]>
Commit | Line | Data |
---|---|---|
1 | # An ACME Shell script: acme.sh | |
2 | - An ACME protocol client written purely in Shell (Unix shell) language. | |
3 | - Fully ACME protocol implementation. | |
4 | - Simple, powerful and very easy to use. You only need 3 minutes to learn. | |
5 | - Bash, dash and sh compatible. | |
6 | - Simplest shell script for Let's Encrypt free certificate client. | |
7 | - Purely written in Shell with no dependencies on python or Let's Encrypt official client. | |
8 | - Just one script, to issue, renew and install your certificates automatically. | |
9 | - DOES NOT require `root/sudoer` access. | |
10 | ||
11 | It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt. | |
12 | ||
13 | ||
14 | Wiki: https://github.com/Neilpang/acme.sh/wiki | |
15 | ||
16 | # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E) | |
17 | ||
18 | #Tested OS | |
19 | | NO | Status| Platform| | |
20 | |----|-------|---------| | |
21 | |1|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu | |
22 | |2|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian | |
23 | |3|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS | |
24 | |4|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included) | |
25 | |5|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD | |
26 | |6|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense | |
27 | |7|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE | |
28 | |8|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl) | |
29 | |9|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux | |
30 | |10|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora | |
31 | |11|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux | |
32 | |12|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux | |
33 | |13|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh | |
34 | |14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111 | |
35 | |15|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD | |
36 | |16|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia | |
37 | |17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT) | |
38 | |18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris | |
39 | |18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/gentoo-stage3-amd64.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux | |
40 | ||
41 | For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest): | |
42 | ||
43 | https://github.com/Neilpang/acmetest | |
44 | ||
45 | # Supported Mode | |
46 | ||
47 | 1. Webroot mode | |
48 | 2. Standalone mode | |
49 | 3. Apache mode | |
50 | 4. Dns mode | |
51 | ||
52 | ||
53 | ||
54 | # 1. How to install | |
55 | ||
56 | ### 1. Install online: | |
57 | ||
58 | Check this project: https://github.com/Neilpang/get.acme.sh | |
59 | ||
60 | ```bash | |
61 | curl https://get.acme.sh | sh | |
62 | ||
63 | ``` | |
64 | ||
65 | Or: | |
66 | ||
67 | ```bash | |
68 | wget -O - https://get.acme.sh | sh | |
69 | ||
70 | ``` | |
71 | ||
72 | ||
73 | ### 2. Or, Install from git: | |
74 | ||
75 | Clone this project: | |
76 | ||
77 | ```bash | |
78 | git clone https://github.com/Neilpang/acme.sh.git | |
79 | cd ./acme.sh | |
80 | ./acme.sh --install | |
81 | ``` | |
82 | ||
83 | You `don't have to be root` then, although `it is recommended`. | |
84 | ||
85 | Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install | |
86 | ||
87 | The installer will perform 3 actions: | |
88 | ||
89 | 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. | |
90 | All certs will be placed in this folder. | |
91 | 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`. | |
92 | 3. Create everyday cron job to check and renew the cert if needed. | |
93 | ||
94 | Cron entry example: | |
95 | ||
96 | ```bash | |
97 | 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null | |
98 | ``` | |
99 | ||
100 | After the installation, you must close current terminal and reopen again to make the alias take effect. | |
101 | ||
102 | Ok, you are ready to issue cert now. | |
103 | Show help message: | |
104 | ||
105 | ``` | |
106 | ||
107 | root@v1:~# acme.sh -h | |
108 | ||
109 | ``` | |
110 | ||
