acme.sh - Obtain Let's Encrypt certificate for Nginx vhost
My test platform: Debian 9.9
Requirements: user with root privileges or non-root user with sudo privileges.
acme.sh installation
$ sudo su - root
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh
./acme.sh --install --accountemail your_email@yourdomain.com
source ~/.bashrc
cd ~
acme.sh --version
Obtain RSA and ECC/ECDSA certificates for your domain/hostname:
# RSA 2048
acme.sh --issue --standalone -d yourdomain.com --keylength 2048
# ECDSA
acme.sh --issue --standalone -d yourdomain.com --keylength ec-256
After running the above commands, your certificates and keys will be in:
- RSA: /home/username/yourdomain.com directory.
- ECC/ECDSA: /home/username/yourdomain.com_ecc directory.
To view the issued certificates, run:
acme.sh --list
Create a directory to store your certs:
mkdir -p /etc/letsecnrypt/yourdomain.com
mkdir -p /etc/letsencrypt/yourdomain.com_ecc
Install/copy the certificates to the /etc/letsencrypt directory (example with the Nginx http server):
# RSA
acme.sh --install-cert -d yourdomain.com --cert-file /etc/letsencrypt/yourdomain.com/cert.pem \
--key-file /etc/letsencrypt/yourdomain.com/private.key --fullchain-file /etc/letsencrypt/yourdomain.com/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
# ECC/ECDSA
acme.sh --install-cert -d yourdomain.com --ecc --cert-file /etc/letsencrypt/yourdomain.com_ecc/cert.pem \
--key-file /etc/letsencrypt/yourdomain.com_ecc/private.key --fullchain-file /etc/letsencrypt/yourdomain.com_ecc/fullchain.pem \
--reloadcmd "sudo systemctl reload nginx.service"
# return back to normal user
exit
All the certificates will be automatically renewed every 60 days.