[mirror_acme.sh.git] / README.md

# An ACME Shell script: acme.sh
- An ACME protocol client written purely in Shell (Unix shell) language.
- Fully ACME protocol implementation.
- Simple, powerful and very easy to use. You only need 3 minutes to learn.
- Bash, dash and sh compatible. 
- Simplest shell script for Let's Encrypt free certificate client.
- Purely written in Shell with no dependencies on python or Let's Encrypt official client.
- Just one script, to issue, renew and install your certificates automatically.
- DOES NOT require `root/sudoer` access.

It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.


Wiki: https://github.com/Neilpang/acme.sh/wiki

# [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)

#Tested OS
| NO | Status| Platform|
|----|-------|---------|
|1|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
|2|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
|3|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
|4|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
|5|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
|6|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
|7|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
|8|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
|9|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
|10|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
|11|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
|12|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
|13|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
|14|-----| Cloud Linux  https://github.com/Neilpang/le/issues/111
|15|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
|16|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
|17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
|18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
|18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux

For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest): 

https://github.com/Neilpang/acmetest

# Supported Mode

1. Webroot mode
2. Standalone mode
3. Apache mode
4. Dns mode


# 1. How to install

### 1. Install online:

Check this project: https://github.com/Neilpang/get.acme.sh

```bash
curl https://get.acme.sh | sh

```

Or:

```bash
wget -O -  https://get.acme.sh | sh

```


### 2. Or, Install from git:

Clone this project: 

```bash
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
```

You `don't have to be root` then, although `it is recommended`.

Advanced Installation:  https://github.com/Neilpang/acme.sh/wiki/How-to-install

The installer will perform 3 actions:

1. Create and copy `acme.sh` to your home dir (`$HOME`):  `~/.acme.sh/`.
All certs will be placed in this folder.
2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. 
3. Create everyday cron job to check and renew the cert if needed.

Cron entry example:

```bash
0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
```

After the installation, you must close current terminal and reopen again to make the alias take effect.

Ok, you are ready to issue cert now.
Show help message:

```

root@v1:~# acme.sh -h

```
 
# 2. Just issue a cert:

**Example 1:** Single domain.

```bash
acme.sh --issue -d example.com -w /home/wwwroot/example.com
```

**Example 2:** Multiple domains in the same cert.

```bash
acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com 
```

The parameter `/home/wwwroot/example.com` is the web root folder. You **MUST** have `write access` to this folder.

Second argument **"example.com"** is the main domain you want to issue cert for.
You must have at least a domain there.

You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`.

Generate/issued certs will be placed in `~/.acme.sh/example.com/`

The issued cert will be renewed every **60** days automatically.

More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert


# 3. Install the issued cert to apache/nginx etc.

After you issue a cert, you probably want to install/copy the cert to your nginx/apache or other servers you may be using.

```bash
acme.sh --installcert -d example.com \
--certpath /path/to/certfile/in/apache/nginx  \
--keypath  /path/to/keyfile/in/apache/nginx  \
--capath   /path/to/ca/certfile/apache/nginx   \
--fullchainpath path/to/fullchain/certfile/apache/nginx \
--reloadcmd  "service apache2|nginx reload"
```

Only the domain is required, all the other parameters are optional.

Install/copy the issued cert/key to the production apache or nginx path.

The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`.

# 4. Use Standalone server to issue cert

**(requires you be root/sudoer, or you have permission to listen tcp 80 port)**

The tcp `80` port **MUST** be free to listen, otherwise you will be prompted to free the `80` port and try again.

```bash
acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
```

More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

# 5. Use Standalone tls server to issue cert

**(requires you be root/sudoer, or you have permission to listen tcp 443 port)**

acme.sh supports `tls-sni-01` validation.

The tcp `443` port **MUST** be free to listen, otherwise you will be prompted to free the `443` port and try again.

```bash
acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
```

More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

# 6. Use Apache mode

**(requires you be root/sudoer, since it is required to interact with apache server)**

If you are running a web server, apache or nginx, it is recommended to use the `Webroot mode`.

Particularly, if you are running an apache server, you should use apache mode instead. This mode doesn't write any files to your web root folder.

