+# An ACME Shell script: acme.sh [](https://travis-ci.org/Neilpang/acme.sh)
-Skip to content
-Pull requests
-Issues
-Marketplace
-Explore
-@stilez
-Learn Git and GitHub without any code!
+<a href="https://opencollective.com/acmesh" alt="Financial Contributors on Open Collective"><img src="https://opencollective.com/acmesh/all/badge.svg?label=financial+contributors" /></a> [](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+- An ACME protocol client written purely in Shell (Unix shell) language.
+- Full ACME protocol implementation.
+- Support ACME v1 and ACME v2
+- Support ACME v2 wildcard certs
+- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
+- Bash, dash and sh compatible.
+- Simplest shell script for Let's Encrypt free certificate client.
+- Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
+- Just one script to issue, renew and install your certificates automatically.
+- DOES NOT require `root/sudoer` access.
+- Docker friendly
+- IPv6 support
+- Cron job notifications for renewal or error etc.
-Using the Hello World guide, you’ll start a branch, write comments, and open a pull request.
+It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
-395
-14.7k
+Wiki: https://github.com/Neilpang/acme.sh/wiki
- 1.9k
+For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker)
-Neilpang/acme.sh
-Code
-Issues 415
-Pull requests 110
-Actions
-Projects 0
-Wiki
-Security
-Insights
-You’re editing a file in a project you don’t have write access to. Submitting a change to this file will write it to a new branch in your fork stilez/acme.sh, so you can send a pull request.
-acme.sh/
+Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
-1
+# [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
-2
+# Who:
+- [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
+- [ruby-china.org](https://ruby-china.org/topics/31983)
+- [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer))
+- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
+- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
+- [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
+- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
+- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
+- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
+- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
+- [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
+- [CentOS Web Panel](http://centos-webpanel.com/)
+- [lnmp.org](https://lnmp.org/)
+- [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials)
+# Tested OS
-3
+| NO | Status| Platform|
+|----|-------|---------|
+|1|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
+|2|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
+|3|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
+|4|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
+|5|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
+|6|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
+|7|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
+|8|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
+|9|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
+|10|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
+|11|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
+|12|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
+|13|[](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
+|14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111
+|15|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
+|16|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Mageia
+|17|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/Neilpang/acme.sh/wiki/How-to-run-on-OpenWRT)
+|18|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|SunOS/Solaris
+|19|[](https://github.com/Neilpang/letest#here-are-the-latest-status)|Gentoo Linux
+|20|[](https://travis-ci.org/Neilpang/acme.sh)|Mac OSX
-<a href="https://opencollective.com/acmesh" alt="Financial Contributors on Open Collective"><img src="https://opencollective.com/acmesh/all/badge.svg?label=financial+contributors" /></a> [](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+For all build statuses, check our [weekly build project](https://github.com/Neilpang/acmetest):
-4
+https://github.com/Neilpang/acmetest
-- An ACME protocol client written purely in Shell (Unix shell) language.
+# Supported CA
-5
+- Letsencrypt.org CA(default)
+- [BuyPass.com CA](https://github.com/Neilpang/acme.sh/wiki/BuyPass.com-CA)
+- [Pebble strict Mode](https://github.com/letsencrypt/pebble)
-- Full ACME protocol implementation.
+# Supported modes
-6
+- Webroot mode
+- Standalone mode
+- Standalone tls-alpn mode
+- Apache mode
+- Nginx mode
+- DNS mode
+- [DNS alias mode](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
+- [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
-7
+# 1. How to install
+### 1. Install online
-8
+Check this project: https://github.com/Neilpang/get.acme.sh
-- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
+```bash
+curl https://get.acme.sh | sh
+```
-- DOES NOT require `root/sudoer` access.
+Or:
-14
+```bash
+wget -O - https://get.acme.sh | sh
+```
-- Docker friendly
-15
+### 2. Or, Install from git
-- IPv6 support
+Clone this project and launch installation:
-16
+```bash
+git clone https://github.com/Neilpang/acme.sh.git
+cd ./acme.sh
+./acme.sh --install
+```
-- Cron job notifications for renewal or error etc.
+You `don't have to be root` then, although `it is recommended`.
-17
+Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install
-
+The installer will perform 3 actions:
-18
+1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`.
+All certs will be placed in this folder too.
+2. Create alias for: `acme.sh=~/.acme.sh/acme.sh`.
+3. Create daily cron job to check and renew the certs if needed.
-It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
+Cron entry example:
-19
+```bash
+0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
+```
+After the installation, you must close the current terminal and reopen it to make the alias take effect.
-20
+Ok, you are ready to issue certs now.
