Since July 1, 2018, Chrome has marked all sites that do not use SSL certificates as "not secure", while sites with SSL certificates receive a ranking boost. In fact, it is easy to issue, install, and renew an SSL/TLS certificate. All you need is a virtual private server (VPS) and a domain name pointing to the server's IP. In this article, I'm going to show how to acquire an SSL cert using acme.sh.

Acquire the cert

First, we need to install acme.sh and create a symlink using ln.

curl https://get.acme.sh | sh
ln -s  /root/.acme.sh/acme.sh /usr/local/bin/acme.sh

Then, register an account using your email.

acme.sh --register-account -m you@example.com

Next comes the choice of cert authority. The default cert authority changed from Let's Encrypt to ZeroSSL after the acquisition of acme.sh, which has been criticized by many. The cert authority can be changed as follows.

# change to buypass
acme.sh --set-default-ca --server buypass
# change to letsencrypt
acme.sh --set-default-ca --server letsencrypt

Next, let's issue the SSL cert. Replace yourdomain.com in the following commands with your domain name.

acme.sh  --issue -d yourdomain.com -k ec-256 --webroot /var/www/html
# specify a port
acme.sh  --issue -d yourdomain.com -k ec-256 --webroot /var/www/html --tlsport 14514

Finally, install the cert into the specified dir as follows. Replace file_dir in the following command with your chosen dir.

acme.sh --install-cert -d yourdomain.com --ecc \
--key-file       file_dir/server.key \
--fullchain-file file_dir/server.crt \
--reloadcmd      "systemctl force-reload nginx"

Renew the cert

acme.sh renews the cert automatically every 60 days. If you want to renew it manually or check the expiry date of your cert, run the following.

acme.sh --cron
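
To check the installed files independently of acme.sh, the script below (an added example, not part of the original article) uses openssl to confirm that server.crt has enough validity left, that server.key belongs to it, and that the key is not readable by group or other. The function names and the self-signed sample cert are assumptions made for the example; the file names follow the --install-cert command above.

```shell
#!/bin/sh
# Added example, not from the article: checks on the files written by
# `acme.sh --install-cert`. The sample cert and key below are constructed.

# Succeeds if CERT is still valid DAYS days from now.
cert_valid_for_days() {   # usage: cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if KEY is the private key for the public key inside CERT.
key_matches_cert() {      # usage: key_matches_cert KEY CERT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the key file grants no permissions to group or other.
key_is_private() {        # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: a self-signed P-256 cert with a 90-day lifetime,
# standing in for file_dir/server.key and file_dir/server.crt.
make_sample() {           # usage: make_sample DIR
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/server.key" &&
    chmod 600 "$1/server.key" &&
    openssl req -x509 -new -key "$1/server.key" -subj "/CN=yourdomain.com" \
        -days 90 -out "$1/server.crt" 2>/dev/null
}

# Runs all three checks on DIR; prints one line per failure and
# returns the number of failed checks (0 means everything passed).
check_install() {         # usage: check_install DIR MIN_DAYS
    fails=0
    cert_valid_for_days "$1/server.crt" "$2" || { echo "cert expires within $2 days"; fails=$((fails + 1)); }
    key_matches_cert "$1/server.key" "$1/server.crt" || { echo "key does not match cert"; fails=$((fails + 1)); }
    key_is_private "$1/server.key" || { echo "key readable by group/other"; fails=$((fails + 1)); }
    return "$fails"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir" && check_install "$demo_dir" 30 && echo "all checks passed"
rm -rf "$demo_dir"
```

On a real server, call check_install with your file_dir instead of the sample directory, for example from a cron job that alerts when it returns non-zero.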


With HTTPS, communication with this domain name is secured. However, the cert can only be used for a single subdomain. In the future, I will explain how to obtain a wildcard SSL certificate to secure multiple subdomain names (hosts) under the same base domain.

Update: The article about how to issue a wildcard cert has been uploaded here.
