]>
Commit | Line | Data |
---|---|---|
a2e62f8e | 1 | # An ACME Shell script: acme.sh [![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh) |
319d49dd TGB |
2 | |
3 | [![Join the chat at https://gitter.im/acme-sh/Lobby](https://badges.gitter.im/acme-sh/Lobby.svg)](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge) | |
99dc89c0 | 4 | - An ACME protocol client written purely in Shell (Unix shell) language. |
1bb90298 AL |
5 | - Full ACME protocol implementation. |
6 | - Simple, powerful and very easy to use. You only need 3 minutes to learn it. | |
7 | - Bash, dash and sh compatible. | |
2b45dba5 | 8 | - Simplest shell script for Let's Encrypt free certificate client. |
1bb90298 AL |
9 | - Purely written in Shell with no dependencies on python or the official Let's Encrypt client. |
10 | - Just one script to issue, renew and install your certificates automatically. | |
1f60d2bb | 11 | - DOES NOT require `root/sudoer` access. |
f3b43439 | 12 | - Docker friendly |
0f48b156 | 13 | - IPv6 support |
6c0ab5d2 | 14 | |
9cf65e31 | 15 | It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt. |
6c0ab5d2 | 16 | |
6cc11ffb | 17 | Wiki: https://github.com/Neilpang/acme.sh/wiki |
de9fd54e | 18 | |
f3b43439 | 19 | For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker) |
1bb90298 | 20 | |
08998032 | 21 | Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |
22 | ||
23 | ||
fe04faf6 | 24 | # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E) |
25 | ||
6f1c72f5 | 26 | # Who are using **acme.sh** |
27 | - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/) | |
28 | - [ruby-china.org](https://ruby-china.org/topics/31983) | |
29 | - [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer)) | |
30 | - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89) | |
31 | - [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt) | |
32 | - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty) | |
33 | - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709) | |
34 | - [Centminmod](http://centminmod.com/letsencrypt-acmetool-https.html) | |
35 | - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297) | |
36 | - [archlinux](https://aur.archlinux.org/packages/acme.sh-git/) | |
9cf65e31 | 37 | - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient) |
63ec05a6 | 38 | - [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials) |
1bb90298 AL |
39 | |
40 | # Tested OS | |
41 | ||
daf56504 | 42 | | NO | Status| Platform| |
43 | |----|-------|---------| | |
620f8613 | 44 | |1|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu |
45 | |2|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian | |
46 | |3|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS | |
990d46d6 | 47 | |4|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included) |
620f8613 | 48 | |5|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD |
49 | |6|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense | |
50 | |7|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE | |
51 | |8|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl) | |
52 | |9|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux | |
53 | |10|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora | |
54 | |11|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux | |
55 | |12|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux | |
56 | |13|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh | |
63c6a3b0 | 57 | |14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111 |
620f8613 | 58 | |15|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD |
199067e8 | 59 | |16|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia |
3ad08e95 | 60 | |17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT) |
527dd31c | 61 | |18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris |
