---
title: ACME.SH
visible: true
---

[toc]

## Getting ACME.SH

```sh
$ git clone https://github.com/acmesh-official/acme.sh.git
$ cd ./acme.sh
$ ./acme.sh --install -m my@example.com
```

## First time ZeroSSL registration

`$ (path to)/acme.sh --register-account -m (email)`

## Issue new certificate

Standalone mode needs root because it starts a server on port 80.

`# (path to)/acme.sh --issue --standalone -d (url)`

## Issue new certificate with DNS API

> [Official Documentation](https://github.com/acmesh-official/acme.sh/wiki/dnsapi)

### Gandi

`export GANDI_LIVEDNS_KEY="(api key)"`

`(path to)/acme.sh --issue --dns dns_gandi_livedns -d (domain)`

## Install certificate

Make sure to create the `/etc/acme-sh/(url)` directory.

```sh
$ export url=woodpecker.exu.li \
    && mkdir -p "/etc/acme-sh/${url}" \
    && .acme.sh/acme.sh --install-cert -d "${url}" \
        --key-file "/etc/acme-sh/${url}/key.pem" \
        --fullchain-file "/etc/acme-sh/${url}/cert.pem" \
        --reloadcmd "sudo systemctl restart nginx"
```

## Systemd Service & Timer

`/etc/systemd/system/acme-sh.service`

```systemd
[Unit]
Description=Renew certificates using acme.sh
After=network-online.target

[Service]
Type=oneshot
ExecStart=(path to acme.sh) --cron --home (path to acme folder)
User=wiki
SuccessExitStatus=0 2
```

The timer must share the service's name so that it activates `acme-sh.service`.

`/etc/systemd/system/acme-sh.timer`

```systemd
[Unit]
Description=Daily renewal of certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

Enable timer

`systemctl enable --now acme-sh.timer`
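
A check for the directory written in the "Install certificate" step, as an added example that is not part of the original page or of acme.sh. It assumes the `key.pem` / `cert.pem` names used above; `check_cert_dir` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a directory populated by `acme.sh --install-cert`.
# Assumes the key.pem / cert.pem file names used on this page.
check_cert_dir() {
    dir=$1
    rc=0

    # Both files must exist and be non-empty before nginx is restarted.
    for f in key.pem cert.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "FAIL: $dir/$f is missing or empty"
            rc=1
        fi
    done

    # Characters 5-10 of the mode string are the group and other bits.
    # The private key should grant nothing to either (-L follows symlinks).
    if [ -f "$dir/key.pem" ]; then
        bits=$(ls -ldL "$dir/key.pem" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "FAIL: $dir/key.pem is accessible beyond its owner ($bits)"
            rc=1
        fi
    fi

    # A directory writable by group or others lets another account replace
    # the key or certificate that the web server loads.
    if [ -d "$dir" ]; then
        mode=$(ls -ldL "$dir" | cut -c1-10)
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "FAIL: $dir is writable by group or others ($mode)"
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

# Usage: check_cert_dir /etc/acme-sh/woodpecker.exu.li
```

The function returns non-zero on any finding, so it can gate a deployment script or run after each renewal.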