]>
Commit | Line | Data |
---|---|---|
a2e62f8e | 1 | # An ACME Shell script: acme.sh [![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh) |
99dc89c0 | 2 | - An ACME protocol client written purely in Shell (Unix shell) language. |
1bb90298 AL |
3 | - Full ACME protocol implementation. |
4 | - Simple, powerful and very easy to use. You only need 3 minutes to learn it. | |
5 | - Bash, dash and sh compatible. | |
2b45dba5 | 6 | - Simplest shell script for Let's Encrypt free certificate client. |
1bb90298 AL |
7 | - Purely written in Shell with no dependencies on python or the official Let's Encrypt client. |
8 | - Just one script to issue, renew and install your certificates automatically. | |
1f60d2bb | 9 | - DOES NOT require `root/sudoer` access. |
6c0ab5d2 | 10 | |
2b45dba5 | 11 | It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt. |
6c0ab5d2 | 12 | |
6cc11ffb | 13 | Wiki: https://github.com/Neilpang/acme.sh/wiki |
de9fd54e | 14 | |
1bb90298 | 15 | |
fe04faf6 | 16 | # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E) |
17 | ||
1bb90298 AL |
18 | |
19 | # Tested OS | |
20 | ||
daf56504 | 21 | | NO | Status| Platform| |
22 | |----|-------|---------| | |
620f8613 | 23 | |1|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu |
24 | |2|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian | |
25 | |3|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS | |
990d46d6 | 26 | |4|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included) |
620f8613 | 27 | |5|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD |
28 | |6|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense | |
29 | |7|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE | |
30 | |8|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl) | |
31 | |9|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux | |
32 | |10|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora | |
33 | |11|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux | |
34 | |12|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux | |
35 | |13|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh | |
63c6a3b0 | 36 | |14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111 |
620f8613 | 37 | |15|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD |
199067e8 | 38 | |16|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia |
3ad08e95 | 39 | |17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT) |
527dd31c | 40 | |18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris |
5961d443 | 41 | |19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux |
6c0ab5d2 | 42 | |
1bb90298 | 43 | For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest): |
6c0ab5d2 | 44 | |
6cc11ffb | 45 | https://github.com/Neilpang/acmetest |
07f4ec4f | 46 | |
2b45dba5 | 47 | |
1bb90298 | 48 | # Supported modes |
2c75b3fd | 49 | |
1bb90298 AL |
50 | - Webroot mode |
51 | - Standalone mode | |
52 | - Apache mode | |
53 | - DNS mode | |
2b45dba5 | 54 | |
e8cce73a | 55 | |
df1c9d88 | 56 | # 1. How to install |
6c0ab5d2 | 57 | |
1bb90298 | 58 | ### 1. Install online |
6c0ab5d2 | 59 | |
5bdad844 | 60 | Check this project: https://github.com/Neilpang/get.acme.sh |
b0515cf8 | 61 | |
2b45dba5 | 62 | ```bash |
99dc89c0 | 63 | curl https://get.acme.sh | sh |
90dda23f | 64 | ``` |
65 | ||
66 | Or: | |
2b45dba5 SF |
67 | |
68 | ```bash | |
99dc89c0 | 69 | wget -O - https://get.acme.sh | sh |
90dda23f | 70 | ``` |
71 | ||
72 | ||
1bb90298 | 73 | ### 2. Or, Install from git |
2b45dba5 | 74 | |
1bb90298 | 75 | Clone this project and launch installation: |
2b45dba5 SF |
76 | |
77 | ```bash | |
6cc11ffb | 78 | git clone https://github.com/Neilpang/acme.sh.git |
2b45dba5 | 79 | cd ./acme.sh |
6cc11ffb | 80 | ./acme.sh --install |
6c0ab5d2 | 81 | ``` |
90dda23f | 82 | |
2b45dba5 SF |
83 | You `don't have to be root` then, although `it is recommended`. |
84 | ||
1bb90298 | 85 | Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install |
d9ded9f3 | 86 | |
2b45dba5 | 87 | The installer will perform 3 actions: |
7a894c4c | 88 | |
1bb90298 AL |
89 | 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. |
90 | All certs will be placed in this folder too. | |
91 | 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. | |
92 | 3. Create daily cron job to check and renew the certs if needed. | |
2b45dba5 SF |
93 | |
94 | Cron entry example: | |
95 | ||
96 | ```bash | |
97 | 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null | |
98 | ``` | |
acc1e53a | 99 | |
1bb90298 AL |
100 | After the installation, you must close the current terminal and reopen it to make the alias take effect. |
101 | ||
102 | Ok, you are ready to issue certs now. | |
acc1e53a | 103 | |
6c0ab5d2 | 104 | Show help message: |
2b45dba5 | 105 | |
6c0ab5d2 | 106 | ``` |
39c8f79f | 107 | root@v1:~# acme.sh -h |
6c0ab5d2 | 108 | ``` |
1bb90298 AL |
109 | |
110 | # 2. Just issue a cert | |
2400e41f | 111 | |
2b45dba5 | 112 | **Example 1:** Single domain. |
2400e41f | 113 | |
2b45dba5 | 114 | ```bash |
caa2e45a | 115 | acme.sh --issue -d example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 116 | ``` |
2b45dba5 SF |
117 | |
118 | **Example 2:** Multiple domains in the same cert. | |
119 | ||
120 | ```bash | |
1bb90298 | 121 | acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 122 | ``` |
2400e41f | 123 | |
caa2e45a | 124 | The parameter `/home/wwwroot/example.com` is the web root folder. You **MUST** have `write access` to this folder. |
6c0ab5d2 | 125 | |
1bb90298 AL |
126 | Second argument **"example.com"** is the main domain you want to issue the cert for. |
127 | You must have at least one domain there. | |
6c0ab5d2 | 128 | |
caa2e45a | 129 | You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. |
6c0ab5d2 | 130 | |
1bb90298 | 131 | Generated/issued certs will be placed in `~/.acme.sh/example.com/` |
6c0ab5d2 | 132 | |
1bb90298 | 133 | The issued cert will be renewed automatically every **60** days. |
6c0ab5d2 | 134 | |
6cc11ffb | 135 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 136 | |
137 | ||
1bb90298 | 138 | # 3. Install the issued cert to Apache/Nginx etc. |
a63b05a9 | 139 | |
1bb90298 AL |
140 | After you issue a cert, you probably want to install/copy the cert to your Apache/Nginx or other servers. |
141 | You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. | |
2b45dba5 | 142 | |
1bb90298 | 143 | **Apache** example: |
2b45dba5 | 144 | ```bash |
caa2e45a | 145 | acme.sh --installcert -d example.com \ |
1bb90298 AL |
146 | --certpath /path/to/certfile/in/apache/cert.pem \ |
147 | --keypath /path/to/keyfile/in/apache/key.pem \ | |
148 | --fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \ | |
149 | --reloadcmd "service apache2 restart" | |
3c33cdfa | 150 | ``` |
151 | ||
1bb90298 | 152 | **Nginx** example: |
3c33cdfa | 153 | ```bash |
154 | acme.sh --installcert -d example.com \ | |
1bb90298 AL |
155 | --keypath /path/to/keyfile/in/nginx/key.pem \ |
156 | --fullchainpath /path/to/fullchain/nginx/cert.pem \ | |
157 | --reloadcmd "service nginx restart" | |
6c0ab5d2 | 158 | ``` |
7a894c4c | 159 | |
a63b05a9 | 160 | Only the domain is required, all the other parameters are optional. |
161 | ||
1bb90298 AL |
162 | Install/copy the issued cert/key to the production Apache or Nginx path. |
163 | ||
164 | The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the Apache/Nginx service will be restarted automatically by the command: `service apache2 restart` or `service nginx restart`. | |
7a894c4c | 165 | |
6c0ab5d2 | 166 | |
df1c9d88 | 167 | # 4. Use Standalone server to issue cert |
6c0ab5d2 | 168 | |
1bb90298 | 169 | **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** |
072290f2 | 170 | |
1bb90298 | 171 | Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. |
2b45dba5 SF |
172 | |
173 | ```bash | |
caa2e45a | 174 | acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com |
072290f2 N |
175 | ``` |
176 | ||
6cc11ffb | 177 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 178 | |
e22bcf7c | 179 | |
1bb90298 AL |
180 | # 5. Use Standalone TLS server to issue cert |
181 | ||
182 | **(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** | |
e22bcf7c | 183 | |
184 | acme.sh supports `tls-sni-01` validation. | |
185 | ||
1bb90298 | 186 | Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. |
e22bcf7c | 187 | |
188 | ```bash | |
caa2e45a | 189 | acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com |
e22bcf7c | 190 | ``` |
191 | ||
192 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
193 | ||
1bb90298 | 194 | |
df1c9d88 | 195 | # 6. Use Apache mode |
2b45dba5 | 196 | |
1bb90298 | 197 | **(requires you to be root/sudoer, since it is required to interact with Apache server)** |
2b45dba5 | 198 | |
1bb90298 | 199 | If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`. |
a63b05a9 | 200 | |
1bb90298 | 201 | Particularly, if you are running an Apache server, you should use Apache mode instead. This mode doesn't write any files to your web root folder. |
2c75b3fd | 202 | |
1bb90298 | 203 | Just set string "apache" as the second argument and it will force use of apache plugin automatically. |
2c75b3fd | 204 | |
205 | ``` | |
1bb90298 | 206 | acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com |
2c75b3fd | 207 | ``` |
a63b05a9 | 208 | |
6cc11ffb | 209 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
2c75b3fd | 210 | |
1bb90298 | 211 | |
df1c9d88 | 212 | # 7. Use DNS mode: |
a947dbc6 | 213 | |
2b45dba5 SF |
214 | Support the `dns-01` challenge. |
215 | ||
216 | ```bash | |
1bb90298 | 217 | acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com |
a947dbc6 N |
218 | ``` |
219 | ||
1bb90298 | 220 | You should get an output like below: |
2b45dba5 | 221 | |
a947dbc6 N |
222 | ``` |
223 | Add the following txt record: | |
caa2e45a | 224 | Domain:_acme-challenge.example.com |
a947dbc6 N |
225 | Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c |
226 | ||
227 | Add the following txt record: | |
caa2e45a | 228 | Domain:_acme-challenge.www.example.com |
a947dbc6 | 229 | Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
a947dbc6 N |
230 | |
231 | Please add those txt records to the domains. Waiting for the dns to take effect. | |
a947dbc6 | 232 | ``` |
2b45dba5 SF |
233 | |
234 | Then just rerun with `renew` argument: | |
235 | ||
236 | ```bash | |
caa2e45a | 237 | acme.sh --renew -d example.com |
a947dbc6 N |
238 | ``` |
239 | ||
240 | Ok, it's finished. | |
241 | ||
1bb90298 | 242 | |
df1c9d88 | 243 | # 8. Automatic DNS API integration |
a947dbc6 | 244 | |
1bb90298 | 245 | If your DNS provider supports API access, we can use that API to automatically issue the certs. |
6c0ab5d2 | 246 | |
1bb90298 | 247 | You don't have to do anything manually! |
ab497961 | 248 | |
2b45dba5 | 249 | ### Currently acme.sh supports: |
855d9499 | 250 | |
9c174758 | 251 | 1. CloudFlare.com API |
252 | 1. DNSPod.cn API | |
253 | 1. CloudXNS.com API | |
254 | 1. GoDaddy.com API | |
255 | 1. OVH, kimsufi, soyoustart and runabove API | |
5b771039 | 256 | 1. AWS Route 53 |
9c174758 | 257 | 1. PowerDNS.com API |
258 | 1. lexicon DNS API: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api | |
1bb90298 | 259 | (DigitalOcean, DNSimple, DNSMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.) |
9c174758 | 260 | 1. LuaDNS.com API |
261 | 1. DNSMadeEasy.com API | |
262 | 1. nsupdate API | |
1bb90298 AL |
263 | |
