1 # An ACME Shell script: acme.sh
2 - An ACME protocol client written purely in Shell (Unix shell) language.
3 - Fully ACME protocol implementation.
4 - Simple, powerful and very easy to use. You only need 3 minutes to learn.
5 - Bash, dash and sh compatible.
6 - Simplest shell script for Let's Encrypt free certificate client.
7 - Purely written in Shell with no dependencies on python or Let's Encrypt official client.
8 - Just one script, to issue, renew and install your certificates automatically.
9 - DOES NOT require `root/sudoer` access.
11 It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
14 Wiki: https://github.com/Neilpang/acme.sh/wiki
17 | NO | Status| Platform|
18 |----|-------|---------|
19 |1|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
20 |2|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
21 |3|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
22 |4|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/windows-cygwin.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
23 |5|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
24 |6|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
25 |7|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
26 |8|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
27 |9|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
28 |10|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
29 |11|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
30 |12|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
31 |13|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
32 |14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111
33 |15|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
34 |16|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/mageia.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
35 |17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
36 |18|[![](https://cdn.rawgit.com/Neilpang/acmetest/master/status/solaris.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
38 For all build statuses, check our [daily build project](https://github.com/Neilpang/acmetest):
40 https://github.com/Neilpang/acmetest
49 # Upgrade from 1.x to 2.x
51 You can simply uninstall 1.x and re-install 2.x.
52 2.x is 100% compatible to 1.x. You will feel right at home as if nothing has changed.
54 # le.sh renamed to acme.sh NOW!
56 All configurations are 100% compatible between `le.sh` and `acme.sh`. You just need to uninstall `le.sh` and re-install `acme.sh` again.
57 Nothing will be broken during the process.
61 ### 1. Install online:
63 Check this project: https://github.com/Neilpang/get.acme.sh
66 curl https://get.acme.sh | sh
73 wget -O - https://get.acme.sh | sh
78 ### 2. Or, Install from git:
83 git clone https://github.com/Neilpang/acme.sh.git
88 You `don't have to be root` then, although `it is recommended`.
90 Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install
92 The installer will perform 3 actions:
94 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`.
95 All certs will be placed in this folder.
96 2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`.
97 3. Create everyday cron job to check and renew the cert if needed.
102 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
105 After the installation, you must close current terminal and reopen again to make the alias take effect.
107 Ok, you are ready to issue cert now.
112 root@v1:~# acme.sh -h
118 **Example 1:** Single domain.
121 acme.sh --issue -d aa.com -w /home/wwwroot/aa.com
124 **Example 2:** Multiple domains in the same cert.
127 acme.sh --issue -d aa.com -d www.aa.com -d cp.aa.com -w /home/wwwroot/aa.com
130 The parameter `/home/wwwroot/aa.com` is the web root folder. You **MUST** have `write access` to this folder.
132 Second argument **"aa.com"** is the main domain you want to issue cert for.
133 You must have at least a domain there.
135 You must point and bind all the domains to the same webroot dir: `/home/wwwroot/aa.com`.
137 Generate/issued certs will be placed in `~/.acme.sh/aa.com/`
139 The issued cert will be renewed every 80 days automatically.
141 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
144 # Install issued cert to apache/nginx etc.
146 After you issue a cert, you probably want to install the cert with your nginx/apache or other servers you may be using.
149 acme.sh --installcert -d aa.com \
150 --certpath /path/to/certfile/in/apache/nginx \
151 --keypath /path/to/keyfile/in/apache/nginx \
152 --capath /path/to/ca/certfile/apache/nginx \
153 --fullchainpath path/to/fullchain/certfile/apache/nginx \
154 --reloadcmd "service apache2|nginx reload"
157 Only the domain is required, all the other parameters are optional.
159 Install the issued cert/key to the production apache or nginx path.
161 The cert will be `renewed every 80 days by default` (which is configurable). Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload`.
163 # Use Standalone server to issue cert
165 **(requires you be root/sudoer, or you have permission to listen tcp 80 port)**
167 The tcp `80` port **MUST** be free to listen, otherwise you will be prompted to free the `80` port and try again.
170 acme.sh --issue --standalone -d aa.com -d www.aa.com -d cp.aa.com
173 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
175 # Use Standalone tls server to issue cert
177 **(requires you be root/sudoer, or you have permission to listen tcp 443 port)**
179 acme.sh supports `tls-sni-01` validation.
181 The tcp `443` port **MUST** be free to listen, otherwise you will be prompted to free the `443` port and try again.
184 acme.sh --issue --tls -d aa.com -d www.aa.com -d cp.aa.com
187 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
191 **(requires you be root/sudoer, since it is required to interact with apache server)**
193 If you are running a web server, apache or nginx, it is recommended to use the `Webroot mode`.
195 Particularly, if you are running an apache server, you should use apache mode instead. This mode doesn't write any files to your web root folder.
197 Just set string "apache" as the second argument, it will force use of apache plugin automatically.
200 acme.sh --issue --apache -d aa.com -d www.aa.com -d user.aa.com
203 More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
207 Support the `dns-01` challenge.
210 acme.sh --issue --dns -d aa.com -d www.aa.com -d user.aa.com
213 You should get the output like below:
216 Add the following txt record:
217 Domain:_acme-challenge.aa.com
218 Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
220 Add the following txt record:
221 Domain:_acme-challenge.www.aa.com
222 Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
224 Please add those txt records to the domains. Waiting for the dns to take effect.
228 Then just rerun with `renew` argument:
231 acme.sh --renew -d aa.com
236 # Automatic DNS API integration
238 If your DNS provider supports API access, we can use API to automatically issue the certs.
240 You don't have do anything manually!
242 ### Currently acme.sh supports:
244 1. Cloudflare.com API
248 5. AWS Route 53, see: https://github.com/Neilpang/acme.sh/issues/65
249 6. lexicon dns api: https://github.com/Neilpang/acme.sh/wiki/How-to-use-lexicon-dns-api
250 (DigitalOcean, DNSimple, DnsMadeEasy, DNSPark, EasyDNS, Namesilo, NS1, PointHQ, Rage4 and Vultr etc.)
252 ##### More APIs are coming soon...
254 If your DNS provider is not on the supported list above, you can write your own script API easily. If you do please consider submitting a [Pull Request](https://github.com/Neilpang/acme.sh/pulls) and contribute to the project.
256 For more details: [How to use dns api](dnsapi)
258 # Issue ECC certificate:
260 `Let's Encrypt` now can issue **ECDSA** certificates.
262 And we also support it.
264 Just set the `length` parameter with a prefix `ec-`.
268 ### Single domain ECC cerfiticate:
271 acme.sh --issue -w /home/wwwroot/aa.com -d aa.com --keylength ec-256
274 SAN multi domain ECC certificate:
277 acme.sh --issue -w /home/wwwroot/aa.com -d aa.com -d www.aa.com --keylength ec-256
280 Please look at the last parameter above.
284 1. **ec-256 (prime256v1, "ECDSA P-256")**
285 2. **ec-384 (secp384r1, "ECDSA P-384")**
286 3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
290 Speak ACME language using shell, directly to "Let's Encrypt".
295 1. Acme-tiny: https://github.com/diafygi/acme-tiny
296 2. ACME protocol: https://github.com/ietf-wg-acme/acme
297 3. Certbot: https://github.com/certbot/certbot
303 Please Star and Fork me.
305 [Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcomed.
309 1. PayPal: donate@acme.sh