125 lines
1.8 KiB
Markdown
125 lines
1.8 KiB
Markdown
---
|
|
title: ACME.SH
|
|
visible: true
|
|
---
|
|
|
|
[toc]
|
|
|
|
## Getting ACME.SH
|
|
|
|
[shuser]
|
|
|
|
```sh
|
|
git clone https://github.com/acmesh-official/acme.sh.git
|
|
cd ./acme.sh
|
|
./acme.sh --install -m [EMAIL]
|
|
```
|
|
|
|
[/shuser]
|
|
|
|
## First time ZeroSSL registration
|
|
|
|
[shuser]
|
|
|
|
```sh
|
|
.acme.sh/acme.sh --register-account -m [EMAIL]
|
|
```
|
|
|
|
[/shuser]
|
|
|
|
## Issue new certificate
|
|
|
|
Needs root to start a server on port 80
|
|
|
|
[shroot]
|
|
|
|
```sh
|
|
.acme.sh/acme.sh --issue --standalone -d [DOMAIN]
|
|
```
|
|
|
|
[/shroot]
|
|
|
|
## Issue new certificate with DNS API
|
|
|
|
> [Official Documentation](https://github.com/acmesh-official/acme.sh/wiki/dnsapi)
|
|
|
|
### Gandi
|
|
|
|
Create a personal access token with permissions to "Manage domain name technical configurations"
|
|
|
|
[shuser]
|
|
|
|
```sh
|
|
export GANDI_LIVEDNS_TOKEN="[Personal Access Token]"
|
|
```
|
|
|
|
[/shuser]
|
|
|
|
**Warning: `export GANDI_LIVEDNS_KEY="[API KEY]"` is deprecated**
|
|
|
|
[shuser]
|
|
|
|
```sh
|
|
.acme.sh/acme.sh --issue --dns dns_gandi_livedns -d [DOMAIN]
|
|
```
|
|
|
|
[/shuser]
|
|
|
|
## Install certificate
|
|
|
|
Make sure to create the `/etc/acme-sh/(url)` directory
|
|
|
|
[shuser]
|
|
|
|
```sh
|
|
export url=[URL] \
|
|
&& mkdir -p /etc/acme-sh/{$url} \
|
|
&& .acme.sh/acme.sh --install-cert -d $url \
|
|
--key-file /etc/acme-sh/{$url}/key.pem \
|
|
--fullchain-file /etc/acme-sh/{$url}/cert.pem \
|
|
--reloadcmd "sudo systemctl restart nginx"
|
|
```
|
|
|
|
[/shuser]
|
|
|
|
## Systems Service & Timer
|
|
|
|
`/etc/systemd/system/acme-sh.service`
|
|
|
|
```systemd
|
|
[Unit]
|
|
Description=Renew certificates using acme.sh
|
|
After=network-online.target
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=(path to acme.sh) --cron --home (path to acme folder)
|
|
User=wiki
|
|
|
|
SuccessExitStatus=0 2
|
|
```
|
|
|
|
`/etc/systemd/system/acme-sh.timer`
|
|
|
|
```systemd
|
|
[Unit]
|
|
Description=Daily renewal of certificates
|
|
|
|
[Timer]
|
|
OnCalendar=daily
|
|
RandomizedDelaySec=1h
|
|
Persistent=true
|
|
|
|
[Install]
|
|
WantedBy=timers.target
|
|
```
|
|
|
|
Enable timer
|
|
[shroot]
|
|
|
|
```sh
|
|
systemctl enable --now acme-sh.timer
|
|
```
|
|
|
|
[/shroot]
|