There are some popular methods of generating SSL and TLS certificates in Linux. One of the most popular methods of issuing SSL certificates is Let’s encrypt which is a certificate authority that offers free SSL certificates. There is an even easier way to issue the certificate which does not require any dependencies and requirements. The acme.sh script written in Shell makes it easy to generate and install SSL certificates in Linux systems. In this article, we will learn how to install the acme.sh script in the Linux system and how to use it to generate and install SSL certificates.

acme.sh Installation

Installation of acme.sh is a simple and straightforward process. Follow the steps below to install the application.

Method1 : Using curl command

$ curl https://get.acme.sh | sh

Method2: Using git repository

$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd ./acme.sh
$ ./acme.sh --install

Once the installation is completed, run the following command to verify.

$ acme.sh --version

Output:

Generate SSL Certificate

Generating SSL certificates using acme.sh is a very simple process. Follow the steps below to generate the certificate.

Generate a certificate for a single domain using webroot mode.

$ acme.sh --issue -d vitux.com -w /home/wwwroot/vitux.com

Generate a certificate for multiple domains in the same certificate

$ acme.sh --issue -d vitux.com -d www.vitux.com -d example.vitux.com -w /home/wwwroot/vitux.com

Where,

/home/wwwroot/vitux.com is the webroot folder where the website file is hosted. Remember to give write access to the webroot folder.

vitux.com is the domain name I have used to generate SSL certificates. You can select your domain name accordingly.

All the domain names should be pointed to the same webroot directory.

The generated SSL certificate will be located in the directory ~/.acme.sh/<domain-name>

Where domain-name is the directory created with your domain provided while generating the certificate.

Issue certificate using the standalone server

Use the following command to generate an SSL certificate using the standalone server.

For single domain

$ acme.sh --issue --standalone -d vitux.com

For multiple domain

$ acme.sh --issue --standalone -d vitux.com -d www.vitux.com -d example.vitux.com

Sudo or root user permission is needed to listen on TCP port 80. Port 80 must be free to listen on the server.

Generate SSL certificate using standalone SSL server

Use the following command to generate an SSL certificate using a standalone SSL server. In this example, I have used the linuxways.com domain for demonstration. Consider your own domain name while generating the certificate.

$ acme.sh --issue --alpn -d vitux.com -d www.vitux.com -d example.vitux.com

Sudo or root user permission is needed to listen on TCP port 443. Also, remember to free port 443 to be listened to, otherwise prompts will appear to free it.

Use apache mode to generate certificates

Webroot mode is recommended to generate an ssl certificate for running a web server. If apache is being used as a web server then Apache mode can be used to issue the certificate. This mode does not write any files to the webroot directory.

This mode needs to interact with Apache web server, so you need to have root/sudo privilege.

$ acme.sh --issue --apache -d vitux.com www.vitux.com

The above command will generate only the certificate file. You need to point the certificate file directory in the apache configuration file to install the certificate.

Use nginx mode to issue the certificate

Particularly, if you are using nginx as a web server then nginx mode can be used instead of webroot mode. All you need to have is root/sudo privilege since this interacts with nginx web server. This mode will not write any files in the webroot directory.

$ acme.sh --issue --nginx -d vitux.com www.vitux.com

The above command will generate the certificate only. You need to point the certificate file directory in the nginx configuration file to install.

Issue certificate for wildcard domain

Generating certificates for wildcard domains is easy. In the place of -d parament, use wildcard domain as:

$ acme.sh --issue -d vitux.com -d *.vitux.com --dns dns_cf

The –dns parameter specifies which DNS hoster you are using, dns_cf stands for cloudflare.

Renew Let’s Encrypt SSL Certificate with acme.sh

During acme.sh installation, it creates a cronjob to renew the SSL certificate every 60 days. So you don’t need to renew the certificate manually. However, you can renew the certificate with force option as:

$ acme.sh --renew -d vitux.com --force

To find the cron job, run the following command.

$ crontab -l

acme.sh cronjob

 

Log file directory

Log file of acme.sh is located at the directory ~/.acme.sh .Log file generation is not enabled by default. Make the following changes in the account.conf file.

$ cd ~/.acme.sh
$ vi account.conf

acme.sh log

Now use the following command to find the log file generated.

$ cd ~/.acme.sh
$ tail -f acme.sh.log

Conclusion

In this article, we learned how to install acme.sh script to generate SSL certificates in Linux systems. I showed you how to generate SSL certificates for multiple domains at once and how to renew SSL certificates.

How to Install and Use acme.sh script to get free SSL Certificates on Linux

Karim Buzdar

About the Author: Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn