How To Issue Let's Encrypt ACMEv2 Wildcard Certs

I will be using the Let's Encrypt ACME v2 client acme.sh to issue Let's Encrypt wildcard certificates, on a DigitalOcean server. You can find a list of other compatible clients here (the Let's Encrypt client options page in the references). You don't need to renew the certs manually: all certs are renewed automatically every 60 days.

1. Install the ACME shell script online

$ curl https://get.acme.sh | sh

After the installation, you must close the current terminal and reopen it.

The installer will perform 3 actions:

  1. Create and copy acme.sh to your home dir ($HOME): ~/.acme.sh/. All certs will be placed in this directory.
  2. Create an alias: acme.sh=~/.acme.sh/acme.sh.
  3. Create a daily cron job to check and renew the certs if needed.

Cron entry example:

0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

2. Use DigitalOcean API (native)

You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/community/tutorials/how-to-use-the-digitalocean-api-v2

Replace with the correct access token you got from DigitalOcean:

$ export DO_API_KEY="75310dc4ca... ..."

3. Issue Cert with wildcard domain:

$ acme.sh --issue --dns dns_dgon -d example.com -d '*.example.com'

The wildcard name is quoted so the shell does not expand it as a file glob before acme.sh sees it.

Your cert locations:

Your cert is in /home/user/.acme.sh/example.com/example.com.cer
Your cert key is in /home/user/.acme.sh/example.com/example.com.key
The intermediate CA cert is in /home/user/.acme.sh/example.com/ca.cer
And the full chain certs is there: /home/user/.acme.sh/example.com/fullchain.cer
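The private keys listed above, and the DO_API_KEY token from step 2 (which acme.sh saves in ~/.acme.sh/account.conf so the daily cron renewal can reuse it), are the secrets of this setup. The following is an added example, not code from the post or from acme.sh: a small audit that reports any of those files readable by group or other, plus a remediation helper. The function names check_acme_secrets and lock_down_acme_secrets are chosen here, and the demo runs on a constructed directory that mimics the layout above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the acme.sh home
# directory for secret files that group or other can read. acme.sh keeps
# each private key under <home>/<domain>/ (the paths listed above) and
# saves the DO_API_KEY token in <home>/account.conf for the cron renewal.
# Both should be owner-only (0600) and the directory 0700.

# check_acme_secrets <acme_home>
# Prints every *.key file and account.conf under <acme_home> whose mode
# grants any permission to group or other. Returns 0 when all are
# private, 1 when at least one is exposed.
check_acme_secrets() {
    dir=$1
    # Columns 5-10 of `ls -l` are the group/other bits; "------" is owner-only.
    exposed=$(find "$dir" -type f \( -name '*.key' -o -name 'account.conf' \) \
        -exec sh -c '
            for f; do
                bits=$(ls -ld "$f" | cut -c5-10)
                [ "$bits" = "------" ] || echo "EXPOSED ($bits): $f"
            done' sh {} +)
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
    return 0
}

# lock_down_acme_secrets <acme_home>
# Remediation: owner-only directory, owner read/write on keys and account.conf.
lock_down_acme_secrets() {
    dir=$1
    chmod 700 "$dir"
    find "$dir" -type f \( -name '*.key' -o -name 'account.conf' \) \
        -exec chmod 600 {} +
}

# Demo on a constructed directory that mimics ~/.acme.sh after step 3.
demo=$(mktemp -d)
mkdir -p "$demo/example.com"
printf 'DO_API_KEY=PLACEHOLDER_TOKEN\n' > "$demo/account.conf"   # constructed
printf 'not a real key\n' > "$demo/example.com/example.com.key"  # constructed
chmod 644 "$demo/account.conf"                 # the unsafe case: token readable by all
chmod 600 "$demo/example.com/example.com.key"
check_acme_secrets "$demo" || echo "audit failed, fixing"
lock_down_acme_secrets "$demo"
check_acme_secrets "$demo" && echo "all acme.sh secrets are owner-only"
rm -rf "$demo"
```

Run it against your real directory with check_acme_secrets "$HOME/.acme.sh" after issuing; it is worth adding to the same cron schedule as the renewal.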

4. (NGINX) Modify your NGINX config to point to the new cert location

I use a snippets folder to point to my ssl cert. Open this location and modify it (replacing example.com with your domain name):

$ sudo nano /etc/nginx/snippets/example.com.conf

Delete the contents of this file and replace with (substitute 'user' and 'example.com' with the appropriate names):

ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer;
ssl_certificate_key /home/user/.acme.sh/example.com/example.com.key;

Press Ctrl+X, then 'Y', then Enter to save and exit.

Restart nginx:

$ sudo service nginx restart

5. How to force renew the certs

You don't need to renew the certs manually. All the certs will be renewed automatically every 60 days.

However, you can also force a renewal of a cert:

$ acme.sh --renew -d example.com --force

6. How to stop cert renewal

To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:

$ acme.sh --remove -d example.com [--ecc]

The cert/key file is not removed from the disk.

You can remove the respective directory (e.g. ~/.acme.sh/example.com) by yourself.

7. How to upgrade acme.sh

acme.sh is in constant development, so it's strongly recommended to use the latest code.

You can update acme.sh to the latest code:

$ acme.sh --upgrade

You can also enable auto upgrade:

$ acme.sh --upgrade --auto-upgrade

Then acme.sh will be kept up to date automatically.

Disable auto upgrade:

$ acme.sh --upgrade --auto-upgrade 0

REFERENCES

https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
https://letsencrypt.org/docs/client-options/
https://www.digitalocean.com/help/api/
https://www.digitalocean.com/community/tutorials/how-to-use-the-digitalocean-api-v2
https://github.com/Neilpang/acme.sh
https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
https://github.com/Neilpang/acme.sh/tree/master/dnsapi