-Wiki: https://github.com/Neilpang/acme.sh/wiki
+Show help message:
-21
+```sh
+root@v1:~# acme.sh -h
+```
-
+# 2. Just issue a cert
-22
+**Example 1:** Single domain.
-For Docker Fans: [acme.sh :two_hearts: Docker ](https://github.com/Neilpang/acme.sh/wiki/Run-acme.sh-in-docker)
+```bash
+acme.sh --issue -d example.com -w /home/wwwroot/example.com
+```
-23
+or:
-
+```bash
+acme.sh --issue -d example.com -w /home/username/public_html
+```
-24
+or:
-Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
+```bash
+acme.sh --issue -d example.com -w /var/www/html
+```
-25
+**Example 2:** Multiple domains in the same cert.
-
+```bash
+acme.sh --issue -d example.com -d www.example.com -d cp.example.com -w /home/wwwroot/example.com
+```
-26
+The parameter `/home/wwwroot/example.com` or `/home/username/public_html` or `/var/www/html` is the web root folder where you host your website files. You **MUST** have `write access` to this folder.
+Second argument **"example.com"** is the main domain you want to issue the cert for.
+You must have at least one domain there.
-27
+You must point and bind all the domains to the same webroot dir: `/home/wwwroot/example.com`.
-# [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
+The certs will be placed in `~/.acme.sh/example.com/`
-28
+The certs will be renewed automatically every **60** days.
-
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-# Who:
+# 3. Install the cert to Apache/Nginx etc.
-30
+After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers.
+You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future.
-- [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
+**Apache** example:
+```bash
+acme.sh --install-cert -d example.com \
+--cert-file /path/to/certfile/in/apache/cert.pem \
+--key-file /path/to/keyfile/in/apache/key.pem \
+--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
+--reloadcmd "service apache2 force-reload"
+```
-31
+**Nginx** example:
+```bash
+acme.sh --install-cert -d example.com \
+--key-file /path/to/keyfile/in/nginx/key.pem \
+--fullchain-file /path/to/fullchain/nginx/cert.pem \
+--reloadcmd "service nginx force-reload"
+```
-- [ruby-china.org](https://ruby-china.org/topics/31983)
+Only the domain is required, all the other parameters are optional.
-32
+The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permission.
+Install/copy the cert/key to the production Apache or Nginx path.
-33
+The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
-- [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
-34
+**Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.**
-- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
+# 4. Use Standalone server to issue cert
-35
+**(requires you to be root/sudoer or have permission to listen on port 80 (TCP))**
+Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
-36
+```bash
+acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
+```
-- [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-37
+# 5. Use Standalone ssl server to issue cert
-- [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
+**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))**
-38
+Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again.
-- [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
+```bash
+acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com
+```
-39
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
-- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
-40
+# 6. Use Apache mode
+**(requires you to be root/sudoer, since it is required to interact with Apache server)**
-41
+If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`.
-- [CentOS Web Panel](http://centos-webpanel.com/)
+Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder.
+Just set string "apache" as the second argument and it will force use of apache plugin automatically.
-- [lnmp.org](https://lnmp.org/)
+```sh
+acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com
+```
-43
+**This apache mode is only to issue the cert, it will not change your apache config files.
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess your apache server, don't worry.**
-- [more...](https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials)
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+# 7. Use Nginx mode
-
+**(requires you to be root/sudoer, since it is required to interact with Nginx server)**
-45
+If you are running a web server, Apache or Nginx, it is recommended to use the `Webroot mode`.
+Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder.
-46
+Just set string "nginx" as the second argument.
-
+It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version.
-47
+So, the config is not changed.
-| NO | Status| Platform|
+```sh
+acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com
+```
+
+**This nginx mode is only to issue the cert, it will not change your nginx config files.
+You will need to configure your website config files to use the cert by yourself.
+We don't want to mess your nginx server, don't worry.**
+
+More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
+
+# 8. Automatic DNS API integration
+
+If your DNS provider supports API access, we can use that API to automatically issue the certs.
+
+You don't have to do anything manually!
+
+### Currently acme.sh supports most of the dns providers:
+
+https://github.com/Neilpang/acme.sh/wiki/dnsapi
+
+# 9. Use DNS manual mode:
+
+See: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode first.
+
+If your dns provider doesn't support any api access, you can add the txt record by your hand.
+
+```bash
+acme.sh --issue --dns -d example.com -d www.example.com -d cp.example.com
+```
+
+You should get an output like below:
+
+```sh
+Add the following txt record:
+Domain:_acme-challenge.example.com
+Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
+
+Add the following txt record:
+Domain:_acme-challenge.www.example.com
+Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+Please add those txt records to the domains. Waiting for the dns to take effect.