264 | **More APIs coming soon...** | |
ab497961 | 265 | |
1bb90298 | 266 | If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute it to the project. |
ab497961 | 267 | |
1bb90298 | 268 | For more details: [How to use DNS API](dnsapi) |
ab497961 | 269 | |
270 | ||
1bb90298 | 271 | # 9. Issue ECC certificates |
2b45dba5 | 272 | |
1bb90298 | 273 | `Let's Encrypt` can now issue **ECDSA** certificates. |
2b45dba5 | 274 | |
1bb90298 | 275 | And we support them too! |
1add47a6 | 276 | |
8b92aab7 | 277 | Just set the `length` parameter with a prefix `ec-`. |
2b45dba5 | 278 | |
1add47a6 | 279 | For example: |
9e6c4208 | 280 | |
1bb90298 | 281 | ### Single domain ECC cerfiticate |
9e6c4208 | 282 | |
2b45dba5 | 283 | ```bash |
1bb90298 | 284 | acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 |
1add47a6 | 285 | ``` |
2b45dba5 | 286 | |
1bb90298 | 287 | ### SAN multi domain ECC certificate |
2b45dba5 SF |
288 | |
289 | ```bash | |
1bb90298 | 290 | acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 |
9e6c4208 N |
291 | ``` |
292 | ||
1add47a6 | 293 | Please look at the last parameter above. |
294 | ||
295 | Valid values are: | |
296 | ||
2b45dba5 SF |
297 | 1. **ec-256 (prime256v1, "ECDSA P-256")** |
298 | 2. **ec-384 (secp384r1, "ECDSA P-384")** | |
299 | 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** | |
1add47a6 | 300 | |
df1c9d88 | 301 | |
1bb90298 | 302 | # 10. How to renew the issued certs |
df1c9d88 | 303 | |
1bb90298 | 304 | No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. |
df1c9d88 | 305 | |
306 | However, you can also force to renew any cert: | |
307 | ||
308 | ``` | |
1bb90298 | 309 | acme.sh --renew -d example.com --force |
df1c9d88 | 310 | ``` |
311 | ||
312 | or, for ECC cert: | |
1bb90298 | 313 | |
df1c9d88 | 314 | ``` |
1bb90298 | 315 | acme.sh --renew -d example.com --force --ecc |
df1c9d88 | 316 | ``` |
317 | ||
1bb90298 | 318 | |
df1c9d88 | 319 | # 11. How to upgrade `acme.sh` |
1bb90298 AL |
320 | |
321 | acme.sh is in constant developement, so it's strongly recommended to use the latest code. | |
df1c9d88 | 322 | |
323 | You can update acme.sh to the latest code: | |
1bb90298 | 324 | |
df1c9d88 | 325 | ``` |
326 | acme.sh --upgrade | |
327 | ``` | |
328 | ||
1bb90298 AL |
329 | You can also enable auto upgrade: |
330 | ||
59649e9b | 331 | ``` |
1bb90298 | 332 | acme.sh --upgrade --auto-upgrade |
59649e9b | 333 | ``` |
1bb90298 AL |
334 | |
335 | Then **acme.sh** will be kept up to date automatically. | |
59649e9b | 336 | |
337 | Disable auto upgrade: | |
1bb90298 | 338 | |
59649e9b | 339 | ``` |
1bb90298 | 340 | acme.sh --upgrade --auto-upgrade 0 |
59649e9b | 341 | ``` |
342 | ||
1bb90298 | 343 | |
150e9c8a | 344 | # 12. Issue a cert from an existing CSR |
8371b030 | 345 | |
346 | https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR | |
347 | ||
348 | ||
2b45dba5 | 349 | # Under the Hood |
6c0ab5d2 | 350 | |
99dc89c0 | 351 | Speak ACME language using shell, directly to "Let's Encrypt". |
6c0ab5d2 N |
352 | |
353 | TODO: | |
354 | ||
1bb90298 AL |
355 | |
356 | # Acknowledgments | |
357 | ||
63f04675 N |
358 | 1. Acme-tiny: https://github.com/diafygi/acme-tiny |
359 | 2. ACME protocol: https://github.com/ietf-wg-acme/acme | |
4e1f39cd | 360 | 3. Certbot: https://github.com/certbot/certbot |
63f04675 | 361 | |
1bb90298 | 362 | |
150e9c8a | 363 | # License & Others |
6c0ab5d2 N |
364 | |
365 | License is GPLv3 | |
366 | ||
1d06c947 | 367 | Please Star and Fork me. |
6c0ab5d2 | 368 | |
1bb90298 | 369 | [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome. |
6c0ab5d2 N |
370 | |
371 | ||
fa989a55 | 372 | # Donate |
6c0ab5d2 | 373 | |
1bb90298 | 374 | 1. PayPal: donate@acme.sh |
d4d1f0f4 | 375 | |
1bb90298 | 376 | [Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list) |