]>
Commit | Line | Data |
---|---|---|
d9f9477a | 1 | # An ACME Shell script: acme.sh |
e66337a1 | 2 | |
20082ec9 | 3 | [![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml) |
87b110bb | 4 | [![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml) |
093cfcdf | 5 | [![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml) |
20082ec9 | 6 | [![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml) |
7 | [![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml) | |
8 | [![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml) | |
9 | [![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml) | |
2d144a8b | 10 | [![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml) |
11 | ||
c7285967 | 12 | |
c2214cd4 | 13 | ![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg) |
14 | ![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg) | |
15 | ![DockerHub](https://github.com/acmesh-official/acme.sh/workflows/Build%20DockerHub/badge.svg) | |
966c7449 | 16 | |
319d49dd | 17 | |
72235a5f | 18 | <a href="https://opencollective.com/acmesh" alt="Financial Contributors on Open Collective"><img src="https://opencollective.com/acmesh/all/badge.svg?label=financial+contributors" /></a> |
19 | [![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) | |
1f5cafc2 | 20 | [![Docker stars](https://img.shields.io/docker/stars/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") |
21 | [![Docker pulls](https://img.shields.io/docker/pulls/neilpang/acme.sh.svg)](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub") | |
966c7449 | 22 | |
236e8cc9 | 23 | |
5c295254 | 24 | |
99dc89c0 | 25 | - An ACME protocol client written purely in Shell (Unix shell) language. |
1bb90298 | 26 | - Full ACME protocol implementation. |
ac999339 | 27 | - Support ECDSA certs |
28 | - Support SAN and wildcard certs | |
1bb90298 AL |
29 | - Simple, powerful and very easy to use. You only need 3 minutes to learn it. |
30 | - Bash, dash and sh compatible. | |
ac999339 | 31 | - Purely written in Shell with no dependencies on python. |
1bb90298 | 32 | - Just one script to issue, renew and install your certificates automatically. |
1f60d2bb | 33 | - DOES NOT require `root/sudoer` access. |
ac999339 | 34 | - Docker ready |
35 | - IPv6 ready | |
5d468f7c | 36 | - Cron job notifications for renewal or error etc. |
6c0ab5d2 | 37 | |
ac999339 | 38 | It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates. |
6c0ab5d2 | 39 | |
d795fac3 | 40 | Wiki: https://github.com/acmesh-official/acme.sh/wiki |
de9fd54e | 41 | |
d795fac3 | 42 | For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/acmesh-official/acme.sh/wiki/Run-acme.sh-in-docker) |
1bb90298 | 43 | |
08998032 | 44 | Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |
45 | ||
46 | ||
d795fac3 | 47 | # [中文说明](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) |
fe04faf6 | 48 | |
bae50da7 | 49 | # Who: |
6f1c72f5 | 50 | - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/) |
51 | - [ruby-china.org](https://ruby-china.org/topics/31983) | |
aaca0b6f | 52 | - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) |
6f1c72f5 | 53 | - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89) |
54 | - [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt) | |
55 | - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty) | |
56 | - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709) | |
26c669e4 | 57 | - [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html) |
6f1c72f5 | 58 | - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) |
7ff52546 | 59 | - [archlinux](https://www.archlinux.org/packages/community/any/acme.sh) |
9cf65e31 | 60 | - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) |
a5c1c303 | 61 | - [CentOS Web Panel](http://centos-webpanel.com/) |
62 | - [lnmp.org](https://lnmp.org/) | |
d795fac3 | 63 | - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) |
1bb90298 AL |
64 | |
65 | # Tested OS | |
66 | ||
daf56504 | 67 | | NO | Status| Platform| |
68 | |----|-------|---------| | |
