There are some popular methods of generating SSL and TLS certificates in Linux. One of the most popular methods of issuing SSL certificates is Let’s encrypt which is a certificate authority that offers free SSL certificates. There is an even easier way to issue the certificate which does not require any dependencies and requirements. The acme.sh script written in Shell makes it easy to generate and install SSL certificates in Linux systems. In this article, we will learn how to install the acme.sh script in the Linux system and how to use it to generate and install SSL certificates.
Installation of acme.sh is a simple and straightforward process. Follow the steps below to install the application.
Method1 : Using curl command
$ curl https://get.acme.sh | sh
Method2: Using git repository
$ git clone https://github.com/acmesh-official/acme.sh.git $ cd ./acme.sh $ ./acme.sh --install
Once the installation is completed, run the following command to verify.
$ acme.sh --version
Generate SSL Certificate
Generating SSL certificates using acme.sh is a very simple process. Follow the steps below to generate the certificate.
Generate a certificate for a single domain using webroot mode.
$ acme.sh --issue -d vitux.com -w /home/wwwroot/vitux.com
Generate a certificate for multiple domains in the same certificate
$ acme.sh --issue -d vitux.com -d www.vitux.com -d example.vitux.com -w /home/wwwroot/vitux.com
/home/wwwroot/vitux.com is the webroot folder where the website file is hosted. Remember to give write access to the webroot folder.
vitux.com is the domain name I have used to generate SSL certificates. You can select your domain name accordingly.
All the domain names should be pointed to the same webroot directory.
The generated SSL certificate will be located in the directory ~/.acme.sh/<domain-name>
Where domain-name is the directory created with your domain provided while generating the certificate.
Issue certificate using the standalone server
Use the following command to generate an SSL certificate using the standalone server.
For single domain
$ acme.sh --issue --standalone -d vitux.com
For multiple domain
$ acme.sh --issue --standalone -d vitux.com -d www.vitux.com -d example.vitux.com
Sudo or root user permission is needed to listen on TCP port 80. Port 80 must be free to listen on the server.
Generate SSL certificate using standalone SSL server
Use the following command to generate an SSL certificate using a standalone SSL server. In this example, I have used the linuxways.com domain for demonstration. Consider your own domain name while generating the certificate.
$ acme.sh --issue --alpn -d vitux.com -d www.vitux.com -d example.vitux.com
Sudo or root user permission is needed to listen on TCP port 443. Also, remember to free port 443 to be listened to, otherwise prompts will appear to free it.
Use apache mode to generate certificates
Webroot mode is recommended to generate an ssl certificate for running a web server. If apache is being used as a web server then Apache mode can be used to issue the certificate. This mode does not write any files to the webroot directory.
This mode needs to interact with Apache web server, so you need to have root/sudo privilege.
$ acme.sh --issue --apache -d vitux.com www.vitux.com
The above command will generate only the certificate file. You need to point the certificate file directory in the apache configuration file to install the certificate.
Use nginx mode to issue the certificate
Particularly, if you are using nginx as a web server then nginx mode can be used instead of webroot mode. All you need to have is root/sudo privilege since this interacts with nginx web server. This mode will not write any files in the webroot directory.
$ acme.sh --issue --nginx -d vitux.com www.vitux.com
The above command will generate the certificate only. You need to point the certificate file directory in the nginx configuration file to install.
Issue certificate for wildcard domain
Generating certificates for wildcard domains is easy. In the place of -d parament, use wildcard domain as:
$ acme.sh --issue -d vitux.com -d *.vitux.com --dns dns_cf
The –dns parameter specifies which DNS hoster you are using, dns_cf stands for cloudflare.
Renew Let’s Encrypt SSL Certificate with acme.sh
During acme.sh installation, it creates a cronjob to renew the SSL certificate every 60 days. So you don’t need to renew the certificate manually. However, you can renew the certificate with force option as:
$ acme.sh --renew -d vitux.com --force
To find the cron job, run the following command.
$ crontab -l
Log file directory
Log file of acme.sh is located at the directory ~/.acme.sh .Log file generation is not enabled by default. Make the following changes in the account.conf file.
$ cd ~/.acme.sh $ vi account.conf
Now use the following command to find the log file generated.
$ cd ~/.acme.sh $ tail -f acme.sh.log
In this article, we learned how to install acme.sh script to generate SSL certificates in Linux systems. I showed you how to generate SSL certificates for multiple domains at once and how to renew SSL certificates.