+```
+
+Then just rerun with `renew` argument:
+
+```bash
+acme.sh --renew -d example.com
+```
+
+Ok, it's done.
+
+**Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.**
+
+**Please use dns api mode instead.**
+
+# 10. Issue ECC certificates
+
+`Let's Encrypt` can now issue **ECDSA** certificates.
+
+And we support them too!
+
+Just set the `keylength` parameter with a prefix `ec-`.
+
+For example:
+
+### Single domain ECC certificate
+
+```bash
+acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256
+```
+
+### SAN multi domain ECC certificate
+
+```bash
+acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength ec-256
+```
+
+Please look at the `keylength` parameter above.
+
+Valid values are:
+
+1. **ec-256 (prime256v1, "ECDSA P-256")**
+2. **ec-384 (secp384r1, "ECDSA P-384")**
+3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
+
+
+
+# 11. Issue Wildcard certificates
+
+It's simple, just give a wildcard domain as the `-d` parameter.
+
+```sh
+acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf
+```
+
+
+
+# 12. How to renew the certs
+
+No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days.
+
+However, you can also force to renew a cert:
+
+```sh
+acme.sh --renew -d example.com --force
+```
+
+or, for ECC cert:
+
+```sh
+acme.sh --renew -d example.com --force --ecc
+```
+
+
+# 13. How to stop cert renewal
+
+To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
+
+```sh
+acme.sh --remove -d example.com [--ecc]
+```
+
+The cert/key file is not removed from the disk.
+
+You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself.
+
+
+# 14. How to upgrade `acme.sh`
+
+acme.sh is in constant development, so it's strongly recommended to use the latest code.
+
+You can update acme.sh to the latest code:
+
+```sh
+acme.sh --upgrade
+```
+
+You can also enable auto upgrade:
+
+```sh
+acme.sh --upgrade --auto-upgrade
+```
+
+Then **acme.sh** will be kept up to date automatically.
+
+Disable auto upgrade:
+
+```sh
+acme.sh --upgrade --auto-upgrade 0
+```
+
+
+# 15. Issue a cert from an existing CSR
+
+https://github.com/Neilpang/acme.sh/wiki/Issue-a-cert-from-existing-CSR
+
+
+# 16. Send notifications in cronjob
+
+https://github.com/Neilpang/acme.sh/wiki/notify
+
+
+# 17. Under the Hood
+
+Speak ACME language using shell, directly to "Let's Encrypt".
+
+TODO:
+
+
+# 18. Acknowledgments
+
+1. Acme-tiny: https://github.com/diafygi/acme-tiny
+2. ACME protocol: https://github.com/ietf-wg-acme/acme
+
+
+## Contributors
+
+### Code Contributors
+
+This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
+<a href="https://github.com/Neilpang/acme.sh/graphs/contributors"><img src="https://opencollective.com/acmesh/contributors.svg?width=890&button=false" /></a>
+
+### Financial Contributors
+
+Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+#### Individuals
+
+<a href="https://opencollective.com/acmesh"><img src="https://opencollective.com/acmesh/individuals.svg?width=890"></a>
+
+#### Organizations
+
+Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)]
+
+<a href="https://opencollective.com/acmesh/organization/0/website"><img src="https://opencollective.com/acmesh/organization/0/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/1/website"><img src="https://opencollective.com/acmesh/organization/1/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/2/website"><img src="https://opencollective.com/acmesh/organization/2/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/3/website"><img src="https://opencollective.com/acmesh/organization/3/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/4/website"><img src="https://opencollective.com/acmesh/organization/4/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/5/website"><img src="https://opencollective.com/acmesh/organization/5/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/6/website"><img src="https://opencollective.com/acmesh/organization/6/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/7/website"><img src="https://opencollective.com/acmesh/organization/7/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/8/website"><img src="https://opencollective.com/acmesh/organization/8/avatar.svg"></a>
+<a href="https://opencollective.com/acmesh/organization/9/website"><img src="https://opencollective.com/acmesh/organization/9/avatar.svg"></a>
+
+# 19. License & Others
+
+License is GPLv3
+
+Please Star and Fork me.
+
+[Issues](https://github.com/Neilpang/acme.sh/issues) and [pull requests](https://github.com/Neilpang/acme.sh/pulls) are welcome.
+
+
+# 20. Donate
+Your donation makes **acme.sh** better:
+
+1. PayPal/Alipay(支付宝)/Wechat(微信): [https://donate.acme.sh/](https://donate.acme.sh/)
+[Donate List](https://github.com/Neilpang/acme.sh/wiki/Donate-list)
projects / mirror_acme.sh.git / commitdiff