20082ec9 | 69 | |1|[![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)|Mac OSX |
70 | |2|[![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)|Windows (cygwin with curl, openssl and crontab included) | |
41f4baad | 71 | |3|[![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)|FreeBSD |
72 | |4|[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris | |
20082ec9 | 73 | |5|[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu |
3d7375be | 74 | |6|NA|pfsense |
87b110bb | 75 | |7|[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)|OpenBSD |
093cfcdf | 76 | |8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD |
2d144a8b | 77 | |9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD |
78 | |10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian | |
79 | |11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS | |
80 | |12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE | |
81 | |13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl) | |
82 | |14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux | |
83 | |15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora | |
84 | |16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux | |
85 | |17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux | |
86 | |18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia | |
87 | |19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux | |
88 | |10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux | |
89 | |11|-----| Cloud Linux https://github.com/acmesh-official/acme.sh/issues/111 | |
90 | |22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT) | |
91 | |23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) | |
20082ec9 | 92 | |
6c0ab5d2 | 93 | |
3d7375be | 94 | Check our [testing project](https://github.com/acmesh-official/acmetest): |
6c0ab5d2 | 95 | |
d795fac3 | 96 | https://github.com/acmesh-official/acmetest |
07f4ec4f | 97 | |
c4094c68 | 98 | # Supported CA |
99 | ||
8ae08b29 | 100 | - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) |
101 | - Letsencrypt.org CA | |
d795fac3 | 102 | - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA) |
53d6ab6c | 103 | - [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) |
bcc984fc | 104 | - [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) |
693d692a | 105 | - [Pebble strict Mode](https://github.com/letsencrypt/pebble) |
ab6b9006 | 106 | - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA |
2b45dba5 | 107 | |
1bb90298 | 108 | # Supported modes |
2c75b3fd | 109 | |
1bb90298 AL |
110 | - Webroot mode |
111 | - Standalone mode | |
c9baca79 | 112 | - Standalone tls-alpn mode |
1bb90298 | 113 | - Apache mode |
d5865989 | 114 | - Nginx mode |
1bb90298 | 115 | - DNS mode |
d795fac3 | 116 | - [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) |
117 | - [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) | |
2b45dba5 | 118 | |
e8cce73a | 119 | |
df1c9d88 | 120 | # 1. How to install |
6c0ab5d2 | 121 | |
1bb90298 | 122 | ### 1. Install online |
6c0ab5d2 | 123 | |
d795fac3 | 124 | Check this project: https://github.com/acmesh-official/get.acme.sh |
b0515cf8 | 125 | |
2b45dba5 | 126 | ```bash |
565ca81b | 127 | curl https://get.acme.sh | sh -s email=my@example.com |
90dda23f | 128 | ``` |
129 | ||
130 | Or: | |
2b45dba5 SF |
131 | |
132 | ```bash | |
565ca81b | 133 | wget -O - https://get.acme.sh | sh -s email=my@example.com |
90dda23f | 134 | ``` |
135 | ||
136 | ||
1bb90298 | 137 | ### 2. Or, Install from git |
2b45dba5 | 138 | |
1bb90298 | 139 | Clone this project and launch installation: |
2b45dba5 SF |
140 | |
141 | ```bash | |
d795fac3 | 142 | git clone https://github.com/acmesh-official/acme.sh.git |
2b45dba5 | 143 | cd ./acme.sh |
565ca81b | 144 | ./acme.sh --install -m my@example.com |
6c0ab5d2 | 145 | ``` |
90dda23f | 146 | |
2b45dba5 SF |
147 | You `don't have to be root` then, although `it is recommended`. |
148 | ||
d795fac3 | 149 | Advanced Installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install |