Just set string "apache" as the second argument, it will force use of apache plugin automatically.

```
acme.sh --issue --apache -d example.com -d www.example.com -d user.example.com
```

More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert

# 7. Use DNS mode:

Support the `dns-01` challenge.

```bash
acme.sh --issue --dns -d example.com -d www.example.com -d user.example.com
```

You should get the output like below:

```
Add the following txt record:
Domain:_acme-challenge.example.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c

Add the following txt record:
Domain:_acme-challenge.www.example.com
Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Please add those txt records to the domains. Waiting for the dns to take effect.

```

Then just rerun with `renew` argument:

```bash
acme.sh --renew -d example.com
```

Ok, it's finished.

# 8. Automatic DNS API integration

If your DNS provider supports API access, we can use API to automatically issue the certs.

You don't have do anything manually!

### Currently acme.sh supports:

1. Cloudflare.com API
2. Dnspod.cn API
3. Cloudxns.com API
4. Godaddy.com API
5. OVH, kimsufi, soyoustart and runabove API
6. AWS Route 53, see: https://github.com/Neilpang/acme.sh/issues/65
7. PowerDNS API
8. lexicon dns api: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
   (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)

##### More APIs are coming soon...

If your DNS provider is not on the supported list above, you can write your own script API easily. If you do please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute to the project.

For more details: [How to use dns api](dnsapi)

# 9. Issue ECC certificate:

`Let's Encrypt` now can issue **ECDSA** certificates.

And we also support it.

Just set the `length` parameter with a prefix `ec-`.

For example:

### Single domain ECC cerfiticate:

```bash
acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength  ec-256
```

SAN multi domain ECC certificate:

```bash
acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength  ec-256
```

Please look at the last parameter above.

Valid values are:

1. **ec-256 (prime256v1, "ECDSA P-256")**
2. **ec-384 (secp384r1,  "ECDSA P-384")**
3. **ec-521 (secp521r1,  "ECDSA P-521", which is not supported by Let's Encrypt yet.)**


# 10. How to renew the cert

No, you don't need to renew the certs manually.  All the certs will be renewed automatically every **60** days.

However, you can also force to renew any cert:

```
acme.sh --renew  -d  example.com --force
```

or, for ECC cert:
```
acme.sh --renew  -d  example.com  --force --ecc
```

# 11. How to upgrade `acme.sh`
acme.sh is in developing, it's strongly recommended to use the latest code.

You can update acme.sh to the latest code:
```
acme.sh --upgrade
```

You can enable auto upgrade:
```
acme.sh  --upgrade  --auto-upgrade
```
Then **acme.sh** will keep up to date automatically.

Disable auto upgrade:
```
acme.sh  --upgrade  --auto-upgrade 0
```

# 12. Issue a cert from an existing CSR

https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR


# Under the Hood

Speak ACME language using shell, directly to "Let's Encrypt".

TODO:

# Acknowledgment
1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
3. Certbot: https://github.com/certbot/certbot

# License & Others

License is GPLv3

Please Star and Fork me.

[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcomed.


