Acme.sh is a lightweight Let's Encrypt client written as a Bash script.
Here is a list of the most useful commands.
Start root shell
sudo su -
Install
curl https://get.acme.sh | sh
Restart the root shell once the installation has finished.
exit
sudo su -
Auth
Acme.sh now supports Cloudflare's API Tokens. You can check out the documentation here.
Below is the outdated method, which uses the Global API Key.
export CF_Key="xxx"
export CF_Email="example@gmail.com"
You can obtain a CF_Key using the Cloudflare Dashboard.
Create a directory for certificates
mkdir -p /etc/nginx/ssl/example.com/
Issue a wildcard certificate
acme.sh --issue --dns dns_cf --keylength ec-256 \
-d example.com -d '*.example.com' --dnssleep 60
acme.sh --install-cert -d example.com --ecc \
--cert-file /etc/nginx/ssl/example.com/cert.pem \
--key-file /etc/nginx/ssl/example.com/key.pem \
--fullchain-file /etc/nginx/ssl/example.com/fullchain.pem \
--reloadcmd "systemctl reload nginx.service"
If the dnssleep parameter is not defined, acme.sh will use the DoH protocol to check the availability of the entries. I haven't tested that mode yet.
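A post-install check for the files written by --install-cert above. This is an added example, not part of the original article or of acme.sh; the function names are hypothetical, and it assumes GNU stat and OpenSSL 1.1.1 or newer.

```sh
#!/bin/sh
# Added example: verify the files installed under /etc/nginx/ssl/<domain>/.
# Function names are hypothetical; assumes GNU stat and OpenSSL 1.1.1+.

# True if the private key has no group/other permission bits set.
key_perms_ok() {
    _mode=$(stat -c '%a' "$1") || return 2
    # Leading 0 makes the value octal; mask out everything but group/other.
    [ $(( 0$_mode & 077 )) -eq 0 ]
}

# True if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    _key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# True if the certificate lists NAME (e.g. '*.example.com') as a DNS SAN.
cert_covers() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$2"
}

# Run every check for one domain directory; returns non-zero on any failure.
check_install() {
    _dir=$1; _domain=$2; _rc=0
    key_perms_ok "$_dir/key.pem" \
        || { echo "key.pem is accessible by group/other" >&2; _rc=1; }
    cert_matches_key "$_dir/cert.pem" "$_dir/key.pem" \
        || { echo "cert.pem does not match key.pem" >&2; _rc=1; }
    for _name in "$_domain" "*.$_domain"; do
        cert_covers "$_dir/cert.pem" "$_name" \
            || { echo "SAN missing: $_name" >&2; _rc=1; }
    done
    # A certificate within 30 days of expiry suggests renewal is not running.
    openssl x509 -in "$_dir/cert.pem" -noout -checkend 2592000 >/dev/null \
        || { echo "cert.pem expires within 30 days" >&2; _rc=1; }
    return $_rc
}

# Usage: sh check.sh /etc/nginx/ssl/example.com example.com
if [ $# -ge 2 ]; then
    check_install "$1" "$2"
fi
```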
Revoke a certificate
acme.sh --revoke -d example.com --ecc