d9ded9f3 | 150 | |
2b45dba5 | 151 | The installer will perform 3 actions: |
7a894c4c | 152 | |
1bb90298 AL |
153 | 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. |
154 | All certs will be placed in this folder too. | |
155 | 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. | |
156 | 3. Create daily cron job to check and renew the certs if needed. | |
2b45dba5 SF |
157 | |
158 | Cron entry example: | |
159 | ||
160 | ```bash | |
161 | 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null | |
162 | ``` | |
acc1e53a | 163 | |
1bb90298 AL |
164 | After the installation, you must close the current terminal and reopen it to make the alias take effect. |
165 | ||
166 | Ok, you are ready to issue certs now. | |
acc1e53a | 167 | |
6c0ab5d2 | 168 | Show help message: |
2b45dba5 | 169 | |
e27dfbb0 | 170 | ```sh |
39c8f79f | 171 | root@v1:~# acme.sh -h |
6c0ab5d2 | 172 | ``` |
1bb90298 AL |
173 | |
174 | # 2. Just issue a cert | |
2400e41f | 175 | |
2b45dba5 | 176 | **Example 1:** Single domain. |
2400e41f | 177 | |
2b45dba5 | 178 | ```bash |
caa2e45a | 179 | acme.sh --issue -d example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 180 | ``` |
2b45dba5 | 181 | |
4c38fec3 | 182 | or: |
183 | ||
184 | ```bash | |
185 | acme.sh --issue -d example.com -w /home/username/public_html | |
186 | ``` | |
187 | ||
188 | or: | |
189 | ||
190 | ```bash | |
191 | acme.sh --issue -d example.com -w /var/www/html | |
192 | ``` | |
193 | ||
2b45dba5 SF |
194 | **Example 2:** Multiple domains in the same cert. |
195 | ||
196 | ```bash | |
1bb90298 | 197 | acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 198 | ``` |
2400e41f | 199 | |
4c38fec3 | 200 | The parameter `/home/wwwroot/example.com` or `/home/username/public_html` or `/var/www/html` is the web root folder where you host your website files. You **MUST** have `write access` to this folder. |
6c0ab5d2 | 201 | |
1bb90298 AL |
202 | Second argument **"example.com"** is the main domain you want to issue the cert for. |
203 | You must have at least one domain there. | |
6c0ab5d2 | 204 | |
caa2e45a | 205 | You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. |
6c0ab5d2 | 206 | |
e27dfbb0 | 207 | The certs will be placed in `~/.acme.sh/example.com/` |
6c0ab5d2 | 208 | |
e27dfbb0 | 209 | The certs will be renewed automatically every **60** days. |
6c0ab5d2 | 210 | |
d795fac3 | 211 | More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 212 | |
213 | ||
e27dfbb0 | 214 | # 3. Install the cert to Apache/Nginx etc. |
a63b05a9 | 215 | |
e27dfbb0 | 216 | After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. |
1bb90298 | 217 | You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. |
2b45dba5 | 218 | |
1bb90298 | 219 | **Apache** example: |
2b45dba5 | 220 | ```bash |
cd9c3a79 | 221 | acme.sh --install-cert -d example.com \ |
5c539af7 | 222 | --cert-file /path/to/certfile/in/apache/cert.pem \ |
223 | --key-file /path/to/keyfile/in/apache/key.pem \ | |
224 | --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \ | |
4743171b | 225 | --reloadcmd "service apache2 force-reload" |
3c33cdfa | 226 | ``` |
227 | ||
1bb90298 | 228 | **Nginx** example: |
3c33cdfa | 229 | ```bash |
cd9c3a79 | 230 | acme.sh --install-cert -d example.com \ |
5c539af7 | 231 | --key-file /path/to/keyfile/in/nginx/key.pem \ |
232 | --fullchain-file /path/to/fullchain/nginx/cert.pem \ | |
4743171b | 233 | --reloadcmd "service nginx force-reload" |
6c0ab5d2 | 234 | ``` |
7a894c4c | 235 | |
a63b05a9 | 236 | Only the domain is required, all the other parameters are optional. |
237 | ||
e27dfbb0 | 238 | The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission. |
fe600441 | 239 | |
e27dfbb0 | 240 | Install/copy the cert/key to the production Apache or Nginx path. |
1bb90298 | 241 | |
61852447 | 242 | The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. |
7a894c4c | 243 | |
6c0ab5d2 | 244 | |
58f75313 | 245 | **Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.** |