# Donate
1. PayPal:  donate@acme.sh

[Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list)
Commit	Line	Data
	1	# An ACME Shell script: acme.sh
	2	- An ACME protocol client written purely in Shell (Unix shell) language.
	3	- Fully ACME protocol implementation.
	4	- Simple, powerful and very easy to use. You only need 3 minutes to learn.
	5	- Bash, dash and sh compatible.
	6	- Simplest shell script for Let's Encrypt free certificate client.
	7	- Purely written in Shell with no dependencies on python or Let's Encrypt official client.
	8	- Just one script, to issue, renew and install your certificates automatically.
	9	- DOES NOT require `root/sudoer` access.
	10
	11	It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
	12
	13
	14	Wiki: https://github.com/Neilpang/acme.sh/wiki
	15
	16	# [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
	17
	18	#Tested OS
	19	\| NO \| Status\| Platform\|
	20	\|----\|-------\|---------\|
	21	\|1\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\| Ubuntu
	22	\|2\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\| Debian
	23	\|3\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|CentOS
	24	\|4\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Windows (cygwin with curl, openssl and crontab included)
	25	\|5\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|FreeBSD
	26	\|6\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|pfsense
	27	\|7\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|openSUSE
	28	\|8\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Alpine Linux (with curl)
	29	\|9\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Archlinux
	30	\|10\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|fedora
	31	\|11\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Kali Linux
	32	\|12\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Oracle Linux
	33	\|13\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
	34	\|14\|-----\| Cloud Linux https://github.com/Neilpang/le/issues/111
	35	\|15\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|OpenBSD
	36	\|16\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Mageia
	37	\|17\|-----\| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
	38	\|18\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|SunOS/Solaris
	39	\|18\|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)\|Gentoo Linux
	40
	41	For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest):
	42
	43	https://github.com/Neilpang/acmetest
	44
	45	# Supported Mode
	46
	47	1. Webroot mode
	48	2. Standalone mode
	49	3. Apache mode
	50	4. Dns mode
	51
	52
	53
	54	# 1. How to install
	55
	56	### 1. Install online:
	57
	58	Check this project: https://github.com/Neilpang/get.acme.sh
	59
	60	```bash
	61	curl https://get.acme.sh \| sh
	62
	63	```
	64
	65	Or:
	66
	67	```bash
	68	wget -O - https://get.acme.sh \| sh
	69
	70	```
	71
	72
	73	### 2. Or, Install from git:
	74
	75	Clone this project:
	76
	77	```bash
	78	git clone https://github.com/Neilpang/acme.sh.git
	79	cd ./acme.sh
	80	./acme.sh --install
	81	```
	82
	83	You `don't have to be root` then, although `it is recommended`.
	84
	85	Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install
	86
	87	The installer will perform 3 actions:
	88
	89	1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`.
	90	All certs will be placed in this folder.
	91	2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`.
	92	3. Create everyday cron job to check and renew the cert if needed.
	93
	94	Cron entry example:
	95
	96	```bash
	97	0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
	98	```
	99
	100	After the installation, you must close current terminal and reopen again to make the alias take effect.
	101
	102	Ok, you are ready to issue cert now.
	103	Show help message:
	104
	105	```
	106
	107	root@v1:~# acme.sh -h
	108
	109	```
	110
	111	# 2. Just issue a cert:
	112
	113	Example 1: Single domain.
	114
	115	```bash
	116	acme.sh --issue -d example.com -w /home/wwwroot/example.com
	117	```
	118
	119	Example 2: Multiple domains in the same cert.
	120
	121	```bash
	122	acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com
	123	```
	124
	125	The parameter `/home/wwwroot/example.com` is the web root folder. You MUST have `write access` to this folder.
	126
	127	Second argument "example.com" is the main domain you want to issue cert for.
	128	You must have at least a domain there.
	129
	130	You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`.
	131
	132	Generate/issued certs will be placed in `~/.acme.sh/example.com/`
	133
	134	The issued cert will be renewed every 60 days automatically.
	135
	136	More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
	137
	138
	139	# 3. Install the issued cert to apache/nginx etc.
	140
	141	After you issue a cert, you probably want to install/copy the cert to your nginx/apache or other servers you may be using.
	142
	143	```bash
	144	acme.sh --installcert -d example.com \
	145	--certpath /path/to/certfile/in/apache/nginx \
	146	--keypath /path/to/keyfile/in/apache/nginx \
	147	--capath /path/to/ca/certfile/apache/nginx \
	148	--fullchainpath path/to/fullchain/certfile/apache/nginx \
	149	--reloadcmd "service apache2\|nginx reload"
	150	```
	151
	152	Only the domain is required, all the other parameters are optional.
	153
	154	Install/copy the issued cert/key to the production apache or nginx path.
	155
	156	The cert will be `renewed every 60 days by default` (which is configurable). Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`.
