I’ve had my head in the Certbot world a lot recently. A few weeks back I wrote about writing a Certbot Python Installer plugin for cPanel. Now I’m implementing acme.sh for a new project. The driver behind using acme.sh was not being able to install the full Certbot application in this environment.

If you haven’t heard of acme.sh it boasts the following:

  • Support for 5 different CAs (ZeroSSL.com being the default)
  • Support for the ACME HTTP-01 and DNS-01 challenges
  • A large list of DNS providers
  • Support for wildcard certificates!
  • Standard support for Apache and Nginx installers
  • Additional installer options: Docker, cPanel, Consul, Dovecot, Exim, MySQL, SSH …
  • No root/sudo access required
  • Runs automatically via cron to keep your certs renewed

If your DNS provider isn’t in the list, the team are open to PRs.

Getting up and running

Install and configure acme.sh

curl https://get.acme.sh | sh
source ~/.bashrc
acme.sh --register-account --accountemail you@example.com

Confirm that the cron job is configured

crontab -l | grep acme.sh

Obtaining certificates for your domain(s)

acme.sh --issue --webroot ~/public_html -d example.com -d www.example.com --force
Optionally include further "-d domain" arguments to add more SANs.

Installing certificates to a cPanel hosted website

acme.sh --deploy --deploy-hook cpanel_uapi --domain example.com

Installing certificates for custom services

acme.sh --install-cert -d example.com \
--key-file /etc/ssl/certs/key.pem \
--fullchain-file /etc/ssl/certs/cert.pem \
--reloadcmd "service nginx force-reload"
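The --reloadcmd above runs unconditionally as soon as acme.sh has copied the files into place, and the key lands in /etc/ssl/certs, which is world-readable on most distributions. The script below is an added example (not acme.sh's own code) of a reload hook that fails closed: it checks that the key and fullchain files are non-empty and well-formed, tightens the key to 0600, and only then runs the real reload command. The script name, the paths and the MIN_CHAIN_CERTS threshold are assumptions; acme.sh only guarantees that the files it wrote exist before calling the hook.

```shell
#!/bin/sh
# reload-if-valid.sh (hypothetical name): validate the files acme.sh just
# installed before reloading the service. Intended use, as an assumption:
#   acme.sh --install-cert -d example.com \
#     --key-file /etc/ssl/private/key.pem \
#     --fullchain-file /etc/ssl/certs/cert.pem \
#     --reloadcmd "/usr/local/bin/reload-if-valid.sh /etc/ssl/private/key.pem /etc/ssl/certs/cert.pem 'service nginx force-reload'"

# A fullchain file should carry the leaf plus at least one intermediate;
# fewer usually means --fullchain-file was pointed at the bare cert.
MIN_CHAIN_CERTS=${MIN_CHAIN_CERTS:-2}

# Count PEM blocks of the given type (e.g. CERTIFICATE) in a file; 0 if unreadable.
pem_block_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# Return 0 only if key and chain look sane; also restricts key permissions.
cert_files_ok() {
    key=$1
    chain=$2
    # both files must exist and be non-empty
    [ -s "$key" ] && [ -s "$chain" ] || return 1
    # any PEM private key type (RSA, EC, PKCS#8) is acceptable
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 1
    n=$(pem_block_count "$chain" CERTIFICATE)
    [ "$n" -ge "$MIN_CHAIN_CERTS" ] || return 1
    # private key must not be readable by other local users
    chmod 600 "$key" || return 1
    return 0
}

# Run the reload command only when validation passes; a non-zero exit makes
# acme.sh log the failure instead of silently leaving the service misconfigured.
reload_if_valid() {
    if cert_files_ok "$1" "$2"; then
        sh -c "$3"
    else
        echo "reload-if-valid: certificate files failed validation, not reloading" >&2
        return 1
    fi
}

# Act only when executed as the script itself; sourcing just defines the functions.
case "$0" in
    */reload-if-valid.sh|reload-if-valid.sh) reload_if_valid "$1" "$2" "$3" ;;
esac
```

Because acme.sh runs the hook after every renewal, the permission check repeats each time the key is rotated, and a chain file that unexpectedly shrinks to a single certificate stops the reload rather than being served to clients.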

Stop a domain from automatically renewing its certificate

acme.sh --remove -d example.com

Update acme.sh

acme.sh --upgrade [--auto-upgrade]

While testing I hit rate limits with Let’s Encrypt, which were avoided with ZeroSSL. ZeroSSL have published a comparison of themselves vs Let’s Encrypt.