5961d443 | 62 | |19|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux |
b28a3db3 | 63 | |20|[![Build Status](https://travis-ci.org/Neilpang/acme.sh.svg?branch=master)](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX |
6c0ab5d2 | 64 | |
aa66dfff | 65 | For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest): |
6c0ab5d2 | 66 | |
6cc11ffb | 67 | https://github.com/Neilpang/acmetest |
07f4ec4f | 68 | |
2b45dba5 | 69 | |
1bb90298 | 70 | # Supported modes |
2c75b3fd | 71 | |
1bb90298 AL |
72 | - Webroot mode |
73 | - Standalone mode | |
74 | - Apache mode | |
7db28745 | 75 | - Nginx mode ( Beta ) |
1bb90298 | 76 | - DNS mode |
7c488b59 | 77 | - [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode) |
2b45dba5 | 78 | |
e8cce73a | 79 | |
df1c9d88 | 80 | # 1. How to install |
6c0ab5d2 | 81 | |
1bb90298 | 82 | ### 1. Install online |
6c0ab5d2 | 83 | |
5bdad844 | 84 | Check this project: https://github.com/Neilpang/get.acme.sh |
b0515cf8 | 85 | |
2b45dba5 | 86 | ```bash |
99dc89c0 | 87 | curl https://get.acme.sh | sh |
90dda23f | 88 | ``` |
89 | ||
90 | Or: | |
2b45dba5 SF |
91 | |
92 | ```bash | |
99dc89c0 | 93 | wget -O - https://get.acme.sh | sh |
90dda23f | 94 | ``` |
95 | ||
96 | ||
1bb90298 | 97 | ### 2. Or, Install from git |
2b45dba5 | 98 | |
1bb90298 | 99 | Clone this project and launch installation: |
2b45dba5 SF |
100 | |
101 | ```bash | |
6cc11ffb | 102 | git clone https://github.com/Neilpang/acme.sh.git |
2b45dba5 | 103 | cd ./acme.sh |
6cc11ffb | 104 | ./acme.sh --install |
6c0ab5d2 | 105 | ``` |
90dda23f | 106 | |
2b45dba5 SF |
107 | You `don't have to be root` then, although `it is recommended`. |
108 | ||
1bb90298 | 109 | Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install |
d9ded9f3 | 110 | |
2b45dba5 | 111 | The installer will perform 3 actions: |
7a894c4c | 112 | |
1bb90298 AL |
113 | 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. |
114 | All certs will be placed in this folder too. | |
115 | 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. | |
116 | 3. Create daily cron job to check and renew the certs if needed. | |
2b45dba5 SF |
117 | |
118 | Cron entry example: | |
119 | ||
120 | ```bash | |
121 | 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null | |
122 | ``` | |
acc1e53a | 123 | |
1bb90298 AL |
124 | After the installation, you must close the current terminal and reopen it to make the alias take effect. |
125 | ||
126 | Ok, you are ready to issue certs now. | |
acc1e53a | 127 | |
6c0ab5d2 | 128 | Show help message: |
2b45dba5 | 129 | |
6c0ab5d2 | 130 | ``` |
39c8f79f | 131 | root@v1:~# acme.sh -h |
6c0ab5d2 | 132 | ``` |
1bb90298 AL |
133 | |
134 | # 2. Just issue a cert | |
2400e41f | 135 | |
2b45dba5 | 136 | **Example 1:** Single domain. |
2400e41f | 137 | |
2b45dba5 | 138 | ```bash |
caa2e45a | 139 | acme.sh --issue -d example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 140 | ``` |
2b45dba5 | 141 | |
4c38fec3 | 142 | or: |
143 | ||
144 | ```bash | |
145 | acme.sh --issue -d example.com -w /home/username/public_html | |
146 | ``` | |
147 | ||
148 | or: | |
149 | ||
150 | ```bash | |
151 | acme.sh --issue -d example.com -w /var/www/html | |
152 | ``` | |
153 | ||
2b45dba5 SF |
154 | **Example 2:** Multiple domains in the same cert. |
155 | ||
156 | ```bash | |
1bb90298 | 157 | acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com |
6c0ab5d2 | 158 | ``` |
2400e41f | 159 | |
4c38fec3 | 160 | The parameter `/home/wwwroot/example.com` or `/home/username/public_html` or `/var/www/html` is the web root folder where you host your website files. You **MUST** have `write access` to this folder. |
6c0ab5d2 | 161 | |
1bb90298 AL |
162 | Second argument **"example.com"** is the main domain you want to issue the cert for. |
163 | You must have at least one domain there. | |
6c0ab5d2 | 164 | |
