How To Issue Let's Encrypt ACMEv2 Wildcard Certs

I will be using an ACME v2 shell client to issue Let's Encrypt wildcard certificates, on a DigitalOcean server. You can find a list of other compatible clients here. Let's Encrypt only issues wildcard certificates over ACME v2 with the DNS-01 challenge, which is why the steps below need write access to your DNS provider's API. You don't need to renew the certs manually: the client's cron job renews every cert automatically once it is 60 days old.

1. Install the ACME shell script

$ curl | sh

This one-liner pipes a remote script straight into your shell as your user; if that matters in your environment, download the script first and read it before running it. After the installation, close the current terminal and reopen it so the new alias is picked up.

The installer performs 3 actions:

  1. Creates a directory under your home dir ($HOME), ~/, and copies the script there. All certs will be placed in this directory.
  2. Creates a shell alias for the script.
  3. Creates a daily cron job that checks the certs and renews any that are due.

Cron entry example:

0 0 * * * "/home/user/"/ --cron --home "/home/user/" > /dev/null

2. Use the DigitalOcean API (native DNS mode)

The client needs a read and write capable API token from your DigitalOcean account: it creates the _acme-challenge TXT records for the DNS-01 challenge and deletes them afterwards. See DigitalOcean's API documentation for how to generate one.

A full read/write DigitalOcean token covers every resource on the account, DNS zones and droplets alike, so treat it like a root password: generate it under a dedicated account where you can, keep it out of world-readable files, and expect the client to store it in its own config file so the cron job can renew unattended, which means the client's directory must stay private too. Replace the value below with the access token you got from DigitalOcean:

$ export DO_API_KEY="75310dc4ca... ..."

Typing the token after export also writes it to your shell history; reading it from a file with 0600 permissions avoids that.

3. Issue a cert for the wildcard domain:

$ --issue --dns dns_dgon -d -d *

Both -d entries are needed: a wildcard name does not cover the apex domain itself, so the apex and the wildcard go on the same cert.

Your cert locations:

Your cert is in /home/user/
Your cert key is in /home/user/
The intermediate CA cert is in /home/user/
The full chain (cert plus intermediate) is in /home/user/

4. (NGINX) Modify your NGINX config to point to the new cert location

I use a snippets folder to point at my SSL cert. Open this file and modify it (replacing with your domain name):

$ sudo nano /etc/nginx/snippets/

Delete the contents of this file and replace them with the following (substitute 'user' and the domain directory with the appropriate names). Point ssl_certificate at the full chain file rather than the bare cert: without the intermediate in the served chain, many clients cannot build a path to the Let's Encrypt root and reject the connection.

ssl_certificate /home/user/;
ssl_certificate_key /home/user/;

Ctrl+X, 'Y', then Enter to save and exit.

Restart nginx:

$ sudo service nginx restart

Note that the daily cron job only rewrites the files on disk; nginx keeps serving the certificate it loaded at startup until it is reloaded, so a reload after each successful renewal is part of the setup (the client can run a reload command for you when a renewal succeeds).
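Steps 1 to 4 as one script, added here as an example; it is not code from the original post or from the client's project. The client is acme.sh (the dns_dgon hook and the DO_API_KEY variable are its DigitalOcean DNS integration), assumed at its default location ~/.acme.sh/acme.sh. The domain example.com, the token file ~/.do_token, the install directory /etc/nginx/ssl and the `systemctl reload nginx` command are assumptions to change for your setup. The live issue/install path only runs with ACME_LIVE=1; everything else runs offline against a constructed self-signed cert carrying the same names a wildcard cert would, so the post-issue checks (both names present, key matches cert, key unreadable by others, renewal due at the 30-days-left point that corresponds to the 60-day renewal) can be tried before touching the real files.

```shell
#!/bin/sh
# Added example, not the original post's code nor acme.sh's own: steps 1-4 as
# one script plus the checks to run on the resulting files.
# Assumptions: acme.sh at its default path, domain example.com, DigitalOcean
# token in ~/.do_token (mode 0600), certs installed to /etc/nginx/ssl.
set -eu

DOMAIN="${DOMAIN:-example.com}"
ACME="${ACME:-$HOME/.acme.sh/acme.sh}"
SSL_DIR="${SSL_DIR:-/etc/nginx/ssl}"

# Live path: needs network, acme.sh and a DigitalOcean token. Only runs with
# ACME_LIVE=1 so the rest of the script stays runnable offline.
issue_and_install() {
    # Read the token from a 0600 file rather than typing it after "export":
    # that keeps it out of shell history and out of `ps` output.
    DO_API_KEY="$(cat "$HOME/.do_token")"; export DO_API_KEY
    # A wildcard does not cover the apex, so both names go on one cert.
    "$ACME" --issue --dns dns_dgon -d "$DOMAIN" -d "*.$DOMAIN"
    # Copy into nginx's directory and reload after every renewal; without
    # --reloadcmd the cron job rewrites the files but nginx keeps serving
    # the certificate it loaded at startup.
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file "$SSL_DIR/$DOMAIN.key" \
        --fullchain-file "$SSL_DIR/$DOMAIN.fullchain.pem" \
        --reloadcmd "systemctl reload nginx"
}

# The two lines the nginx snippet needs: the full chain, not the bare cert.
nginx_snippet() {  # domain
    printf 'ssl_certificate %s/%s.fullchain.pem;\nssl_certificate_key %s/%s.key;\n' \
        "$SSL_DIR" "$1" "$SSL_DIR" "$1"
}

# --- checks to run on the issued files (all offline) -------------------------

# 0 if the given DNS name is one of the cert's subjectAltName entries.
cert_has_san() {  # cert name
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' | grep -Fxq -- "DNS:$2"
}

# 0 if the key's public half matches the cert (nginx otherwise refuses to
# start with "key values mismatch").
key_matches_cert() {  # cert key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the cert expires within N days. acme.sh renews at 60 days of age,
# i.e. with 30 days left on a 90-day Let's Encrypt cert.
needs_renewal() {  # cert days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 if neither group nor others can read the private key.
key_perms_ok() {  # key
    ! ls -l "$1" | cut -c5-10 | grep -q r
}

# --- constructed test input: a self-signed cert with the SANs an issued
# wildcard cert carries, so the checks can be exercised without issuing.
WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/$DOMAIN.fullchain.pem"
KEY="$WORKDIR/$DOMAIN.key"
cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $DOMAIN
[v3]
subjectAltName = DNS:$DOMAIN, DNS:*.$DOMAIN
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 25 \
    -config "$WORKDIR/openssl.cnf" -keyout "$KEY" -out "$CERT" 2>/dev/null
chmod 600 "$KEY"

[ "${ACME_LIVE:-0}" = 1 ] && issue_and_install

for name in "$DOMAIN" "*.$DOMAIN"; do
    cert_has_san "$CERT" "$name" && echo "SAN present: $name"
done
key_matches_cert "$CERT" "$KEY" && echo "key matches cert"
key_perms_ok "$KEY" && echo "key not readable by group or others"
if needs_renewal "$CERT" 30; then echo "renewal due"; else echo "renewal not due"; fi
nginx_snippet "$DOMAIN"
```

Run it with no environment set to exercise the checks on the throwaway cert; with ACME_LIVE=1 it issues and installs for real, after which the same check functions can be pointed at the files under /etc/nginx/ssl.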

5. How to force renew the certs

You don't need to renew the certs manually; all the certs are renewed automatically once they are 60 days old.

However, you can also force a renewal before then:

$ --renew -d --force

--force skips the age check. If the cert was issued with an ECC key, add --ecc so the client looks in the right cert directory.

6. How to stop cert renewal

To stop renewal of a cert, run the following to remove it from the renewal list:

$ --remove -d [--ecc]

The cert and key files are not removed from disk; you can delete the respective directory (e.g. ~/) yourself. Nginx will keep using the files until you change its config, so a cert left in place is served until it expires.

7. How to upgrade

The client is in constant development, so it's strongly recommended to use the latest code.

You can update to the latest code:

$ --upgrade

You can also enable auto upgrade:

$ --upgrade --auto-upgrade

Then the client will be kept up to date automatically. Be aware of what that means: the daily cron job will fetch and run whatever the upstream repository currently ships, with access to your private keys and the DigitalOcean token, so enable it only if you trust that channel more than you value reviewing updates yourself.

Disable auto upgrade:

$ --upgrade --auto-upgrade 0