bae50da7 | 246 | |
df1c9d88 | 247 | # 4. Use Standalone server to issue cert |
6c0ab5d2 | 248 | |
1bb90298 | 249 | **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** |
072290f2 | 250 | |
1bb90298 | 251 | Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. |
2b45dba5 SF |
252 | |
253 | ```bash | |
caa2e45a | 254 | acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com |
072290f2 N |
255 | ``` |
256 | ||
d795fac3 | 257 | More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 258 | |
c9baca79 | 259 | # 5. Use Standalone ssl server to issue cert |
e22bcf7c | 260 | |
c9baca79 | 261 | **(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** |
262 | ||
263 | Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. | |
264 | ||
265 | ```bash | |
266 | acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com | |
267 | ``` | |
268 | ||
d795fac3 | 269 | More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert |
c9baca79 | 270 | |
271 | ||
272 | # 6. Use Apache mode | |
2b45dba5 | 273 | |
1bb90298 | 274 | **(requires you to be root/sudoer, since it is required to interact with Apache server)** |
2b45dba5 | 275 | |
e8defd82 | 276 | If you are running a web server, it is recommended to use the `Webroot mode`. |
a63b05a9 | 277 | |
d5865989 | 278 | Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder. |
2c75b3fd | 279 | |
1bb90298 | 280 | Just set string "apache" as the second argument and it will force use of apache plugin automatically. |
2c75b3fd | 281 | |
e27dfbb0 | 282 | ```sh |
1bb90298 | 283 | acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com |
2c75b3fd | 284 | ``` |
a63b05a9 | 285 | |
84d80e93 | 286 | **This apache mode is only to issue the cert, it will not change your apache config files. |
d5865989 | 287 | You will need to configure your website config files to use the cert by yourself. |
f8662c9b | 288 | We don't want to mess with your apache server, don't worry.** |
d5865989 | 289 | |
d795fac3 | 290 | More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert |
2c75b3fd | 291 | |
c9baca79 | 292 | # 7. Use Nginx mode |
1bb90298 | 293 | |
9d725af6 | 294 | **(requires you to be root/sudoer, since it is required to interact with Nginx server)** |
295 | ||
e8defd82 | 296 | If you are running a web server, it is recommended to use the `Webroot mode`. |
9d725af6 | 297 | |
298 | Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder. | |
299 | ||
300 | Just set string "nginx" as the second argument. | |
301 | ||
302 | It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version. | |
303 | ||
304 | So, the config is not changed. | |
305 | ||
e27dfbb0 | 306 | ```sh |
9d725af6 | 307 | acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com |
308 | ``` | |
309 | ||
84d80e93 | 310 | **This nginx mode is only to issue the cert, it will not change your nginx config files. |
d5865989 | 311 | You will need to configure your website config files to use the cert by yourself. |
f8662c9b | 312 | We don't want to mess with your nginx server, don't worry.** |
d5865989 | 313 | |
d795fac3 | 314 | More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert |
9d725af6 | 315 | |
c9baca79 | 316 | # 8. Automatic DNS API integration |
a947dbc6 | 317 | |
1bb90298 | 318 | If your DNS provider supports API access, we can use that API to automatically issue the certs. |
6c0ab5d2 | 319 | |
1bb90298 | 320 | You don't have to do anything manually! |
ab497961 | 321 | |
236acbd6 | 322 | ### Currently acme.sh supports most of the dns providers: |
323 | ||
d795fac3 | 324 | https://github.com/acmesh-official/acme.sh/wiki/dnsapi |
ab497961 | 325 | |
c9baca79 | 326 | # 9. Use DNS manual mode: |
e27dfbb0 | 327 | |
d795fac3 | 328 | See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode first. |
46ac97a3 | 329 | |
f190de39 | 330 | If your dns provider doesn't support any api access, you can add the txt record by hand. |
e27dfbb0 | 331 | |
332 | ```bash | |
333 | acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com | |
