Install your Let’s Encrypt SSL certificate with acme.sh

    Install acme.sh
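    wget -O -  https://get.acme.sh | sh
    source ~/.bashrc
    # acme.sh 3.0 and later use ZeroSSL as the default CA; switch the default to Let's Encrypt
    acme.sh --set-default-ca --server letsencrypt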
    

    Issue a certificate

    Method 1 : use the same folder to validate all acme challenges

    First, create a new file acme.conf in the folder /etc/nginx/common/ with the following content :

    location /.well-known/acme-challenge/ {
        alias /var/www/html/.well-known/acme-challenge/;
    }
    

    Then set www-data as owner of the folder /var/www/html :

    chown -R www-data:www-data /var/www/html
    

    The last step is to include acme.conf in your nginx vhost, by adding the following line :

    include common/acme.conf;

    Reload nginx with the command service nginx reload. You can now issue your first cert with acme.sh :

    # domain
    acme.sh  --issue  -d example.com  -w /var/www/html 
    # domain + www
    acme.sh  --issue  -d example.com  -d www.example.com -w /var/www/html 
    # SAN mode
    acme.sh  --issue  -d example.com  -d www.example.com -d dev.example.com -w /var/www/html 
    # ECDSA Certificates (384 Bits)
    acme.sh --issue -d yourdomain.tld -d www.yourdomain.tld -d blog.yourdomain.tld --keylength ec-384 -w /var/www/html

    Method 2 : use Cloudflare DNS API

    Configure your API keys :

    export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
    export CF_Email="hi@acme.sh"
    
    # domain
    acme.sh  --issue  -d example.com  --dns dns_cf 
    # domain + www
    acme.sh  --issue  -d example.com  --dns dns_cf  -d www.example.com 
    # SAN mode
    acme.sh  --issue  -d example.com  --dns dns_cf  -d www.example.com -d dev.example.com 
    # ECDSA Certificates (384 Bits)
    acme.sh --issue -d yourdomain.tld -d www.yourdomain.tld -d blog.yourdomain.tld --keylength ec-384 --dns  dns_cf

    Install your SSL certificate in Nginx

    DO NOT use the cert files in the ~/.acme.sh/ folder directly : they are for internal use only, and the folder structure may change in the future.
    Create a folder to store your certs in production :

    mkdir -p /etc/nginx/acme.sh/yourdomain.tld

    Then use the --install-cert command to copy your certs with acme.sh :

    # for RSA certs
    acme.sh --install-cert -d yourdomain.tld \
    --cert-file /etc/nginx/acme.sh/yourdomain.tld/cert.pem \
    --key-file /etc/nginx/acme.sh/yourdomain.tld/key.pem \
    --fullchain-file /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem \
    --reloadcmd "systemctl reload nginx.service"
    
    # for ECDSA certs
    acme.sh --install-cert -d yourdomain.tld --ecc \
    --cert-file /etc/nginx/acme.sh/yourdomain.tld/cert.pem \
    --key-file /etc/nginx/acme.sh/yourdomain.tld/key.pem \
    --fullchain-file /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem \
    --reloadcmd "systemctl reload nginx.service"

    Then you just have to add the certificates in your nginx configuration.
    Create two files, the first one to add your SSL certificate with the following content :

    # /var/www/yourdomain.tld/conf/nginx/ssl.conf
    
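        # "ssl" on the listen lines enables TLS; the separate "ssl on;" directive
        # is obsolete since nginx 1.15.0 and was removed in 1.25.1
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem;
        ssl_certificate_key     /etc/nginx/acme.sh/yourdomain.tld/key.pem;
        # ssl_trusted_certificate expects CA certificates (used to verify OCSP responses);
        # fullchain.pem carries the intermediates, cert.pem holds only the leaf
        ssl_trusted_certificate /etc/nginx/acme.sh/yourdomain.tld/fullchain.pem;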

    And the other one for the redirection from HTTP to HTTPS :

    # /etc/nginx/conf.d/forcessl-yourdomain-tld.conf
    
    server {
            listen 80;
            listen [::]:80;
            server_name www.yourdomain.tld yourdomain.tld;
            return 301 https://yourdomain.tld$request_uri;
    }

    Certificates Renewal

    All certs are renewed automatically every 60 days, but you can also force a renewal with the following commands :

    # RSA certs
    acme.sh --renew -d example.com --force
    
    # ECDSA certs
    acme.sh --renew -d example.com --force --ecc
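
    To confirm that the files copied by --install-cert are safe to serve and that automatic renewal keeps working, the production folder can be audited after each install or renewal. The script below is an added example, not part of the original guide or of acme.sh; the function names and the 14-day threshold are assumptions, and it requires the openssl command line tool.

```shell
#!/bin/sh
# Added example: audit a folder populated by `acme.sh --install-cert`.
# File names (key.pem, fullchain.pem) follow the page; function names and the
# 14-day threshold are assumptions. Requires the openssl CLI.

# Succeeds only if the key is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    # ls -l mode string: char 1 = type, 2-4 = owner, 5-10 = group + others
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeeds if the leaf certificate (first cert in the file) carries the public
# key that belongs to the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now (default 14).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-14} * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks, prints one line per failure, returns non-zero on any.
audit_cert_dir() {
    dir=$1
    rc=0
    if ! key_is_private "$dir/key.pem"; then
        echo "FAIL: $dir/key.pem is missing or accessible to group/others"; rc=1
    fi
    if ! key_matches_cert "$dir/fullchain.pem" "$dir/key.pem"; then
        echo "FAIL: $dir/key.pem does not match the leaf cert in fullchain.pem"; rc=1
    fi
    if ! cert_valid_for_days "$dir/fullchain.pem" 14; then
        echo "FAIL: $dir/fullchain.pem is unreadable or expires within 14 days"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $dir"; fi
    return "$rc"
}

# Usage: sh audit-certs.sh /etc/nginx/acme.sh/yourdomain.tld
if [ "$#" -gt 0 ]; then
    audit_cert_dir "$1"
fi
```

    A non-zero exit status makes the script usable from cron or a monitoring check.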
