---
title: ACME.SH
visible: true
---

[toc]

## Getting ACME.SH

```sh
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m my@example.com
```

## First time ZeroSSL registration

```sh
.acme.sh/acme.sh --register-account -m (email)
```

## Issue new certificate

Standalone mode needs root to start a server on port 80.

```sh
.acme.sh/acme.sh --issue --standalone -d (url)
```

## Issue new certificate with DNS API

> [Official Documentation](https://github.com/acmesh-official/acme.sh/wiki/dnsapi)

### Gandi

```sh
export GANDI_LIVEDNS_KEY="(api key)"
```

```sh
.acme.sh/acme.sh --issue --dns dns_gandi_livedns -d (domain)
```

## Install certificate

Make sure the `/etc/acme-sh/(url)` directory exists (the command below creates it).

```sh
# Replace {URL} with the domain the certificate was issued for.
export url={URL} \
&& mkdir -p "/etc/acme-sh/${url}" \
&& .acme.sh/acme.sh --install-cert -d "$url" \
--key-file "/etc/acme-sh/${url}/key.pem" \
--fullchain-file "/etc/acme-sh/${url}/cert.pem" \
--reloadcmd "sudo systemctl restart nginx"
```

## Systemd Service & Timer

`/etc/systemd/system/acme-sh.service`

```systemd
[Unit]
Description=Renew certificates using acme.sh
After=network-online.target

[Service]
Type=oneshot
ExecStart=(path to acme.sh) --cron --home (path to acme folder)
User=wiki
SuccessExitStatus=0 2
```

`/etc/systemd/system/acme-sh.timer`

```systemd
[Unit]
Description=Daily renewal of certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
```

Enable timer

```sh
systemctl enable --now acme-sh.timer
```
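
Once `--install-cert` has written the files, the following checks that the installed key is private, matches the certificate, and is not about to expire. This is an added example, not part of the original page or of acme.sh; it assumes the `/etc/acme-sh/(url)/key.pem` and `cert.pem` layout used above and an `openssl` binary on the PATH, and the function names and the 7-day default are illustrative choices.

```sh
#!/bin/sh
# Added example: post-install checks for a directory written by --install-cert.
# Assumed layout (from this page): <dir>/key.pem and <dir>/cert.pem (full chain).

# key_is_private FILE: succeeds only if group and others have no permission bits.
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# key_matches_cert KEY CERT: compare the public key derived from each file.
# For a full-chain file, openssl x509 reads the first (leaf) certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for CERT DAYS: succeeds if the leaf is still valid DAYS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_cert_dir DIR [DAYS]: run all checks, print one line per failure,
# and return the number of failed checks (0 means everything passed).
check_cert_dir() {
    dir=$1 days=${2:-7} fails=0
    key_is_private "$dir/key.pem" || {
        echo "FAIL: $dir/key.pem missing or accessible by group/others"
        fails=$((fails + 1)); }
    key_matches_cert "$dir/key.pem" "$dir/cert.pem" || {
        echo "FAIL: $dir/key.pem does not match $dir/cert.pem"
        fails=$((fails + 1)); }
    cert_valid_for "$dir/cert.pem" "$days" || {
        echo "FAIL: $dir/cert.pem expires within $days days (renewal not running?)"
        fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh check-cert.sh /etc/acme-sh/(url) [days]
if [ "$#" -gt 0 ]; then
    check_cert_dir "$@"
    exit $?
fi
```

A non-zero exit status is the number of failed checks, so the script can be run from monitoring after the renewal timer fires.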