334 | ``` | |
335 | ||
336 | You should get an output like below: | |
337 | ||
338 | ```sh | |
339 | Add the following txt record: | |
340 | Domain:_acme-challenge.example.com | |
341 | Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c | |
342 | ||
343 | Add the following txt record: | |
344 | Domain:_acme-challenge.www.example.com | |
345 | Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
346 | ||
347 | Please add those txt records to the domains. Waiting for the dns to take effect. | |
348 | ``` | |
349 | ||
350 | Then just rerun with `renew` argument: | |
351 | ||
352 | ```bash | |
353 | acme.sh --renew -d example.com | |
354 | ``` | |
355 | ||
356 | Ok, it's done. | |
357 | ||
358 | **Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.** | |
359 | ||
360 | **Please use dns api mode instead.** | |
ab497961 | 361 | |
c9baca79 | 362 | # 10. Issue ECC certificates |
2b45dba5 | 363 | |
d5865989 | 364 | Just set the `keylength` parameter with a prefix `ec-`. |
2b45dba5 | 365 | |
1add47a6 | 366 | For example: |
9e6c4208 | 367 | |
bcbecff6 | 368 | ### Single domain ECC certificate |
9e6c4208 | 369 | |
2b45dba5 | 370 | ```bash |
1bb90298 | 371 | acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 |
1add47a6 | 372 | ``` |
2b45dba5 | 373 | |
1bb90298 | 374 | ### SAN multi domain ECC certificate |
2b45dba5 SF |
375 | |
376 | ```bash | |
1bb90298 | 377 | acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 |
9e6c4208 N |
378 | ``` |
379 | ||
d5865989 | 380 | Please look at the `keylength` parameter above. |
1add47a6 | 381 | |
382 | Valid values are: | |
383 | ||
ecf1f17c | 384 | 1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** |
2b45dba5 SF |
385 | 2. **ec-384 (secp384r1, "ECDSA P-384")** |
386 | 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** | |
ecf1f17c | 387 | 4. **2048 (RSA2048)** |
388 | 5. **3072 (RSA3072)** | |
389 | 6. **4096 (RSA4096)** | |
df1c9d88 | 390 | |
df1c9d88 | 391 | |
c9baca79 | 392 | # 11. Issue Wildcard certificates |
df1c9d88 | 393 | |
e27dfbb0 | 394 | It's simple, just give a wildcard domain as the `-d` parameter. |
df1c9d88 | 395 | |
e27dfbb0 | 396 | ```sh |
f2aa5c02 | 397 | acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf |
df1c9d88 | 398 | ``` |
e27dfbb0 | 399 | |
400 | ||
401 | ||
c9baca79 | 402 | # 12. How to renew the certs |
e27dfbb0 | 403 | |
404 | No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. | |
405 | ||
406 | However, you can also force to renew a cert: | |
407 | ||
408 | ```sh | |
1bb90298 | 409 | acme.sh --renew -d example.com --force |
df1c9d88 | 410 | ``` |
411 | ||
412 | or, for ECC cert: | |
1bb90298 | 413 | |
e27dfbb0 | 414 | ```sh |
1bb90298 | 415 | acme.sh --renew -d example.com --force --ecc |
df1c9d88 | 416 | ``` |
417 | ||
1bb90298 | 418 | |
c9baca79 | 419 | # 13. How to stop cert renewal |
a4964b90 | 420 | |
e27dfbb0 | 421 | To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: |
a4964b90 | 422 | |
e27dfbb0 | 423 | ```sh |
a4964b90 FW |
424 | acme.sh --remove -d example.com [--ecc] |
425 | ``` | |
426 | ||
e27dfbb0 | 427 | The cert/key file is not removed from the disk. |
a4964b90 | 428 | |
e27dfbb0 | 429 | You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. |
a4964b90 | 430 | |
e27dfbb0 | 431 | |
c9baca79 | 432 | # 14. How to upgrade `acme.sh` |
1bb90298 | 433 | |
329174b6 | 434 | acme.sh is in constant development, so it's strongly recommended to use the latest code. |
df1c9d88 | 435 | |
436 | You can update acme.sh to the latest code: | |
1bb90298 | 437 | |
e27dfbb0 | 438 | ```sh |
df1c9d88 | 439 | acme.sh --upgrade |
440 | ``` | |
441 | ||
1bb90298 AL |
442 | You can also enable auto upgrade: |
443 | ||
e27dfbb0 | 444 | ```sh |
1bb90298 | 445 | acme.sh --upgrade --auto-upgrade |
59649e9b | 446 | ``` |
1bb90298 AL |
447 | |
448 | Then **acme.sh** will be kept up to date automatically. | |
59649e9b | 449 | |
450 | Disable auto upgrade: | |
1bb90298 | 451 | |
e27dfbb0 | 452 | ```sh |
1bb90298 | 453 | acme.sh --upgrade --auto-upgrade 0 |
