acme.sh

From ArchWiki
Revision as of 13:45, 5 July 2022 (Tue) by Kusanaginoturugi (talk | contribs) (page created)

acme.sh is an ACME client written purely in shell script. It implements the full ACME protocol and supports, for example, IPv6 and wildcard certificates.

Installation

Install the acme.sh package, and socat if you want to use the standalone mode.

Usage

The package does not provide man pages; usage is documented in the project's wiki. Executing acme.sh --help outputs a long list of commands and parameters.

There are three basic steps involved:

  1. Requesting a certificate to be issued.
  2. Installing the issued certificate, to make it useful.
  3. Maintaining the certificate over time.

as covered by the examples below.

Issuing a new cert

You can specify any domain with the -d option.

Tip: You might want to specify Let's Encrypt as your default CA, as acme.sh uses ZeroSSL as its default CA effective from August 1st, 2021.

The acme.sh script supports different validation modes. Examples of the modes and the options to specify for each are:

  • Webroot mode:
    $ acme.sh --issue -d example.com -d www.example.com -d cp.example.com -d '*.example.com' -w /home/wwwroot/example.com
  • Standalone mode, by adding --standalone if no web server is running (requires socat to be installed):
    $ acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
  • Nginx mode:
    $ acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
  • DNS mode, here with the dns_he provider:
    $ acme.sh --issue -d example.com -d '*.example.com' --dns dns_he

The project's wiki lists more examples.
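As an added example (not code from the acme.sh project or from the original page), a POSIX shell pre-flight helper that refuses combinations acme.sh cannot validate: webroot, standalone and nginx modes answer the HTTP-01 challenge, which cannot prove control of a wildcard name, so a name such as '*.example.com' has to go through the DNS mode. The function names and the argument layout are assumptions; the helper only prints the command it would run.

```shell
# Hypothetical pre-flight helper, not part of acme.sh: checks that the chosen
# validation mode can satisfy the requested names, then prints the matching
# "acme.sh --issue" command line instead of running it.

# Returns 0 when the mode validates over HTTP-01 (no wildcard support).
is_http_mode() {
    case "$1" in
        webroot|standalone|nginx) return 0 ;;
        *) return 1 ;;
    esac
}

# check_domains MODE NAME... : 0 if every name can be validated in MODE,
# otherwise prints the problem to stderr and returns 1.
check_domains() {
    mode=$1; shift
    for d in "$@"; do
        case "$d" in
            \*.*)
                if is_http_mode "$mode"; then
                    echo "$d: wildcard names need DNS-01; use --dns, not $mode mode" >&2
                    return 1
                fi ;;
            *'*'*)
                echo "$d: only a leading '*.' wildcard is allowed" >&2
                return 1 ;;
        esac
    done
    return 0
}

# build_issue_cmd MODE ARG NAME... : ARG is the webroot path for webroot mode
# or the provider name (e.g. dns_he) for dns mode; it is ignored otherwise.
build_issue_cmd() {
    mode=$1; arg=$2; shift 2
    check_domains "$mode" "$@" || return 1
    case "$mode" in
        webroot)
            [ -d "$arg" ] || { echo "webroot $arg is not a directory" >&2; return 1; }
            flags="-w $arg" ;;
        standalone) flags="--standalone" ;;
        nginx)      flags="--nginx" ;;
        dns)        flags="--dns $arg" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    cmd="acme.sh --issue"
    for d in "$@"; do
        # Single-quote wildcard names so the printed command is safe to paste.
        case "$d" in *'*'*) cmd="$cmd -d '$d'" ;; *) cmd="$cmd -d $d" ;; esac
    done
    printf '%s %s\n' "$cmd" "$flags"
}
```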

Install the cert to Apache/Nginx etc

Nginx:

$ acme.sh --install-cert -d example.com --key-file '/path/to/keyfile/in/nginx/example.key' --fullchain-file '/path/to/fullchain/nginx/example.cer' --reloadcmd "systemctl force-reload nginx"

Apache:

$ acme.sh --install-cert -d example.com --cert-file '/path/to/certfile/in/apache/example.cer' --key-file '/path/to/keyfile/in/apache/example.key' --fullchain-file '/path/to/fullchain/certfile/apache/example.fullchain.cer' --reloadcmd "systemctl force-reload apache2"

Maintaining a cert

The certs are renewed every 60 days by default. To run acme.sh regularly so that renewals actually happen, set up a systemd timer.

See also

  • Project homepage and wiki for its documentation.
  • acme-tiny offers several related utilities, as well as additional general ACME documentation.
  • lacme is a small ACME client written with process isolation and minimal privileges in mind.