I will be using the Lets Encrypt ACME v2 Client acme.sh to issue LetsEncrypt wildcard certificates. I will also be using a DigitalOcean server. You can find an additional list of other compatible clients here. You don’t need to renew the certs manually. All the certs will be renewed automatically every 60 days.
1. Install the ACME shell script online
$ curl https://get.acme.sh | sh
After the installation, you must close the current terminal and reopen it.
The installer will perform 3 actions:
- Create and copy acme.sh to your home dir ($HOME): ~/.acme.sh/. All certs will be placed in this
- Create alias for: acme.sh=~/.acme.sh/acme.sh.
- Create daily cron job to check and renew the certs if needed.
Cron entry example:
0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
2. Use DigitalOcean API (native)
You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/community/tutorials/how-to-use-the-digitalocean-api-v2
Replace with the correct access token you got from DigitalOcean:
$ export DO_API_KEY="75310dc4ca... ..."
3. Issue Cert with wilcard domain:
$ acme.sh --issue --dns dns_dgon -d example.com -d *.example.com
Your cert locations:
Your cert is in /home/user/.acme.sh/example.com/example.com.cer
Your cert key is in /home/user/.acme.sh/example.com/example.com.key
The intermediate CA cert is in /home/user/.acme.sh/example.com/ca.cer
And the full chain certs is there: /home/user/.acme.sh/example.com/fullchain.cer
4. (NGINX) Modify your NGINX config to point to the new cert location
I use a snippets folder to point to my ssl cert. Open this location and modify it (replacing example.com with your domain name):
$ sudo nano /etc/nginx/snippets/example.com.conf
Delete the contents of this file and replace with (substitute ‘user’ and ‘example.com’ with appropriate names):
ssl_certificate /home/user/.acme.sh/example.com/fullchain.cer; ssl_certificate_key /home/user/.acme.sh/example.com/example.com.key;
Ctrl+X, ‘Y’ the enter to save and exit.
$ sudo service nginx restart
5. How to force renew the certs
No, you don’t need to renew the certs manually. All the certs will be renewed automatically every 60 days.
However, you can also force to renew a cert:
$ acme.sh --renew -d example.com --force
6. How to stop cert renewal
To stop renewal of a cert, you can execute the following to remove the cert from the renewal list:
$ acme.sh --remove -d example.com [--ecc]
The cert/key file is not removed from the disk.
You can remove the respective directory (e.g. ~/.acme.sh/example.com) by yourself.
7. How to upgrade acme.sh
acme.sh is in constant development, so it’s strongly recommended to use the latest code.
You can update acme.sh to the latest code:
$ acme.sh --upgrade
You can also enable auto upgrade:
$ acme.sh --upgrade --auto-upgrade
Then acme.sh will be kept up to date automatically.
Disable auto upgrade:
acme.sh --upgrade --auto-upgrade 0