Using acme.sh to generate SSL certificates

Although the standard Let's Encrypt client, certbot, is very easy to use and runs well on a web server, sometimes you want to generate certificates on an old server or a VM that is not running a web server at all. This script runs well on an old Ubuntu 10.04 VM I have at home.

First get the script –

git clone https://github.com/acmesh-official/acme.sh.git

You might be best installing it on your own machine using git, then copying it over to the machine that needs to generate the SSL certificates (an old box may not have a usable git). acme.sh is a single shell script, so copying just that file is enough.

Now move it to a sensible place

cd acme.sh/

mv acme.sh /usr/local/bin

Install the programs it needs: socat, which acme.sh uses for the --standalone listener below, and curl or wget, which it uses to talk to the certificate authority (usually already present)

apt-get install socat

This needs to be done on the machine that will run the acme script, so obviously that command only works on Debian/Ubuntu! Other distributions install socat their own way.

Also create a directory for the acme certificates to go. I suggest –

mkdir /etc/acme

To create the first certificates, stop your web server (if one is running), because --standalone needs port 80 to itself. E.g.

/etc/init.d/apache2 stop

Now run acme.sh for the first time.

acme.sh --issue --standalone --home /etc/acme -d HOSTNAME.org.uk

or if there are multiple names that should go on the one certificate –

acme.sh --issue --standalone --home /etc/acme -d HOSTNAME.org.uk -d www.HOSTNAME.org.uk

or even

acme.sh --issue --standalone --home /etc/acme -d HOSTNAME -d mail.HOSTNAME -d otherservice.HOSTNAME

The --issue asks for a certificate covering those names (the first -d is the primary name and is used for the directory name below). --standalone starts a simple web server on port 80 to answer the ACME HTTP-01 challenge, which is why socat is needed and why the real web server has to be stopped first. --home tells acme.sh to keep its account, configuration and certificates under /etc/acme. One caveat for recent acme.sh releases: the default CA is now ZeroSSL rather than Let's Encrypt, so add --server letsencrypt if you want Let's Encrypt.

NOTE: see the end about using the --staging parameter.

It will create a bunch of directories under /etc/acme. For the primary hostname you get

The SSLCertificateFile

/etc/acme/hostname/hostname.cer

The SSLCertificateKeyFile

/etc/acme/hostname/hostname.key

and the SSLCertificateChainFile

/etc/acme/hostname/fullchain.cer

Two caveats. fullchain.cer is your certificate followed by the intermediate CA certificates; the intermediates on their own are in ca.cer in the same directory, which is what SSLCertificateChainFile strictly expects (Apache 2.4.8 and later can instead take fullchain.cer as the SSLCertificateFile and drop SSLCertificateChainFile altogether). And newer acme.sh releases issue ECC certificates by default, in which case the directory is /etc/acme/hostname_ecc rather than /etc/acme/hostname; pass --keylength 2048 to --issue if you want an RSA certificate in the plain directory.

Now start the web server again, e.g. –

/etc/init.d/apache2 start

You will want to run this from cron once a week or so

/usr/local/bin/acme.sh --home /etc/acme --cron

You can run it now to test it without causing any problems: --cron only renews certificates that are due (60 days after issue by default), otherwise it just reports the next renewal time. Remember that the web server keeps using the old certificate until it is reloaded, so either add a reload after the cron job or, better, use acme.sh --install-cert with --cert-file, --key-file, --fullchain-file and --reloadcmd to copy the files somewhere stable and record a reload command that --cron runs after each renewal (acme.sh itself advises against pointing the web server straight at the files under its home directory).

Something you might like to use the first time (OK a bit late now!) is the --staging parameter when you create your domain certificate. This uses Let's Encrypt's staging environment, which has much looser rate limits, and allows you to try the procedure out without issue. If you issue certificates for the same names too many times, LE will rate-limit you for a while. If you are just testing, USE THIS! Staging certificates are signed by a test CA that browsers do not trust, so once everything works, issue again without --staging (add --force if acme.sh says the domains are unchanged and skips the request).
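The whole procedure above, wrapped in POSIX sh functions so each step can be checked before it touches a live box. This is an added example, not code from the original post or from the acme.sh project. The variable names (ACME_HOME, ACME_BIN, STAGING, ACME_SERVER, KEYLENGTH, INSTALL_DIR, RELOAD_CMD), the /etc/ssl/acme target directory and the init-script reload command are this example's own assumptions; the acme.sh options it passes (--issue, --standalone, --home, --staging, --server, --keylength, --install-cert, --ecc, --cert-file, --key-file, --fullchain-file, --ca-file, --reloadcmd, --cron) are the real ones.

```shell
#!/bin/sh
# Added example (not the original post's or acme.sh's own code): the issue /
# install / renew procedure as checkable functions. Everything marked "assumed"
# is this example's choice, not something the post specifies.
set -u

ACME_HOME="${ACME_HOME:-/etc/acme}"                      # --home used in the post
ACME_BIN="${ACME_BIN:-/usr/local/bin/acme.sh}"            # where the post copies the script
INSTALL_DIR="${INSTALL_DIR:-/etc/ssl/acme}"               # assumed: stable copies for the web server
RELOAD_CMD="${RELOAD_CMD:-/etc/init.d/apache2 reload}"    # assumed: init-script style box

# Before --standalone: acme.sh needs curl or wget to talk to the CA and socat to
# answer the HTTP-01 challenge on port 80, which must be free (stop apache first).
standalone_preflight() {
  command -v curl >/dev/null 2>&1 || command -v wget >/dev/null 2>&1 \
    || { echo "acme.sh needs curl or wget" >&2; return 1; }
  command -v socat >/dev/null 2>&1 || { echo "install socat for --standalone" >&2; return 1; }
  [ -x "$ACME_BIN" ] || { echo "$ACME_BIN is not executable" >&2; return 1; }
}

# First --issue run: one -d per hostname, the first name is the primary.
# STAGING=1 adds --staging (use it while experimenting; LE rate-limits repeats).
# ACME_SERVER, if set, adds --server: needed on newer acme.sh releases, whose
# default CA is ZeroSSL, to get Let's Encrypt (ACME_SERVER=letsencrypt).
# KEYLENGTH, if set, adds --keylength so acme_cert_dir below stays accurate.
acme_issue() {
  [ $# -gt 0 ] || { echo "usage: acme_issue HOST [HOST...]" >&2; return 1; }
  n=$#
  for host; do set -- "$@" -d "$host"; done   # append "-d host" for every name
  shift "$n"                                  # drop the bare names, keep the -d pairs
  if [ "${STAGING:-0}" = "1" ]; then set -- --staging "$@"; fi
  if [ -n "${ACME_SERVER:-}" ]; then set -- --server "$ACME_SERVER" "$@"; fi
  if [ -n "${KEYLENGTH:-}" ]; then set -- --keylength "$KEYLENGTH" "$@"; fi
  "$ACME_BIN" --issue --standalone --home "$ACME_HOME" "$@"
}

# Directory acme.sh writes the files into. Newer releases default to an ECC key
# (ec-256) and append _ecc; an RSA key (e.g. KEYLENGTH=2048) gives the bare
# hostname directory shown in the post.
acme_cert_dir() {
  case "${KEYLENGTH:-ec-256}" in
    ec-*) printf '%s/%s_ecc\n' "$ACME_HOME" "$1" ;;
    *)    printf '%s/%s\n'     "$ACME_HOME" "$1" ;;
  esac
}

# After --issue: do the files belong together, cover the name, and come from
# the real CA? Needs openssl. Returns 2 for a staging certificate.
verify_cert_dir() {
  dir=$1; host=$2
  for f in "$host.cer" "$host.key" fullchain.cer ca.cer; do
    [ -s "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
  done
  cert_pub=$(openssl x509 -noout -pubkey -in "$dir/$host.cer")
  case "${KEYLENGTH:-ec-256}" in
    ec-*) key_pub=$(openssl ec -pubout -in "$dir/$host.key" 2>/dev/null) ;;
    *)    key_pub=$(openssl rsa -pubout -in "$dir/$host.key" 2>/dev/null) ;;
  esac
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
  text=$(openssl x509 -noout -text -in "$dir/$host.cer")
  printf '%s\n' "$text" | grep -qE "DNS:$host"'(,|$)' \
    || { echo "$host missing from subjectAltName" >&2; return 1; }
  if printf '%s\n' "$text" | grep -qiE 'staging|fake'; then
    echo "WARNING: $dir/$host.cer comes from a staging CA; browsers will not trust it" >&2
    return 2
  fi
  openssl x509 -noout -checkend 2592000 -in "$dir/$host.cer" >/dev/null  # <30 days left = overdue
}

# Copy the files to INSTALL_DIR and record the reload command, so every later
# --cron renewal reloads the web server itself. ECC certs must be addressed with --ecc.
acme_install() {
  host=$1
  set -- --install-cert --home "$ACME_HOME" -d "$host"
  case "${KEYLENGTH:-ec-256}" in ec-*) set -- "$@" --ecc ;; esac
  "$ACME_BIN" "$@" \
    --cert-file "$INSTALL_DIR/$host.cer" \
    --key-file "$INSTALL_DIR/$host.key" \
    --fullchain-file "$INSTALL_DIR/$host.fullchain.cer" \
    --ca-file "$INSTALL_DIR/$host.ca.cer" \
    --reloadcmd "$RELOAD_CMD"
}

# Apache directives for the installed copies. Apache 2.4.8+ takes the full chain
# in SSLCertificateFile; older releases (Ubuntu 10.04 has 2.2) need the
# intermediates alone, i.e. ca.cer, in SSLCertificateChainFile.
apache_directives() {
  if [ "${APACHE_24:-0}" = "1" ]; then
    printf 'SSLCertificateFile %s/%s.fullchain.cer\nSSLCertificateKeyFile %s/%s.key\n' \
      "$INSTALL_DIR" "$1" "$INSTALL_DIR" "$1"
  else
    printf 'SSLCertificateFile %s/%s.cer\nSSLCertificateKeyFile %s/%s.key\nSSLCertificateChainFile %s/%s.ca.cer\n' \
      "$INSTALL_DIR" "$1" "$INSTALL_DIR" "$1" "$INSTALL_DIR" "$1"
  fi
}

# Weekly job: --cron only renews what is due, so it is safe to run at any time.
acme_cron() { "$ACME_BIN" --home "$ACME_HOME" --cron; }

# Full first run, only when invoked as: sh acme-setup.sh --run HOST [HOST...]
if [ "${1:-}" = "--run" ]; then
  shift
  standalone_preflight
  /etc/init.d/apache2 stop            # port 80 must be free for --standalone
  acme_issue "$@"
  verify_cert_dir "$(acme_cert_dir "$1")" "$1"
  mkdir -p "$INSTALL_DIR" && chmod 700 "$INSTALL_DIR"
  acme_install "$1"
  /etc/init.d/apache2 start
  apache_directives "$1"
fi
```

Setting ACME_BIN=echo turns every function into a dry run that prints the exact acme.sh command line, which is a cheap way to confirm the --staging, --server and --ecc handling before anything is sent to the CA.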