How to create Let’s Encrypt SSL certificates with acme.sh on Linux

Issuing and installing SSL certificates doesn’t have to be a challenge, especially when there are tools like acme.sh available. Jack Wallen shows you how to install and use this handy script.


Installing SSL certificates isn’t difficult, but it’s a process every Linux administrator will have to take on at some point in their career. One of the more popular methods of getting and installing SSL certificates on Linux is by way of Let’s Encrypt, which is a certificate authority that offers free, automated SSL and TLS certificates. And Let’s Encrypt isn’t at all challenging to use.


But there’s an even easier way, one that doesn’t have any dependencies or requirements. The acme.sh script is written in Shell and supports more DNS providers than other similar clients. This means you can get your SSL/TLS certificates faster and easier.

I’m going to show you how to get and use acme.sh on Linux, so you can start working with SSL without any hassle.

What you’ll need

To get working with acme.sh, you’ll need a running instance of Linux (the distribution doesn’t matter, as acme.sh should work on just about every flavor of Linux available). This will preferably be the server you want to install the SSL certificates onto (otherwise you’d wind up having to move them).

That’s it. Let’s get this up and running.

How to get acme.sh

There are several ways to get the acme.sh script installed on your Linux machine. I’ll show you how to do so using either curl or wget. The curl command is:

curl https://get.acme.sh | sh

The wget command is:

wget -O - https://get.acme.sh | sh

After you run either command, you need to source your .bashrc with:

source ~/.bashrc

To verify the installation, issue the command:

acme.sh --version

You should see the version of the installed script printed out. Finally, enable auto-upgrade of the acme.sh script with the command:

acme.sh --upgrade --auto-upgrade

How to issue an SSL certificate with acme.sh

Now we’ll issue an SSL certificate for a single domain on a web server. We’ll use the example.com domain to illustrate. The command for this is:

acme.sh --issue -d example.com --webroot /var/www/example.com

Change example.com to your server’s domain and /var/www/example.com to its document root. If you have multiple domains associated with that server (such as for mail, FTP and www), you could issue the command:

acme.sh --issue -d example.com -d www.example.com -d mail.example.com -d ftp.example.com --webroot /var/www/example.com --keylength LENGTH

Where LENGTH is one of the following values for keylength:

  • 2048 (default)
  • 3072
  • 4096
  • 8192
  • ec-256
  • ec-384

You could also issue an SSL certificate in standalone mode (if you don’t have a web server) with the command:

acme.sh --issue -d example.com --standalone

Again, replace example.com with your domain.

How to copy the certificates to the proper location in local storage

With those certificates issued, you’ll then need to install them in the proper location for your web server. Let’s say you’re using Apache as the web server and the location for your certificates is /etc/ssl/certs. For this, you’d issue the command:

acme.sh --install-cert --domain example.com --cert-file /etc/ssl/certs/cert.pem --key-file /etc/ssl/certs/keyfile/key.pem --fullchain-file /etc/ssl/certs/fullchain/fullchain.pem --reloadcmd "sudo systemctl reload apache2.service"

Make sure to change out example.com for your domain.

How to renew your certificate

As you know, SSL certificates expire. To renew those certificates with acme.sh, you’d issue the command:

acme.sh --renew -d example.com --force

Make sure to change out example.com for your domain.
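As an added example (not from the article or the acme.sh project), the following POSIX shell helpers tie the keylength list above to the install and renewal steps: they build the --issue command line and refuse a keylength that is not in that list, and they verify that the files --install-cert wrote (the article's /etc/ssl/certs paths are the defaults) actually belong together and are not close to expiry. It assumes openssl is installed; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the article or the acme.sh project.
# Helpers to build the --issue command from the article's keylength list and
# to verify the files written by --install-cert. Assumes openssl is installed;
# the default paths below are the ones the article uses.

# valid_keylength VALUE: true if VALUE is one of the --keylength values above
valid_keylength() {
  case "$1" in
    2048|3072|4096|8192|ec-256|ec-384) return 0 ;;
    *) return 1 ;;
  esac
}

# issue_cmd WEBROOT KEYLENGTH DOMAIN...: print the acme.sh --issue command,
# refusing an unsupported keylength instead of letting acme.sh fail later
issue_cmd() {
  webroot=$1; keylength=$2; shift 2
  valid_keylength "$keylength" || { echo "unsupported keylength: $keylength" >&2; return 1; }
  cmd="acme.sh --issue"
  for d in "$@"; do cmd="$cmd -d $d"; done
  printf '%s --webroot %s --keylength %s\n' "$cmd" "$webroot" "$keylength"
}

# cert_matches_key CERT KEY: true if the certificate belongs to this private key
# (compares the public key extracted from each file)
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# needs_renewal DAYS CERT: true if CERT expires within DAYS days
# (Let's Encrypt certificates are valid for 90 days; renew with ~30 left)
needs_renewal() {
  ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 ))
}

# check_install [CERT] [KEY]: report on the files --install-cert wrote
check_install() {
  cert=${1:-/etc/ssl/certs/cert.pem}
  key=${2:-/etc/ssl/certs/keyfile/key.pem}
  cert_matches_key "$cert" "$key" || { echo "MISMATCH: $cert does not belong to $key" >&2; return 1; }
  if needs_renewal 30 "$cert"; then
    echo "WARNING: $cert expires within 30 days; run: acme.sh --renew -d <domain> --force"
  else
    echo "OK: $cert matches $key and has more than 30 days left"
  fi
}
```

Run `check_install` on the server after --install-cert (or from a cron job alongside the one acme.sh installs) to catch a stale or mismatched deployment before the web server reloads with it.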

And that’s all there is to issuing and installing SSL certificates with acme.sh on Linux. You’ll probably find this tool a bit easier to use than Let’s Encrypt, plus it’s a bit more universal, so it can be installed on nearly any Linux distribution.
