Automating SSL/TLS Certificate Deployment with acme.sh

acme.sh is an ACME protocol client designed for automated SSL/TLS certificate acquisition, renewal, and deployment. It facilitates HTTPS configuration by integrating with various Certificate Authorities (CAs), DNS providers, and web servers through a command-line interface.

Installation

Install from Source:

git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install -m admin@domain.com

Replace admin@domain.com with a valid email address.

Reload Bash Shell:

source ~/.bashrc

Enable Automatic Updates:

acme.sh --upgrade --auto-upgrade

Selecting a Certificate Authority

The tool supports multiple CAs: Let’s Encrypt, Buypass, ZeroSSL, SSL.com, and Google Public CA. ZeroSSL is the default. To switch CAs, use:

acme.sh --set-default-ca --server letsencrypt  # For Let's Encrypt
acme.sh --set-default-ca --server zerossl      # For ZeroSSL

To register a ZeroSSL account using External Account Binding (EAB) credentials obtained from the ZeroSSL dashboard:

# Obtain and use EAB credentials
acme.sh --register-account --server zerossl \
        --eab-kid <kid_value> \
        --eab-hmac-key <hmac_key_value>

Configuring DNS API Authentication

This method allows acme.sh to create and remove the DNS TXT records used for domain validation automatically. Using Alibaba Cloud DNS as an example:

  1. Create a RAM user in the Alibaba Cloud console with API access and grant it the AliyunDNSFullAccess permission.
  2. Set the API credentials as environment variables or add them to the configuration file.

Add credentials to ~/.acme.sh/account.conf (keep this file readable only by its owner, since it stores long-lived API credentials):

# Alibaba Cloud DNS API (these are the variable names the dns_ali hook reads)
Ali_Key="LTAIxxxxxxxxxx"
Ali_Secret="Xp3Zxxxxxxxxxx"

Requesting Certificates

Standard DNS Validation (Wildcard Example):

acme.sh --issue --dns dns_ali -d "*.domain.com" \
        --fullchain-file /ssl/cert.pem \
        --key-file /ssl/private.key

Automated Certificate Installation:

Use --installcert to deploy certificates and reload services:

acme.sh --installcert -d domain.com \
        --key-file /nginx/ssl/key.pem \
        --fullchain-file /nginx/ssl/cert.pem \
        --reloadcmd "systemctl reload nginx"

HTTP Challenge Method

This method uses a web server to serve a challenge file.

  1. Create a directory for the challenge:
    mkdir -p /var/www/acme-challenge

  2. Configure your web server (Nginx example) to serve the .well-known/acme-challenge path from this directory.
  3. Issue a certificate:
    acme.sh --issue -d domain.com -w /var/www/acme-challenge

    For an ECC certificate:
    acme.sh --issue -d domain.com --keylength ec-256 -w /var/www/acme-challenge


Automation Scripting

Create a script to automate renewal and deployment:

#!/bin/bash
# Certificate renewal and web server reload script
set -euo pipefail

CERT_DIR="/etc/nginx/ssl"
BACKUP_DIR="/etc/nginx/ssl_backup"

# Backup existing certificates (the backup directory may not exist yet)
mkdir -p "$BACKUP_DIR"
cp "$CERT_DIR"/* "$BACKUP_DIR"/ 2>/dev/null || true

# Renew certificate using DNS validation; --force renews even if not yet due.
# Stop here, without touching the live files, if issuance fails.
"$HOME"/.acme.sh/acme.sh --issue --dns dns_ali -d "*.domain.com" \
    --fullchain-file "$HOME/cert_chain.pem" \
    --key-file "$HOME/private.key" \
    --force || { echo "certificate issuance failed" >&2; exit 1; }

# Deploy new certificates (private key readable only by its owner)
cp "$HOME/cert_chain.pem" "$CERT_DIR/domain.crt"
cp "$HOME/private.key" "$CERT_DIR/domain.key"
chmod 600 "$CERT_DIR/domain.key"

# Reload web server
systemctl reload nginx
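
The script above copies the new files and reloads nginx unconditionally. As an added example (not part of the original post and not acme.sh's own code), the helper below does the deploy step defensively: it checks that the private key belongs to the certificate, backs up the currently deployed pair, installs with restrictive permissions, and only reloads after the server's config test passes, rolling back otherwise. The destination file names fullchain.pem/privkey.pem and the nginx test/reload defaults are assumptions; both commands are parameters.

```shell
#!/usr/bin/env bash
# deploy_cert: install a freshly issued fullchain + key, then test and reload.
# Usage: deploy_cert <fullchain.pem> <private.key> <dest_dir> [test_cmd] [reload_cmd]
# Returns non-zero, leaving the previously deployed files in place, if any
# check fails. test_cmd/reload_cmd default to nginx (an assumption); pass others for other servers.
deploy_cert() {
    local cert="$1" key="$2" dest="$3"
    local test_cmd="${4:-nginx -t}" reload_cmd="${5:-systemctl reload nginx}"
    local cert_pub key_pub stamp f

    # 1. Both files must exist and be non-empty
    [ -s "$cert" ] && [ -s "$key" ] || { echo "missing cert or key" >&2; return 1; }

    # 2. The key must belong to the leaf certificate: compare SubjectPublicKeyInfo
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and key do not match, aborting" >&2; return 1
    fi

    # 3. Back up the currently deployed files, timestamped, before overwriting
    mkdir -p "$dest/backup"
    stamp=$(date +%Y%m%d%H%M%S)
    for f in fullchain.pem privkey.pem; do
        if [ -f "$dest/$f" ]; then cp -p "$dest/$f" "$dest/backup/$f.$stamp"; fi
    done

    # 4. Install: world-readable chain, owner-only private key
    install -m 0644 "$cert" "$dest/fullchain.pem"
    install -m 0600 "$key"  "$dest/privkey.pem"

    # 5. Validate the server config against the new files; roll back on failure
    if ! sh -c "$test_cmd"; then
        echo "config test failed, restoring previous files" >&2
        for f in fullchain.pem privkey.pem; do
            if [ -f "$dest/backup/$f.$stamp" ]; then
                cp -p "$dest/backup/$f.$stamp" "$dest/$f"
            fi
        done
        return 1
    fi
    sh -c "$reload_cmd"
}
```

In the renewal script this replaces the two cp lines and the reload, e.g. deploy_cert "$HOME/cert_chain.pem" "$HOME/private.key" /etc/nginx/ssl.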

Schedule with Cron:

Add a line to /etc/crontab to run the script every two months (midnight on the 1st of every second month). Entries in /etc/crontab require a user field before the command:

0 0 1 */2 * root /path/to/renewal_script.sh

Tags: acme.sh SSL Certificate automation Let's Encrypt DNS API

Posted on Wed, 13 May 2026 12:34:01 +0000 by jonners