111 | # 2. Just issue a cert: | |
112 | ||
113 | **Example 1:** Single domain. | |
114 | ||
115 | ```bash | |
116 | acme.sh --issue -d example.com -w /home/wwwroot/example.com | |
117 | ``` | |
118 | ||
119 | **Example 2:** Multiple domains in the same cert. | |
120 | ||
121 | ```bash | |
122 | acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com | |
123 | ``` | |
124 | ||
125 | The parameter `/home/wwwroot/example.com` is the web root folder. You **MUST** have `write access` to this folder. | |
126 | ||
127 | Second argument **"example.com"** is the main domain you want to issue cert for. | |
128 | You must have at least a domain there. | |
129 | ||
130 | You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`. | |
131 | ||
132 | Generate/issued certs will be placed in `~/.acme.sh/example.com/` | |
133 | ||
134 | The issued cert will be renewed every **60** days automatically. | |
135 | ||
136 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
137 | ||
138 | ||
139 | # 3. Install the issued cert to apache/nginx etc. | |
140 | ||
141 | After you issue a cert, you probably want to install/copy the cert to your nginx/apache or other servers you may be using. | |
142 | ||
143 | ```bash | |
144 | acme.sh --installcert -d example.com \ | |
145 | --certpath /path/to/certfile/in/apache/nginx \ | |
146 | --keypath /path/to/keyfile/in/apache/nginx \ | |
147 | --capath /path/to/ca/certfile/apache/nginx \ | |
148 | --fullchainpath path/to/fullchain/certfile/apache/nginx \ | |
149 | --reloadcmd "service apache2|nginx reload" | |
150 | ``` | |
151 | ||
152 | Only the domain is required, all the other parameters are optional. | |
153 | ||
154 | Install/copy the issued cert/key to the production apache or nginx path. | |
155 | ||
156 | The cert will be `renewed every **60** days by default` (which is configurable). Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`. | |
157 | ||
158 | # 4. Use Standalone server to issue cert | |
159 | ||
160 | **(requires you be root/sudoer, or you have permission to listen tcp 80 port)** | |
161 | ||
162 | The tcp `80` port **MUST** be free to listen, otherwise you will be prompted to free the `80` port and try again. | |
163 | ||
164 | ```bash | |
165 | acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com | |
166 | ``` | |
167 | ||
168 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
169 | ||
170 | # 5. Use Standalone tls server to issue cert | |
171 | ||
172 | **(requires you be root/sudoer, or you have permission to listen tcp 443 port)** | |
173 | ||
174 | acme.sh supports `tls-sni-01` validation. | |
175 | ||
176 | The tcp `443` port **MUST** be free to listen, otherwise you will be prompted to free the `443` port and try again. | |
177 | ||
178 | ```bash | |
179 | acme.sh --issue --tls -d example.com -d www.example.com -d cp.example.com | |
180 | ``` | |
181 | ||
182 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
183 | ||
184 | # 6. Use Apache mode | |
185 | ||
186 | **(requires you be root/sudoer, since it is required to interact with apache server)** | |
187 | ||
188 | If you are running a web server, apache or nginx, it is recommended to use the `Webroot mode`. | |
189 | ||
190 | Particularly, if you are running an apache server, you should use apache mode instead. This mode doesn't write any files to your web root folder. | |
191 | ||
192 | Just set string "apache" as the second argument, it will force use of apache plugin automatically. | |
193 | ||
194 | ``` | |
195 | acme.sh --issue --apache -d example.com -d www.example.com -d user.example.com | |
196 | ``` | |
197 | ||
198 | More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert | |
199 | ||
200 | # 7. Use DNS mode: | |
201 | ||
202 | Support the `dns-01` challenge. | |
203 | ||
204 | ```bash | |
205 | acme.sh --issue --dns -d example.com -d www.example.com -d user.example.com | |
206 | ``` | |
207 | ||
208 | You should get the output like below: | |
209 | ||
210 | ``` | |
211 | Add the following txt record: | |
212 | Domain:_acme-challenge.example.com | |
213 | Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c | |
214 | ||
215 | Add the following txt record: | |
