I’ve had my head in the Certbot world a lot recently. A few weeks back I wrote about writing a Certbot Python Installer plugin for cPanel. Now I’m implementing acme.sh for a new project. The driver behind using acme.sh was not being able to install the full Certbot application in this environment.
If you haven’t heard of acme.sh it boasts the following:
- Support for 5 different CA’s (ZeroSSL.com being the default)
- Support for acme challenge and dns-01
- A large list of DNS providers
- Support for wildcard certificates!
- Standard support for Apache and Nginx installers
- Additional installer options: Docker, cPanel, Consul, Dovecot, Exim, MySQL, SSH …
- You do not require root/sudoer access
- Automatically run via cron to ensure your certs are updated
If your DNS provider isn’t in the list the team are open to PR’s.
Getting up and running
Install and configure acme.sh
curl https://get.acme.sh | sh source ~/.bashrc acme.sh --register-account --accountemail [email protected]
Confirm that the cron job is configured
crontab -l | grep acme.sh
Obtaining certificates for your domain(s)
acme.sh --issue --webroot ~/public_html -d example.com -d www.example.com --force
Optionally include "-d domain" to include additional SAN's
Installing certificates to a cPanel hosted website
acme.sh --deploy --deploy-hook cpanel_uapi --domain example.com
Installing certificate for custom services
acme.sh --install-cert -d example.com \ --key-file /etc/ssl/certs/key.pem \ --fullchain-file /etc/ssl/certs/cert.pem \ --reloadcmd "service nginx force-reload"
Stop a domain from automatically renewing its certificate
acme.sh --remove -d example.com
acme.sh --upgrade [--auto-upgrade]
While testing I hit rate-limits with Let’s Encrypt which were avoided with ZeroSSL. ZeroSSL have provide a comparison of them vs Let’s Encrypt.