wiki-grav/pages/02.linux/acme-sh/default.en.md

125 lines
1.8 KiB
Markdown

---
title: ACME.SH
visible: true
---
[toc]
## Getting ACME.SH
[shuser]
```sh
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m [EMAIL]
```
[/shuser]
## First time ZeroSSL registration
[shuser]
```sh
.acme.sh/acme.sh --register-account -m [EMAIL]
```
[/shuser]
## Issue new certificate
Needs root to start a server on port 80
[shroot]
```sh
.acme.sh/acme.sh --issue --standalone -d [DOMAIN]
```
[/shroot]
## Issue new certificate with DNS API
> [Official Documentation](https://github.com/acmesh-official/acme.sh/wiki/dnsapi)
### Gandi
Create a personal access token with permissions to "Manage domain name technical configurations"
[shuser]
```sh
export GANDI_LIVEDNS_TOKEN="[Personal Access Token]"
```
[/shuser]
**Warning: `export GANDI_LIVEDNS_KEY="[API KEY]"` is deprecated**
[shuser]
```sh
.acme.sh/acme.sh --issue --dns dns_gandi_livedns -d [DOMAIN]
```
[/shuser]
## Install certificate
Make sure to create the `/etc/acme-sh/(url)` directory
[shuser]
```sh
export url=[URL] \
&& mkdir -p /etc/acme-sh/{$url} \
&& .acme.sh/acme.sh --install-cert -d $url \
--key-file /etc/acme-sh/{$url}/key.pem \
--fullchain-file /etc/acme-sh/{$url}/cert.pem \
--reloadcmd "sudo systemctl restart nginx"
```
[/shuser]
## Systems Service & Timer
`/etc/systemd/system/acme-sh.service`
```systemd
[Unit]
Description=Renew certificates using acme.sh
After=network-online.target
[Service]
Type=oneshot
ExecStart=(path to acme.sh) --cron --home (path to acme folder)
User=wiki
SuccessExitStatus=0 2
```
`/etc/systemd/system/acme-sh.timer`
```systemd
[Unit]
Description=Daily renewal of certificates
[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true
[Install]
WantedBy=timers.target
```
Enable timer
[shroot]
```sh
systemctl enable --now acme-sh.timer
```
[/shroot]