caa2e45a | 165 | You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. |
6c0ab5d2 | 166 | |
1bb90298 | 167 | Generated/issued certs will be placed in `~/.acme.sh/example.com/` |
6c0ab5d2 | 168 | |
1bb90298 | 169 | The issued cert will be renewed automatically every **60** days. |
6c0ab5d2 | 170 | |
6cc11ffb | 171 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 172 | |
173 | ||
1bb90298 | 174 | # 3. Install the issued cert to Apache/Nginx etc. |
a63b05a9 | 175 | |
1bb90298 AL |
176 | After you issue a cert, you probably want to install/copy the cert to your Apache/Nginx or other servers. |
177 | You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. | |
2b45dba5 | 178 | |
1bb90298 | 179 | **Apache** example: |
2b45dba5 | 180 | ```bash |
cd9c3a79 | 181 | acme.sh --install-cert -d example.com \ |
5c539af7 | 182 | --cert-file /path/to/certfile/in/apache/cert.pem \ |
183 | --key-file /path/to/keyfile/in/apache/key.pem \ | |
184 | --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \ | |
4743171b | 185 | --reloadcmd "service apache2 force-reload" |
3c33cdfa | 186 | ``` |
187 | ||
1bb90298 | 188 | **Nginx** example: |
3c33cdfa | 189 | ```bash |
cd9c3a79 | 190 | acme.sh --install-cert -d example.com \ |
5c539af7 | 191 | --key-file /path/to/keyfile/in/nginx/key.pem \ |
192 | --fullchain-file /path/to/fullchain/nginx/cert.pem \ | |
4743171b | 193 | --reloadcmd "service nginx force-reload" |
6c0ab5d2 | 194 | ``` |
7a894c4c | 195 | |
a63b05a9 | 196 | Only the domain is required, all the other parameters are optional. |
197 | ||
fe600441 GL |
198 | The ownership and permission info of existing files are preserved. You may want to precreate the files to have defined ownership and permission. |
199 | ||
1bb90298 AL |
200 | Install/copy the issued cert/key to the production Apache or Nginx path. |
201 | ||
61852447 | 202 | The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. |
7a894c4c | 203 | |
6c0ab5d2 | 204 | |
df1c9d88 | 205 | # 4. Use Standalone server to issue cert |
6c0ab5d2 | 206 | |
1bb90298 | 207 | **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** |
072290f2 | 208 | |
1bb90298 | 209 | Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. |
2b45dba5 SF |
210 | |
211 | ```bash | |
caa2e45a | 212 | acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com |
072290f2 N |
213 | ``` |
214 | ||
6cc11ffb | 215 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
a63b05a9 | 216 | |
e22bcf7c | 217 | |
1bb90298 AL |
218 | # 5. Use Standalone TLS server to issue cert |
219 | ||
220 | **(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** | |
e22bcf7c | 221 | |
222 | acme.sh supports `tls-sni-01` validation. | |
223 | ||
1bb90298 | 224 | Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. |
e22bcf7c | 225 | |
226 | ```bash | |
caa2e45a | 227 | acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com |
e22bcf7c | 228 | ``` |
229 | ||
230 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
231 | ||
1bb90298 | 232 | |
df1c9d88 | 233 | # 6. Use Apache mode |
2b45dba5 | 234 | |
1bb90298 | 235 | **(requires you to be root/sudoer, since it is required to interact with Apache server)** |
2b45dba5 | 236 | |
1bb90298 | 237 | If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`. |
a63b05a9 | 238 | |
1bb90298 | 239 | Particularly, if you are running an Apache server, you should use Apache mode instead. This mode doesn't write any files to your web root folder. |
2c75b3fd | 240 | |
1bb90298 | 241 | Just set string "apache" as the second argument and it will force use of apache plugin automatically. |
2c75b3fd | 242 | |
243 | ``` | |
1bb90298 | 244 | acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com |
2c75b3fd | 245 | ``` |
a63b05a9 | 246 | |
6cc11ffb | 247 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert |
2c75b3fd | 248 | |
9d725af6 | 249 | # 7. Use Nginx mode |
