
Automating SSL Certificate Issuance with Acme.sh on Server Via DNS

Updated at 16/12/2023

Title: Automating SSL Certificate Issuance with Acme.sh on Ubuntu Server

Introduction: This tutorial will guide you through the process of automating SSL certificate issuance on an Ubuntu server using Acme.sh. SSL certificates are essential for securing websites and services, and automating their issuance can save time and effort. Acme.sh is a shell-based tool that offers better performance and supports multiple DNS provider APIs, making it an excellent choice for automating SSL certificates.

Prerequisites:

  • Ubuntu Server
  • Domain name
  • DNS API token

Example Terminology:

Step 1 - Installing Acme.sh:

  1. Log in to your Ubuntu server.

  2. Open a terminal window.

  3. Clone the Acme.sh repository from GitHub into your home directory:

    git clone https://github.com/acmesh-official/acme.sh.git ~/acme.sh

  4. Navigate to the Acme.sh directory:

    cd ~/acme.sh

  5. Install Acme.sh with your email address:

    ./acme.sh --install -m mail@example.com

    Replace mail@example.com with your actual email address.

  6. Note down the installation path displayed after the installation is complete.

Step 2 - Modifying Automated DNS:

  1. Acme.sh supports various DNS providers. You can find the available DNS API options in the Acme.sh repository's dnsapi directory:

    cd ~/acme.sh/dnsapi

  2. If you are unsure which DNS provider to use, refer to the Acme.sh wiki for guidance.

  3. For this tutorial, we will use Hetzner DNS. Note that the API keys provided by different DNS providers may vary. Choose the provider that best suits your needs.

  4. Obtain the API key for your DNS provider from their respective console. In the case of Hetzner DNS, you can find your API key in the Hetzner DNS Console.

  5. Find the corresponding script for your DNS provider within the dnsapi directory. For Hetzner, the script is named dns_hetzner.sh.

  6. You can add the API token either by editing the script manually:

    nano ~/acme.sh/dnsapi/dns_hetzner.sh

    Or by using the export command:

    export YOUR_Token="<token>"

    Replace YOUR_Token with the variable used in the script for your DNS provider (for Hetzner, HETZNER_Token) and <token> with your actual API token. The export route keeps the secret out of the files in the cloned repository.

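  7. Once Acme.sh has used the token to issue a certificate (Step 3), it saves the token in plain text in account.conf. You can view the saved API token by running:

    cat ~/.acme.sh/account.conf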
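
Because account.conf holds the DNS API token in plain text, it is worth checking who can read it without dumping the secret to the terminal. The script below is an added example, not part of the original tutorial or of the Acme.sh project. It assumes KEY='value' lines, credential keys whose names contain "token", "key", "secret" or "password", and GNU stat as shipped with Ubuntu; audit_account_conf is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit an acme.sh account.conf without printing secrets.
# Assumptions: entries are KEY='value' lines; credential keys contain
# "token", "key", "secret" or "password"; GNU stat (as on Ubuntu).
# audit_account_conf is a hypothetical helper name.

audit_account_conf() {
    conf=${1:-$HOME/.acme.sh/account.conf}
    if [ ! -f "$conf" ]; then
        echo "missing: $conf" >&2
        return 2
    fi

    audit_rc=0
    mode=$(stat -c '%a' "$conf")
    # Any group/other bit lets other local accounts read the DNS API token.
    case $mode in
        ?00) echo "OK    $conf mode $mode" ;;
        *)   echo "WARN  $conf mode $mode, expected 600"; audit_rc=1 ;;
    esac

    # Name the credential entries, masking the values.
    grep -iE '^[A-Za-z0-9_]*(token|key|secret|password)[A-Za-z0-9_]*=' "$conf" |
        sed 's/=.*/=<redacted>/'

    return "$audit_rc"
}

# Constructed sample input; the token value is made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ACCOUNT_EMAIL='mail@example.com'
SAVED_HETZNER_Token='constructed-not-a-real-token'
EOF

chmod 644 "$sample"
audit_account_conf "$sample" || echo "-> tighten with: chmod 600 $sample"
chmod 600 "$sample"
audit_account_conf "$sample"
rm -f "$sample"
```

Run audit_account_conf with no argument to check ~/.acme.sh/account.conf itself; a return code of 1 means the file is readable or writable beyond its owner.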

Step 3 - Issuing Certificates:

  1. By default, Acme.sh uses ZeroSSL as the Certificate Authority (CA). If you require a specific CA, such as BuyPass.com CA, check the official Acme.sh repository on GitHub for more options.

  2. Starting from Acme.sh v3.0.6, the default key algorithm is ec-256, not RSA2048. If your CA only supports RSA4096 and below, you can specify the key length as -k 2048 at the end of the command to issue a free certificate.

  3. To issue the SSL certificate, run the following command:

    cd ~/acme.sh
    ./acme.sh --issue --dns dns_hetzner -d example.com -d '*.example.com'

    This command performs automatic DNS verification. Replace example.com with your domain name and adjust the -d flags as needed.

  4. Once the verification is successful, you can find the SSL certificates in the designated location. Open the certificate files with a text editor to view the details.

Conclusion: In this tutorial, you have learned how to automate SSL certificate issuance using Acme.sh on an Ubuntu server. By following these instructions, you can easily secure your websites and services with SSL certificates, saving time and enhancing security.