	157
	158	# 4. Use Standalone server to issue cert
	159
	160	(requires you be root/sudoer, or you have permission to listen tcp 80 port)
	161
	162	The tcp `80` port MUST be free to listen, otherwise you will be prompted to free the `80` port and try again.
	163
	164	```bash
	165	acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
	166	```
	167
	168	More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
	169
	170	# 5. Use Standalone tls server to issue cert
	171
	172	(requires you be root/sudoer, or you have permission to listen tcp 443 port)
	173
	174	acme.sh supports `tls-sni-01` validation.
	175
	176	The tcp `443` port MUST be free to listen, otherwise you will be prompted to free the `443` port and try again.
	177
	178	```bash
	179	acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com
	180	```
	181
	182	More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
	183
	184	# 6. Use Apache mode
	185
	186	(requires you be root/sudoer, since it is required to interact with apache server)
	187
	188	If you are running a web server, apache or nginx, it is recommended to use the `Webroot mode`.
	189
	190	Particularly, if you are running an apache server, you should use apache mode instead. This mode doesn't write any files to your web root folder.
	191
	192	Just set string "apache" as the second argument, it will force use of apache plugin automatically.
	193
	194	```
	195	acme.sh --issue --apache -d example.com -d www.example.com -d user.example.com
	196	```
	197
	198	More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
	199
	200	# 7. Use DNS mode:
	201
	202	Support the `dns-01` challenge.
	203
	204	```bash
	205	acme.sh --issue --dns -d example.com -d www.example.com -d user.example.com
	206	```
	207
	208	You should get the output like below:
	209
	210	```
	211	Add the following txt record:
	212	Domain:_acme-challenge.example.com
	213	Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
	214
	215	Add the following txt record:
	216	Domain:_acme-challenge.www.example.com
	217	Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
	218
	219	Please add those txt records to the domains. Waiting for the dns to take effect.
	220
	221	```
	222
	223	Then just rerun with `renew` argument:
	224
	225	```bash
	226	acme.sh --renew -d example.com
	227	```
	228
	229	Ok, it's finished.
	230
	231	# 8. Automatic DNS API integration
	232
	233	If your DNS provider supports API access, we can use API to automatically issue the certs.
	234
	235	You don't have do anything manually!
	236
	237	### Currently acme.sh supports:
	238
	239	1. Cloudflare.com API
	240	2. Dnspod.cn API
	241	3. Cloudxns.com API
	242	4. Godaddy.com API
	243	5. OVH, kimsufi, soyoustart and runabove API
	244	6. AWS Route 53, see: https://github.com/Neilpang/acme.sh/issues/65
	245	7. PowerDNS API
	246	8. lexicon dns api: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
	247	(DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
	248
	249	##### More APIs are coming soon...
	250
	251	If your DNS provider is not on the supported list above, you can write your own script API easily. If you do please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute to the project.
	252
	253	For more details: [How to use dns api](dnsapi)
	254
	255	# 9. Issue ECC certificate:
	256
	257	`Let's Encrypt` now can issue ECDSA certificates.
	258
	259	And we also support it.
	260
	261	Just set the `length` parameter with a prefix `ec-`.
	262
	263	For example:
	264
	265	### Single domain ECC cerfiticate:
	266
	267	```bash
	268	acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
	269	```
	270
	271	SAN multi domain ECC certificate:
	272
	273	```bash
	274	acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
	275	```
	276
	277	Please look at the last parameter above.
	278
	279	Valid values are:
	280
	281	1. ec-256 (prime256v1, "ECDSA P-256")
	282	2. ec-384 (secp384r1, "ECDSA P-384")
	283	3. ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)
	284
	285
	286	# 10. How to renew the cert
	287
	288	No, you don't need to renew the certs manually. All the certs will be renewed automatically every 60 days.
	289
	290	However, you can also force to renew any cert:
	291
	292	```
	293	acme.sh --renew -d example.com --force
	294	```
	295
	296	or, for ECC cert:
	297	```
	298	acme.sh --renew -d example.com --force --ecc
	299	```
	300
	301	# 11. How to upgrade `acme.sh`
	302	acme.sh is in developing, it's strongly recommended to use the latest code.
	303
	304	You can update acme.sh to the latest code:
	305	```
	306	acme.sh --upgrade
	307	```
	308
	309	You can enable auto upgrade:
	310	```
	311	acme.sh --upgrade --auto-upgrade
	312	```
	313	Then acme.sh will keep up to date automatically.
	314
	315	Disable auto upgrade:
	316	```
	317	acme.sh --upgrade --auto-upgrade 0
	318	```
	319
	320	# 12. Issue a cert from an existing CSR
	321
	322	https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
	323
	324
	325	# Under the Hood
	326
	327	Speak ACME language using shell, directly to "Let's Encrypt".
	328
	329	TODO:
	330
	331	# Acknowledgment
	332	1. Acme-tiny: https://github.com/diafygi/acme-tiny
	333	2. ACME protocol: https://github.com/ietf-wg-acme/acme
	334	3. Certbot: https://github.com/certbot/certbot
	335
	336	# License & Others
	337
	338	License is GPLv3
	339
	340	Please Star and Fork me.
	341
	342	[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcomed.
	343
	344
	345	# Donate
	346	1. PayPal: donate@acme.sh
	347
	348	[Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list)
	349