If you’re using a web hosting company, you may have heard of LetsEncrypt. Let’s Encrypt is a free, open-source certificate authority that helps make it easier for users to get secure HTTPS access. If you’re not using a web hosting company, and you want to get a certificate from Let’s Encrypt, there are a few steps you need to take. First, create an account on the Let’s Encrypt website. Then, find the certificate that you want to request. The certificates are organized by subject matter: security, privacy, and application areas. Next, find the right form to request the certificate. There are three main forms: online form (available on most websites), email form (available only on some websites), and phone form (available only on certain websites). The online form is easiest to use and takes just minutes to complete. The email form is more complicated but can be completed in minutes if you have an internet connection and an email address. The phone form is more difficult but can be completed in minutes if you have a phone and an internet connection. Once you’ve completed the online form or the phone form, click on the “submit” button at the bottom of each page. You’ll be taken to a confirmation page where you’ll need to enter your name and email address. You’ll also need to provide your domain name (if it’s not already provided). After clicking on “submit,” your certificate will be created and sent back to Let’s Encrypt for review. If everything goes well, your certificate will be published within 24 hours!
LetsEncrypt changed the SSL certificate world when its offer of free, short-lived, SSL certificates allowed a vast amount of individuals and companies to secure their web applications at no cost. With this service, the necessary infrastructure would need to exist, and to that end, a plethora of applications sprung up that fit the SSL-issuing needs.
One of the most common utilities is that of CertBot, which can work well, but another open-source application that is available is acme.sh. This is an entirely shell-based ACME (the protocol used by LetsEncrypt for issuing SSL certificates) client. With a lot of advanced functionality built-in, this client allows for complex configurations.
Installing Acme.sh
The easiest way to install acme.sh is the following, which downloads and executes the script from here, https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh.
The source for that site is located here, if you would like to verify what the actual script is doing
The installation will download and move the files to ~/.acme.sh, and install an alias into your ~/.bashrc file. Additionally, a cron job will be installed if available.
First Steps
A lot of how you use acme.sh depends on the method and application that you are requesting the certificate for. Acme.sh offers many different methods to actually request a certificate such as:
Webroot mode Standalone mode Standalone tls-alpn mode Apache mode Nginx mode DNS mode DNS alias mode Stateless mode
In this article, I’m going to demonstrate two different ways to request a certificate. I am including web server configurations for both NGINX and Apache, which uses the Webroot method. The DNS mode method uses a configuration file to create CNAME records that are used to verify the domain, instead of creating a file on the file system.
Web Server Configuration
NGINX LetsEncrypt Configuration
NGINX makes it easy to create a shared configuration to use when using the webroot method of requesting a certificate.
letsencrypt.conf
It is recommended to create a standalone configuration that can be included as needed in the vhost configurations, like so: include /etc/nginx/letsencrypt.conf
Apache
Much like NGINX, Apache can create a separate configuration file. An example of this configuration is shown below.
/etc/apache2/conf-available/letsencrypt.conf
In this case, the Apache configuration is specific to the virtual host due to the need to include the disk location. The following is a common location, but it may be differ depending on your specific configuration.
DNS Configuration
In this article, I am demonstrating the DNS mode using Cloudflare, as it offers extremely quick DNS changes and works exceptionally well with this method.
Acme.sh uses two environmental variables for the dns_cf method: CF_Key and CF_Email. To include this in your environment upon startup, you can include this config within your .bashrc file.
It may not be readily apparent, but there is a preceding space before each export command, which generally ensures that they won’t be read into history, just in case.
Issue Certificate via Webroot Method
When issuing the following command, two domains are defined in a single certificate. This is to make sure that when either hostname is requested (and often redirected to the canonical one), the request will still be protected by a secure connection.
Issued certificates are in /.acme.sh/acme.sh/{domain_name}
Issue Certificate via DNS Method
When using the DNS-issuing method, a temporary txt record is created via the Cloudflare API, and LetsEncrypt verifies the domain using that temporary record. This is a cleaner method, as no webroot configuration is needed.
Issued certificates are in /.acme.sh/acme.sh/{domain_name}
Renewing Certificate
By default, Acme.sh, will create a cronjob like the following entry:
To force a renewal, you can issue the following command, which will use the same issuing method as originally used:
Removing Certificates
If you no longer want to renew a certificate, it’s very easy to remove. This does not remove the certificate from the disk, though. To do that, you will need to navigate to ~/.acme.sh/ and remove the directory containing the certificates.
This does allow one to clean up the certificates that are set up for renewal, which you can check by listing the certificates like so:
Conclusion
LetsEncrypt offers an excellent and easy-to-use service for provisioning SSL certificates for use in websites. Creating a secure website is easier than ever, and using the acme.sh client means you have complete control over how this occurs on your web server.
With a number of different methods to obtain a certificate, even very secure methods, such as a delegated domain, allows one to properly retrieve the needed certificates.
