Issue an SSL/TLS certificate using acme.sh
Since July 2018 (Chrome 68), Chrome marks every site served over plain HTTP as "Not secure", and Google has treated HTTPS as a ranking signal for years. Issuing, installing and renewing an SSL/TLS certificate is actually easy. All you need is a virtual private server (VPS) and a domain name whose DNS record points at that server's IP. In this article, I'm going to show how to acquire a certificate with acme.sh, a pure-shell ACME client.
Acquire the cert
First, install acme.sh and create a symlink with ln so the command is on the PATH of scripts and other shells (the installer itself only adds an alias to your shell profile). When run as root, the installer puts everything under /root/.acme.sh and also adds a daily cron job for renewals. Piping curl into sh executes whatever the server returns, with root privileges; on a server you care about, download the installer first, read it, and then run it.
curl https://get.acme.sh | sh
ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh
Then register an ACME account with your email address. The account is created at whichever CA is currently the default, so if you want a different CA (next step), select it first and register afterwards. ZeroSSL refuses to issue until an address has been registered; Let's Encrypt does not require one. Replace you@example.com with your own address.
acme.sh --register-account -m you@example.com
Next comes the choice of certificate authority. Since acme.sh v3.0 (2021) the default CA is ZeroSSL rather than Let's Encrypt, a change that drew a lot of criticism from users. Both issue free, browser-trusted domain-validated certificates over ACME. The default can be changed as follows; the setting is persisted in the acme.sh configuration and applies to all later --issue runs.
# change to buypass
acme.sh --set-default-ca --server buypass
# change to letsencrypt
acme.sh --set-default-ca --server letsencrypt
Next, issue the certificate. Replace yourdomain.com below with your domain name. In --webroot mode (HTTP-01 validation) the CA fetches a token from http://yourdomain.com/.well-known/acme-challenge/ on port 80, so your web server must already serve that domain from the directory you pass, and port 80 must be reachable from the internet. -k ec-256 requests an ECDSA P-256 key instead of RSA; note that every later acme.sh command for this certificate then needs --ecc.
acme.sh --issue -d yourdomain.com -k ec-256 --webroot /var/www/html
# no web server yet? let acme.sh listen itself (standalone mode). The CA still connects
# to port 80; --httpport only changes the local port when port 80 is forwarded to it
acme.sh --issue -d yourdomain.com -k ec-256 --standalone --httpport 14514
Finally, install the certificate into the directory your web server reads from; replace file_dir below with that directory. Do not point nginx at the files under /root/.acme.sh directly: that layout is internal to acme.sh and may change, whereas --install-cert copies the files to a stable location and records the paths and the reload command, so both are re-applied on every renewal. --ecc is required because the key was generated with -k ec-256. Once installed, make sure server.key is readable by root only.
acme.sh --install-cert -d yourdomain.com --ecc \
--key-file file_dir/server.key \
--fullchain-file file_dir/server.crt \
--reloadcmd "systemctl force-reload nginx"
Renew the cert
The installer added a daily cron job that runs acme.sh --cron. That command renews every certificate that is at least 60 days old (Let's Encrypt certificates are valid for 90 days), copies the new files to the paths given to --install-cert and reruns the stored --reloadcmd. To run the same check by hand:
acme.sh --cron
To see your certificates with their creation and next-renewal dates, run acme.sh --list; to renew one before it is due, run acme.sh --renew -d yourdomain.com --ecc --force.
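As an added example (not from the original article and not part of acme.sh), here is the procedure above wrapped in one script together with the checks worth running around it: a preflight that proves the CA will be able to fetch from the webroot before an issuance attempt is spent, a guard that pairs each validation mode with the only port flag it accepts, the --ecc flag derived from the key type, root-only permissions on the private key, and a final look at the certificate nginx actually serves. The domain, webroot, key type and target directory are command-line arguments; that nginx is the web server and that curl and openssl exist on the server are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not acme.sh's own code: HTTP-01 issuance with acme.sh plus the
# checks around it. Assumes acme.sh is installed (see above), nginx already serves
# the domain from WEBROOT on port 80, and curl and openssl exist on the server.
set -eu

# Where HTTP-01 tokens go on disk, and the URL the CA fetches them from (always port 80).
challenge_dir() { printf '%s/.well-known/acme-challenge' "$1"; }
challenge_url() { printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"; }

# Each acme.sh validation mode accepts exactly one kind of port flag:
#   webroot    - the web server answers on :80, so no port flag is valid at all
#   standalone - acme.sh listens itself; --httpport only when :80 is forwarded to it
#   alpn       - TLS-ALPN-01 on :443; --tlsport only when :443 is forwarded to it
# Prints the flag (or nothing) and fails on an invalid combination.
port_flag_for() {
  mode=$1 port=${2:-}
  case "$mode" in
    webroot)    [ -z "$port" ] ;;
    standalone) [ -z "$port" ] || printf '%s %s' --httpport "$port" ;;
    alpn)       [ -z "$port" ] || printf '%s %s' --tlsport "$port" ;;
    *)          return 1 ;;
  esac
}

# ECC keys (-k ec-256 / ec-384) are stored separately by acme.sh, so every later
# command for that certificate needs --ecc; RSA key sizes need no extra flag.
install_flag_for_key() {
  case "$1" in
    ec-*)           printf '%s' --ecc ;;
    2048|3072|4096) ;;
    *)              return 1 ;;
  esac
}

# Prove the CA will be able to fetch from the webroot before spending an issuance
# attempt (failed validations count against the CA's rate limits): write a random
# token, fetch it back over plain HTTP the way the CA would, then remove it.
preflight_webroot() {
  domain=$1 webroot=$2
  dir=$(challenge_dir "$webroot")
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$dir"
  printf '%s' "$token" > "$dir/$token"
  got=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" || true)
  rm -f "$dir/$token"
  [ "$got" = "$token" ]
}

# Issue, install with root-only key permissions, then inspect what nginx serves.
issue_and_install() {
  domain=$1 webroot=$2 keytype=$3 certdir=$4
  eccflag=$(install_flag_for_key "$keytype")   # aborts here on an unknown key type
  preflight_webroot "$domain" "$webroot" || {
    echo "$(challenge_url "$domain" TOKEN) is not served from $webroot; fix nginx first" >&2
    return 1
  }
  acme.sh --issue -d "$domain" -k "$keytype" --webroot "$webroot"
  install -d -m 0700 "$certdir"
  acme.sh --install-cert -d "$domain" $eccflag \
    --key-file "$certdir/server.key" \
    --fullchain-file "$certdir/server.crt" \
    --reloadcmd "systemctl force-reload nginx"
  chmod 0600 "$certdir/server.key"
  # Check the live listener, not just the files on disk: a failed reload leaves the
  # old certificate in service even though the new one is installed.
  openssl s_client -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -enddate
}

# Usage (as root): ./acme-http01.sh yourdomain.com /var/www/html ec-256 /etc/nginx/ssl
if [ "$#" -eq 4 ]; then
  issue_and_install "$@"
fi
```

The preflight is the step most people skip: if the token cannot be fetched by you, it cannot be fetched by the CA either, and finding that out from a failed --issue costs a validation attempt against the CA's rate limits. The port-flag guard encodes the point that neither --httpport nor --tlsport changes which port the CA connects to; they only exist for hosts sitting behind a forwarder.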
Once the certificate is installed, traffic to this hostname is protected by TLS. The certificate covers only the names given with -d (you can repeat -d to put several names on one certificate), so it does nothing for other subdomains. In the future, I will explain how to obtain a wildcard certificate to secure all subdomains (hosts) under the same base domain; that requires DNS-01 validation rather than the HTTP-01 used here.
Update: The article about how to issue a wildcard cert has been uploaded here.