1bb90298 | 250 | |
9d725af6 | 251 | **(requires you to be root/sudoer, since it is required to interact with Nginx server)** |
252 | ||
253 | If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`. | |
254 | ||
255 | Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder. | |
256 | ||
257 | Just set string "nginx" as the second argument. | |
258 | ||
259 | It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version. | |
260 | ||
261 | So, the config is not changed. | |
262 | ||
263 | ``` | |
264 | acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com | |
265 | ``` | |
266 | ||
267 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
268 | ||
269 | # 8. Use DNS mode: | |
a947dbc6 | 270 | |
2b45dba5 SF |
271 | Support the `dns-01` challenge. |
272 | ||
273 | ```bash | |
1bb90298 | 274 | acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com |
a947dbc6 N |
275 | ``` |
276 | ||
1bb90298 | 277 | You should get an output like below: |
2b45dba5 | 278 | |
a947dbc6 N |
279 | ``` |
280 | Add the following txt record: | |
caa2e45a | 281 | Domain:_acme-challenge.example.com |
a947dbc6 N |
282 | Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c |
283 | ||
284 | Add the following txt record: | |
caa2e45a | 285 | Domain:_acme-challenge.www.example.com |
a947dbc6 | 286 | Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx |
a947dbc6 N |
287 | |
288 | Please add those txt records to the domains. Waiting for the dns to take effect. | |
a947dbc6 | 289 | ``` |
2b45dba5 SF |
290 | |
291 | Then just rerun with `renew` argument: | |
292 | ||
293 | ```bash | |
caa2e45a | 294 | acme.sh --renew -d example.com |
a947dbc6 N |
295 | ``` |
296 | ||
297 | Ok, it's finished. | |
298 | ||
7d2b6cfe | 299 | **Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.** |
300 | ||
301 | **Please use dns api mode instead.** | |
1bb90298 | 302 | |
9d725af6 | 303 | # 9. Automatic DNS API integration |
a947dbc6 | 304 | |
1bb90298 | 305 | If your DNS provider supports API access, we can use that API to automatically issue the certs. |
6c0ab5d2 | 306 | |
1bb90298 | 307 | You don't have to do anything manually! |
ab497961 | 308 | |
2b45dba5 | 309 | ### Currently acme.sh supports: |
855d9499 | 310 | |
9c174758 | 311 | 1. CloudFlare.com API |
312 | 1. DNSPod.cn API | |
313 | 1. CloudXNS.com API | |
314 | 1. GoDaddy.com API | |
9c174758 | 315 | 1. PowerDNS.com API |
9bc5f686 | 316 | 1. OVH, kimsufi, soyoustart and runabove API |
317 | 1. nsupdate API | |
9c174758 | 318 | 1. LuaDNS.com API |
319 | 1. DNSMadeEasy.com API | |
9bc5f686 | 320 | 1. AWS Route 53 |
be39ab32 | 321 | 1. aliyun.com(阿里云) API |
192ede5e | 322 | 1. ISPConfig 3.1 API |
b2686e5b | 323 | 1. Alwaysdata.com API |
38f23343 | 324 | 1. Linode.com API |
e6b940e2 | 325 | 1. FreeDNS (https://freedns.afraid.org/) |
edfefb67 | 326 | 1. cyon.ch |
3d6a125b | 327 | 1. Domain-Offensive/Resellerinterface/Domainrobot API |
fab2d9dc | 328 | 1. Gandi LiveDNS API |
9c87a589 | 329 | 1. Knot DNS API |
ac690fce | 330 | 1. DigitalOcean API (native) |
3e9478b5 | 331 | 1. ClouDNS.net API |
4ddafb8e | 332 | 1. Infoblox NIOS API (https://www.infoblox.com/) |
9cf65e31 | 333 | 1. VSCALE (https://vscale.io/) |
66e38ae6 | 334 | 1. Dynu API (https://www.dynu.com) |
9bc5f686 | 335 | 1. DNSimple API |
5e3a5f62 | 336 | 1. NS1.com API |
1a504118 R |
337 | 1. DuckDNS.org API |
338 | 1. Name.com API | |
1bb90298 | 339 | |
9bc5f686 | 340 | |
341 | And: | |
342 | ||
343 | 1. lexicon DNS API: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api | |
344 | (DigitalOcean, DNSimple, DNSMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.) | |
345 | ||
346 | ||
347 | ||
1bb90298 | 348 | **More APIs coming soon...** |
ab497961 | 349 | |
1bb90298 | 350 | If your DNS provider is not on the supported list above, you can write your own DNS API script easily. If you do, please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute it to the project. |
