provider APIs, making it an excellent choice for automating SSL certificates.
Prerequisites:
- Ubuntu Server
- Domain name
- DNS API token
Example Terminology:
- Email: mail@example.com
Step 1 - Installing Acme.sh:
- Log in to your Ubuntu server.
- Open a terminal window.
- Clone the Acme.sh repository from GitHub:
  git clone https://github.com/acmesh-official/acme.sh.git
- Navigate to the Acme.sh directory (this path assumes you ran the clone from your home directory):
  cd ~/acme.sh
- Install Acme.sh with your email address:
  ./acme.sh --install -m mail@example.com
  Replace mail@example.com with your actual email address.
- Note down the installation path displayed after the installation is complete.
Step 2 - Modifying Automated DNS:
- Acme.sh supports various DNS providers. You can find the available DNS API options in the dnsapi directory of the Acme.sh repository:
  cd ~/acme.sh/dnsapi
- If you are unsure which DNS provider to use, refer to the Acme.sh wiki for guidance.
- For this tutorial, we will use Hetzner DNS. Note that the API keys provided by different DNS providers may vary. Choose the provider that best suits your needs.
- Obtain the API key for your DNS provider from their respective console. In the case of Hetzner DNS, you can find your API key in the Hetzner DNS Console.
- Find the corresponding script for your DNS provider within the dnsapi directory. For Hetzner, the script is named dns_hetzner.sh.
- You can add the API token either by editing the script manually:
  nano ~/acme.sh/dnsapi/dns_hetzner.sh
  Or by using the export command:
  export YOUR_Token="<token>"
  Replace YOUR_Token with the variable used in the script for your DNS provider and <token> with your actual API token.
- You can view the saved API token by running:
  cat ~/.acme.sh/account.conf
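Because the DNS API token is kept unencrypted in ~/.acme.sh/account.conf, that file should be accessible only to its owner. The following is an added example, not part of the original tutorial or of Acme.sh: it lists the names of saved credential-like settings without printing their values and checks the file's permission bits. It assumes settings are stored one per line as NAME='value'; the function names and the demo file contents (variable name and token included) are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of acme.sh. Assumption: account.conf stores saved
# settings one per line as NAME='value'.

# Print the names (never the values) of settings that look like credentials.
list_secret_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" |
        grep -iE '(token|key|secret|password)$' || true
}

# Succeed only if group and other have no permission bits on the file.
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 if the file is safe, 1 if it holds credentials and is accessible
# beyond its owner, 2 if it does not exist.
audit_acme_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    names=$(list_secret_names "$conf")
    [ -n "$names" ] || { echo "OK: no saved credentials in $conf"; return 0; }
    echo "credentials saved in $conf:"
    echo "$names" | sed 's/^/  /'
    if owner_only "$conf"; then
        echo "OK: only the owner can access $conf"
        return 0
    fi
    echo "FAIL: $conf is accessible to group or other; run: chmod 600 $conf"
    return 1
}

# Demo on a constructed file (the variable name and token value are made up).
demo() {
    tmp=$(mktemp) || return 0
    printf '%s\n' "ACCOUNT_EMAIL='mail@example.com'" \
        "SAVED_HETZNER_Token='constructed-not-a-real-token'" > "$tmp"
    chmod 644 "$tmp"; audit_acme_conf "$tmp" || true
    chmod 600 "$tmp"; audit_acme_conf "$tmp" || true
    rm -f "$tmp"
}
demo
```

To check your own installation, call audit_acme_conf ~/.acme.sh/account.conf in place of the demo.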
Step 3 - Issuing Certificates:
- By default, Acme.sh uses ZeroSSL as the Certificate Authority (CA). If you require a specific CA, such as BuyPass.com CA, check the official Acme.sh repository on GitHub for more options.
- Starting from Acme.sh v3.0.6, the default key algorithm is ec-256, not RSA2048. If your CA only supports RSA4096 and below, you can specify the key length as -k 2048 at the end of the command to issue a free certificate.
- To issue the SSL certificate, run the following commands:
  cd ~/acme.sh
  ./acme.sh --issue --dns dns_hetzner -d example.com -d '*.example.com'
  The second command performs automatic DNS verification. Replace example.com with your domain name and adjust the -d flags as needed. The wildcard name is quoted so that the shell passes it to Acme.sh unchanged instead of trying to expand it as a file pattern.
- Once the verification is successful, you can find the SSL certificates in the designated location. Open the certificate files with a text editor to view the details.
Conclusion: In this tutorial, you have learned how to automate SSL certificate issuance using Acme.sh on an Ubuntu server. By following these instructions, you can easily secure your websites and services with SSL certificates, saving time and enhancing security.