“acme.sh” is a shell script that implements the client side of the ACME (Automatic Certificate Management Environment) protocol. It provides an alternative to the widely used Certbot client for automating the process of obtaining and managing TLS (Transport Layer Security) certificates from Let’s Encrypt or other ACME-compatible certificate authorities.
Here are some key points to understand about the “acme.sh” script:
- ACME Client Protocol: The ACME protocol is a standardized protocol for automating certificate management, including certificate issuance, renewal, and revocation. The “acme.sh” script implements this protocol, allowing users to interact with ACME servers to request and manage TLS certificates.
- Shell Script: “acme.sh” is written as a shell script, which means it can be executed directly from the command line on Unix-like systems, including Linux and macOS. This makes it lightweight, portable, and easy to install and use without the need for additional dependencies.
- Certificate Issuance: One of the primary functions of “acme.sh” is to automate the process of obtaining TLS certificates. It interacts with ACME servers, handles domain validation, and retrieves issued certificates. Users can request certificates for their domains without manual intervention.
- Certificate Renewal: TLS certificates have a limited validity period. The “acme.sh” script includes functionality to automatically renew certificates before they expire. It performs renewal checks and initiates the renewal process, ensuring that certificates are always up to date and valid.
- ACME-Compatible Certificate Authorities: While “acme.sh” is primarily associated with Let’s Encrypt, it supports other ACME-compatible certificate authorities as well. This means users have flexibility in choosing the certificate authority they want to work with, expanding their options beyond Let’s Encrypt.
- DNS API Integration: “acme.sh” provides integration with various DNS service providers’ APIs. This allows for the automation of DNS challenges, where DNS records need to be modified for domain ownership verification during certificate issuance. The script can programmatically add and remove DNS records, making the process seamless.
- Certificate Management: In addition to issuance and renewal, “acme.sh” includes features for managing TLS certificates. It can install certificates in web servers or other applications, configure automatic renewal, and perform operations like exporting or importing certificates.
By using the “acme.sh” script, users can automate the process of obtaining and managing TLS certificates, providing a flexible and lightweight alternative to tools like Certbot. It simplifies the interaction with ACME servers, streamlines certificate management, and enables the automation of certificate-related tasks for improved security and convenience.
acme.sh Command Examples
1. Issue a certificate using webroot mode:
# acme.sh --issue --domain example.com --webroot /path/to/webroot
2. Issue a certificate for multiple domains using standalone mode (HTTP challenge on port 80):
# acme.sh --issue --standalone --domain example.com --domain www.example.com
3. Issue a certificate using standalone TLS-ALPN mode (port 443):
# acme.sh --issue --alpn --domain example.com
4. Issue a certificate using a working Nginx configuration:
# acme.sh --issue --nginx --domain example.com
5. Issue a certificate using a working Apache configuration:
# acme.sh --issue --apache --domain example.com
6. Issue a wildcard (*) certificate using an automatic DNS API mode:
# acme.sh --issue --dns dns_cf --domain '*.example.com'
7. Install certificate files into the specified locations (useful for automatic certificate renewal):
# acme.sh --install-cert -d example.com --key-file /path/to/example.com.key --fullchain-file /path/to/example.com.cer --reloadcmd "systemctl force-reload nginx"
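As an added illustration of the DNS API mode used in example 6 (this is example code, not a script shipped with acme.sh), the following hypothetical hook shows the two entry points a dnsapi script provides, dns_<name>_add and dns_<name>_rm: acme.sh calls the first with the challenge name (_acme-challenge.<domain>) and the token value before asking the CA to validate, and the second to clean up afterwards. Here the records are written to a local zone file instead of a provider's HTTP API; ZONE_FILE, the dns_zonefile_ names and the record format are assumptions.

```shell
#!/usr/bin/env sh
# Hypothetical acme.sh DNS API hook (example code, not part of acme.sh).
# acme.sh passes: $1 = _acme-challenge.<domain>, $2 = challenge token.
# ZONE_FILE is an assumed location; a real hook would call the provider
# API here, so scope those API credentials to TXT-record changes only.
: "${ZONE_FILE:=./example.com.zone}"

# Stand-ins for acme.sh's _info/_err logging helpers when run outside it.
if ! command -v _info >/dev/null 2>&1; then _info() { printf '%s\n' "$*"; }; fi
if ! command -v _err  >/dev/null 2>&1; then _err()  { printf 'ERROR: %s\n' "$*" >&2; }; fi

# Builds the one-line zone record for a given challenge name and token.
_zone_record() { printf '%s. 60 IN TXT "%s"' "$1" "$2"; }

# Usage: dns_zonefile_add _acme-challenge.example.com "<token>"
dns_zonefile_add() {
  fulldomain=$1
  txtvalue=$2
  [ -n "$fulldomain" ] && [ -n "$txtvalue" ] || { _err "missing arguments"; return 1; }
  # Reject values that would break out of the quoted TXT rdata.
  case "$txtvalue" in *\"*|*\\*|*[[:space:]]*) _err "unsafe TXT value"; return 1 ;; esac
  printf '%s\n' "$(_zone_record "$fulldomain" "$txtvalue")" >> "$ZONE_FILE" || return 1
  _info "added TXT for $fulldomain"
}

# Usage: dns_zonefile_rm _acme-challenge.example.com "<token>"
dns_zonefile_rm() {
  fulldomain=$1
  txtvalue=$2
  tmp="${ZONE_FILE}.tmp.$$"
  # Drop only the exact record added above (fixed-string match).
  # grep -v exits 1 when nothing is left, which is not an error here.
  grep -vF -- "$(_zone_record "$fulldomain" "$txtvalue")" "$ZONE_FILE" > "$tmp" \
    || [ $? -eq 1 ] || { rm -f "$tmp"; _err "could not read $ZONE_FILE"; return 1; }
  mv "$tmp" "$ZONE_FILE" || return 1
  _info "removed TXT for $fulldomain"
}

# Returns 0 when the zone file holds exactly one matching challenge record.
dns_zonefile_has() {
  n=$(grep -cF -- "$(_zone_record "$1" "$2")" "$ZONE_FILE" || true)
  [ "$n" -eq 1 ]
}
```

Between add and rm, the CA resolves the TXT record and compares it against the key authorization, so the hook only needs to guarantee that exactly the expected record exists during validation and is removed afterwards.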