ab497961 | 351 | |
1bb90298 | 352 | For more details: [How to use DNS API](dnsapi) |
ab497961 | 353 | |
354 | ||
9d725af6 | 355 | # 10. Issue ECC certificates |
2b45dba5 | 356 | |
1bb90298 | 357 | `Let's Encrypt` can now issue **ECDSA** certificates. |
2b45dba5 | 358 | |
1bb90298 | 359 | And we support them too! |
1add47a6 | 360 | |
8b92aab7 | 361 | Just set the `length` parameter with a prefix `ec-`. |
2b45dba5 | 362 | |
1add47a6 | 363 | For example: |
9e6c4208 | 364 | |
bcbecff6 | 365 | ### Single domain ECC certificate |
9e6c4208 | 366 | |
2b45dba5 | 367 | ```bash |
1bb90298 | 368 | acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 |
1add47a6 | 369 | ``` |
2b45dba5 | 370 | |
1bb90298 | 371 | ### SAN multi domain ECC certificate |
2b45dba5 SF |
372 | |
373 | ```bash | |
1bb90298 | 374 | acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 |
9e6c4208 N |
375 | ``` |
376 | ||
1add47a6 | 377 | Please look at the last parameter above. |
378 | ||
379 | Valid values are: | |
380 | ||
2b45dba5 SF |
381 | 1. **ec-256 (prime256v1, "ECDSA P-256")** |
382 | 2. **ec-384 (secp384r1, "ECDSA P-384")** | |
383 | 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** | |
1add47a6 | 384 | |
df1c9d88 | 385 | |
9d725af6 | 386 | # 11. How to renew the issued certs |
df1c9d88 | 387 | |
1bb90298 | 388 | No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. |
df1c9d88 | 389 | |
390 | However, you can also force to renew any cert: | |
391 | ||
392 | ``` | |
1bb90298 | 393 | acme.sh --renew -d example.com --force |
df1c9d88 | 394 | ``` |
395 | ||
396 | or, for ECC cert: | |
1bb90298 | 397 | |
df1c9d88 | 398 | ``` |
1bb90298 | 399 | acme.sh --renew -d example.com --force --ecc |
df1c9d88 | 400 | ``` |
401 | ||
1bb90298 | 402 | |
9d725af6 | 403 | # 12. How to upgrade `acme.sh` |
1bb90298 | 404 | |
329174b6 | 405 | acme.sh is in constant development, so it's strongly recommended to use the latest code. |
df1c9d88 | 406 | |
407 | You can update acme.sh to the latest code: | |
1bb90298 | 408 | |
df1c9d88 | 409 | ``` |
410 | acme.sh --upgrade | |
411 | ``` | |
412 | ||
1bb90298 AL |
413 | You can also enable auto upgrade: |
414 | ||
59649e9b | 415 | ``` |
1bb90298 | 416 | acme.sh --upgrade --auto-upgrade |
59649e9b | 417 | ``` |
1bb90298 AL |
418 | |
419 | Then **acme.sh** will be kept up to date automatically. | |
59649e9b | 420 | |
421 | Disable auto upgrade: | |
1bb90298 | 422 | |
59649e9b | 423 | ``` |
1bb90298 | 424 | acme.sh --upgrade --auto-upgrade 0 |
59649e9b | 425 | ``` |
426 | ||
1bb90298 | 427 | |
9d725af6 | 428 | # 13. Issue a cert from an existing CSR |
8371b030 | 429 | |
430 | https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR | |
431 | ||
432 | ||
cb6f6229 | 433 | # 14. Under the Hood |
6c0ab5d2 | 434 | |
99dc89c0 | 435 | Speak ACME language using shell, directly to "Let's Encrypt". |
6c0ab5d2 N |
436 | |
437 | TODO: | |
438 | ||
1bb90298 | 439 | |
cb6f6229 | 440 | # 15. Acknowledgments |
1bb90298 | 441 | |
63f04675 N |
442 | 1. Acme-tiny: https://github.com/diafygi/acme-tiny |
443 | 2. ACME protocol: https://github.com/ietf-wg-acme/acme | |
4e1f39cd | 444 | 3. Certbot: https://github.com/certbot/certbot |
63f04675 | 445 | |
1bb90298 | 446 | |
cb6f6229 | 447 | # 16. License & Others |
6c0ab5d2 N |
448 | |
449 | License is GPLv3 | |
450 | ||
1d06c947 | 451 | Please Star and Fork me. |
6c0ab5d2 | 452 | |
1bb90298 | 453 | [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome. |
6c0ab5d2 N |
454 | |
455 | ||
cb6f6229 | 456 | # 17. Donate |
457 | Your donation makes **acme.sh** better: | |
6c0ab5d2 | 458 | |
43d3b51b | 459 | 1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/) |
460 | ||
1bb90298 | 461 | [Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list) |