59649e9b | 454 | ``` |
455 | ||
1bb90298 | 456 | |
c9baca79 | 457 | # 15. Issue a cert from an existing CSR |
8371b030 | 458 | |
d795fac3 | 459 | https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR |
8371b030 | 460 | |
461 | ||
5d468f7c | 462 | # 16. Send notifications in cronjob |
463 | ||
d795fac3 | 464 | https://github.com/acmesh-official/acme.sh/wiki/notify |
5d468f7c | 465 | |
466 | ||
467 | # 17. Under the Hood | |
6c0ab5d2 | 468 | |
99dc89c0 | 469 | Speak ACME language using shell, directly to "Let's Encrypt". |
6c0ab5d2 N |
470 | |
471 | TODO: | |
472 | ||
1bb90298 | 473 | |
5d468f7c | 474 | # 18. Acknowledgments |
1bb90298 | 475 | |
63f04675 N |
476 | 1. Acme-tiny: https://github.com/diafygi/acme-tiny |
477 | 2. ACME protocol: https://github.com/ietf-wg-acme/acme | |
63f04675 | 478 | |
1bb90298 | 479 | |
683592fa | 480 | ## Contributors |
481 | ||
482 | ### Code Contributors | |
483 | ||
6621ef6a | 484 | This project exists thanks to all the people who contribute. |
d795fac3 | 485 | <a href="https://github.com/acmesh-official/acme.sh/graphs/contributors"><img src="https://opencollective.com/acmesh/contributors.svg?width=890&button=false" /></a> |
683592fa | 486 | |
487 | ### Financial Contributors | |
488 | ||
489 | Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)] | |
490 | ||
491 | #### Individuals | |
492 | ||
493 | <a href="https://opencollective.com/acmesh"><img src="https://opencollective.com/acmesh/individuals.svg?width=890"></a> | |
494 | ||
495 | #### Organizations | |
496 | ||
497 | Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)] | |
498 | ||
499 | <a href="https://opencollective.com/acmesh/organization/0/website"><img src="https://opencollective.com/acmesh/organization/0/avatar.svg"></a> | |
500 | <a href="https://opencollective.com/acmesh/organization/1/website"><img src="https://opencollective.com/acmesh/organization/1/avatar.svg"></a> | |
501 | <a href="https://opencollective.com/acmesh/organization/2/website"><img src="https://opencollective.com/acmesh/organization/2/avatar.svg"></a> | |
502 | <a href="https://opencollective.com/acmesh/organization/3/website"><img src="https://opencollective.com/acmesh/organization/3/avatar.svg"></a> | |
503 | <a href="https://opencollective.com/acmesh/organization/4/website"><img src="https://opencollective.com/acmesh/organization/4/avatar.svg"></a> | |
504 | <a href="https://opencollective.com/acmesh/organization/5/website"><img src="https://opencollective.com/acmesh/organization/5/avatar.svg"></a> | |
505 | <a href="https://opencollective.com/acmesh/organization/6/website"><img src="https://opencollective.com/acmesh/organization/6/avatar.svg"></a> | |
506 | <a href="https://opencollective.com/acmesh/organization/7/website"><img src="https://opencollective.com/acmesh/organization/7/avatar.svg"></a> | |
507 | <a href="https://opencollective.com/acmesh/organization/8/website"><img src="https://opencollective.com/acmesh/organization/8/avatar.svg"></a> | |
508 | <a href="https://opencollective.com/acmesh/organization/9/website"><img src="https://opencollective.com/acmesh/organization/9/avatar.svg"></a> | |
509 | ||
9a5c2b88 | 510 | |
511 | #### Sponsors | |
512 | ||
513 | [![quantumca-acmesh-logo](https://user-images.githubusercontent.com/8305679/183255712-634ee1db-bb61-4c03-bca0-bacce99e078c.svg)](https://www.quantumca.com.cn/?__utm_source=acmesh-donation) | |
514 | ||
515 | ||
5d468f7c | 516 | # 19. License & Others |
6c0ab5d2 N |
517 | |
518 | License is GPLv3 | |
519 | ||
1d06c947 | 520 | Please Star and Fork me. |
6c0ab5d2 | 521 | |
d795fac3 | 522 | [Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome. |
6c0ab5d2 N |
523 | |
524 | ||
5d468f7c | 525 | # 20. Donate |
cb6f6229 | 526 | Your donation makes **acme.sh** better: |
6c0ab5d2 | 527 | |
43d3b51b | 528 | 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) |
84d80e93 | 529 | |
d795fac3 | 530 | [Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list) |