216 | Domain:_acme-challenge.www.example.com | |
217 | Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
218 | ||
219 | Please add those txt records to the domains. Waiting for the dns to take effect. | |
220 | ||
221 | ``` | |
222 | ||
223 | Then just rerun with `renew` argument: | |
224 | ||
225 | ```bash | |
226 | acme.sh --renew -d example.com | |
227 | ``` | |
228 | ||
229 | Ok, it's finished. | |
230 | ||
231 | # 8. Automatic DNS API integration | |
232 | ||
233 | If your DNS provider supports API access, we can use API to automatically issue the certs. | |
234 | ||
235 | You don't have do anything manually! | |
236 | ||
237 | ### Currently acme.sh supports: | |
238 | ||
239 | 1. Cloudflare.com API | |
240 | 2. Dnspod.cn API | |
241 | 3. Cloudxns.com API | |
242 | 4. Godaddy.com API | |
243 | 5. OVH, kimsufi, soyoustart and runabove API | |
244 | 6. AWS Route 53, see: https://github.com/Neilpang/acme.sh/issues/65 | |
245 | 7. PowerDNS API | |
246 | 8. lexicon dns api: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api | |
247 | (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.) | |
248 | ||
249 | ##### More APIs are coming soon... | |
250 | ||
251 | If your DNS provider is not on the supported list above, you can write your own script API easily. If you do please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute to the project. | |
252 | ||
253 | For more details: [How to use dns api](dnsapi) | |
254 | ||
255 | # 9. Issue ECC certificate: | |
256 | ||
257 | `Let's Encrypt` now can issue **ECDSA** certificates. | |
258 | ||
259 | And we also support it. | |
260 | ||
261 | Just set the `length` parameter with a prefix `ec-`. | |
262 | ||
263 | For example: | |
264 | ||
265 | ### Single domain ECC cerfiticate: | |
266 | ||
267 | ```bash | |
268 | acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256 | |
269 | ``` | |
270 | ||
271 | SAN multi domain ECC certificate: | |
272 | ||
273 | ```bash | |
274 | acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256 | |
275 | ``` | |
276 | ||
277 | Please look at the last parameter above. | |
278 | ||
279 | Valid values are: | |
280 | ||
281 | 1. **ec-256 (prime256v1, "ECDSA P-256")** | |
282 | 2. **ec-384 (secp384r1, "ECDSA P-384")** | |
283 | 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** | |
284 | ||
285 | ||
286 | # 10. How to renew the cert | |
287 | ||
288 | No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. | |
289 | ||
290 | However, you can also force to renew any cert: | |
291 | ||
292 | ``` | |
293 | acme.sh --renew -d example.com --force | |
294 | ``` | |
295 | ||
296 | or, for ECC cert: | |
297 | ``` | |
298 | acme.sh --renew -d example.com --force --ecc | |
299 | ``` | |
300 | ||
301 | # 11. How to upgrade `acme.sh` | |
302 | acme.sh is in developing, it's strongly recommended to use the latest code. | |
303 | ||
304 | You can update acme.sh to the latest code: | |
305 | ``` | |
306 | acme.sh --upgrade | |
307 | ``` | |
308 | ||
309 | You can enable auto upgrade: | |
310 | ``` | |
311 | acme.sh --upgrade --auto-upgrade | |
312 | ``` | |
313 | Then **acme.sh** will keep up to date automatically. | |
314 | ||
315 | Disable auto upgrade: | |
316 | ``` | |
317 | acme.sh --upgrade --auto-upgrade 0 | |
318 | ``` | |
319 | ||
320 | # 12. Issue a cert from an existing CSR | |
321 | ||
322 | https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR | |
323 | ||
324 | ||
325 | # Under the Hood | |
326 | ||
327 | Speak ACME language using shell, directly to "Let's Encrypt". | |
328 | ||
329 | TODO: | |
330 | ||
331 | # Acknowledgment | |
332 | 1. Acme-tiny: https://github.com/diafygi/acme-tiny | |
333 | 2. ACME protocol: https://github.com/ietf-wg-acme/acme | |
334 | 3. Certbot: https://github.com/certbot/certbot | |
335 | ||
336 | # License & Others | |
337 | ||
338 | License is GPLv3 | |
339 | ||
340 | Please Star and Fork me. | |
341 | ||
342 | [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcomed. | |
343 | ||
344 | ||
345 | # Donate | |
346 | 1. PayPal: donate@acme.sh | |
347 | ||
348 | [Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list) | |
349 |