Automatically update SSL certificates using acme.sh script.
See: acme.sh on GitHub
Note: As a precaution do NOT run this script as root but create a (system-)user
which has no access to secure resources.
Using the install script provided by acme.sh directly (the download is piped straight into sh):
wget -O - https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh | sh -s -- --install-online -m my@example.com
Or clone the repository first to inspect what is executed before installing:
git clone https://github.com/acmesh-official/acme.sh
cd acme.sh
./acme.sh --install
An alias acme.sh pointing to /home/sites/.acme.sh/acme.sh is created when installed.
The user under which the script is installed here is sites.
Also, a cron entry is added that renews all the certificates when they expire:
39 0 * * * "/home/sites/.acme.sh"/acme.sh --cron --home "/home/sites/.acme.sh" > /dev/null
Note: The given webroot of the domain must be served by a web server over the http://
protocol in order for ACME to validate the domain ownership.
acme.sh --issue \
--domain www.scanframe.com \
--webroot /home/sites/apps/websrv/www \
--server letsencrypt
Renewal is already done automatically by the created cron job, but it can be forced by adding --force.
acme.sh --renew \
--domain www.scanframe.com \
--webroot /home/sites/apps/websrv/www \
--server letsencrypt
Renewing all certificates is already done automatically by the cron job when they are about to expire.
acme.sh --renew-all
This should be done from a cron job to put the needed certificate files in place.
DOMAIN="www.scanframe.com" \
acme.sh --install-cert \
--domain "${DOMAIN}" \
--cert-file "ssl-cert/${DOMAIN}-cert.pem" \
--key-file "ssl-cert/${DOMAIN}-key.pem" \
--fullchain-file "ssl-cert/${DOMAIN}-letsencrypt.pem"
Creating a password-protected .pfx file of the certificate.
# Create a single PKCS#12 file of all parts, protected with a password.
# SSL_DIR is the directory the --install-cert step above wrote to (ssl-cert).
openssl pkcs12 -export \
-out "${SSL_DIR}/${DOMAIN}.pfx" \
-inkey "${SSL_DIR}/${DOMAIN}-key.pem" \
-in "${SSL_DIR}/${DOMAIN}-cert.pem" \
-certfile "${SSL_DIR}/${DOMAIN}-letsencrypt.pem" \
-password pass:your-password
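The following is an added example script, not part of the original page and not acme.sh's own code, that wraps the --install-cert output and the .pfx step above into two reusable shell functions. It assumes the file names written by --install-cert (DOMAIN-key.pem and the DOMAIN-letsencrypt.pem fullchain in SSL_DIR). Instead of passing the password on the command line with -password pass:... (visible to every local user in the process list), it reads the password from a file that must be mode 600/400, creates the .pfx with a 077 umask because it contains the private key, and adds a helper that reports the days left until the certificate inside the .pfx expires so a cron job can alert when the automatic renewal did not happen.

```shell
#!/bin/sh
# Added example; assumes the file layout produced by "acme.sh --install-cert" above.
set -eu

# make_pfx DOMAIN SSL_DIR PASSWORD_FILE
# Builds ${SSL_DIR}/${DOMAIN}.pfx from the key and the fullchain file.
# The password is read from PASSWORD_FILE (first line), never from the command line.
make_pfx() {
    domain="$1"; ssl_dir="$2"; pw_file="$3"
    key="${ssl_dir}/${domain}-key.pem"
    chain="${ssl_dir}/${domain}-letsencrypt.pem"
    out="${ssl_dir}/${domain}.pfx"

    [ -f "$pw_file" ] || { echo "missing password file: $pw_file" >&2; return 1; }
    # Refuse to continue if the password file is readable by group or others.
    perms=$(stat -c '%a' "$pw_file" 2>/dev/null || stat -f '%Lp' "$pw_file")
    case "$perms" in
        600|400) ;;
        *) echo "password file $pw_file must be mode 600 or 400 (is $perms)" >&2; return 1 ;;
    esac

    # The fullchain file already holds the leaf certificate followed by the
    # intermediates; openssl uses the one matching the key as the main cert and
    # includes the rest, so no separate -certfile is needed.
    # The subshell keeps the restrictive umask local: the .pfx is created 0600.
    (
        umask 077
        openssl pkcs12 -export \
            -out "$out" \
            -inkey "$key" \
            -in "$chain" \
            -passout "file:${pw_file}"
    )
    echo "$out"
}

# pfx_days_left PFX PASSWORD_FILE
# Prints the number of whole days until the certificate inside PFX expires
# (negative when already expired). Useful as a cron check that renewal happened.
pfx_days_left() {
    pfx="$1"; pw_file="$2"
    end=$(openssl pkcs12 -in "$pfx" -passin "file:${pw_file}" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    # GNU date first, BSD/macOS date as fallback.
    end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
                || date -j -u -f '%b %e %T %Y %Z' "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Usage from a cron job (hypothetical paths, matching the --install-cert step above):
#   make_pfx www.scanframe.com /home/sites/ssl-cert /home/sites/.pfx-password
#   pfx_days_left /home/sites/ssl-cert/www.scanframe.com.pfx /home/sites/.pfx-password
```

The days-left check reads the certificate back out of the .pfx rather than the PEM files, so it verifies the artifact that is actually handed to the consuming service (for example a Windows or Java host that needs PKCS#12).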