
How to Issue and Auto-Renew a Let’s Encrypt Wildcard SSL Certificate with Acme.sh
December 18, 2019

Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that provides X.509 certificates for Transport Layer Security (TLS) at no charge. Each certificate is valid for 90 days, and it can be renewed at any time during that period. The service is accompanied by an automated protocol designed to replace the manual creation, validation, signing, installation, and renewal of certificates for secure websites.

In this article we will see how to issue and auto-renew a wildcard SSL certificate with acme.sh and the Cloudflare DNS API.

Step 1 - Install Acme.sh

wget -O - https://get.acme.sh | sh

Step 2 - Issue a Wildcard SSL Certificate with Cloudflare DNS API

Export your Cloudflare API key and account email (available in your Cloudflare dashboard under My Profile > API Tokens) as environment variables, then issue the certificate:

export CF_Key="your cloudflare api key"   # API key from the Cloudflare dashboard
export CF_Email="your cloudflare email"   # email of the Cloudflare account
# quote the wildcard so the shell does not expand it as a file glob
acme.sh --issue -d jackiesung.com -d '*.jackiesung.com' --dns dns_cf

If you want an ECDSA certificate with a 384-bit key instead of the default RSA key, add -k ec-384:

acme.sh --issue -d jackiesung.com -d '*.jackiesung.com' --dns dns_cf -k ec-384

You won't have to add DNS records by hand or run another command to issue your certificate. Acme.sh will automatically add the TXT records needed for the DNS-01 acme-challenge, then wait 120 seconds before starting the validation. If everything is okay, acme.sh will issue your wildcard certificate and clean up the validation DNS records.

You should see output like this:

[email protected]: ~# acme.sh --issue -d jackiesung.com -d *.jackiesung.com --dns dns_cf -k ec-384
[jackiesung 2019, 14:58:08 (UTC+0100)] Multi domain='DNS:jackiesung.com,DNS:*.jackiesung.com'
[jackiesung 2019, 14:58:08 (UTC+0100)] Getting domain auth token for each domain
[jackiesung 2019, 14:58:10 (UTC+0100)] Getting webroot for domain='jackiesung.com'
[jackiesung 2019, 14:58:10 (UTC+0100)] Getting webroot for domain='*.jackiesung.com'
[jackiesung 2019, 14:58:10 (UTC+0100)] Found domain api file: /root/.acme.sh/dnsapi/dns_cf.sh
[jackiesung 2019, 14:58:12 (UTC+0100)] Adding record
[jackiesung 2019, 14:58:12 (UTC+0100)] Added, OK
[jackiesung 2019, 14:58:12 (UTC+0100)] Sleep 120 seconds for the txt records to take effect
[jackiesung 2019, 15:00:14 (UTC+0100)] jackiesung.com is already verified, skip dns-01.
[jackiesung 2019, 15:00:14 (UTC+0100)] Verifying:*.jackiesung.com
[jackiesung 2019, 15:00:17 (UTC+0100)] Pending
[jackiesung 2019, 15:00:19 (UTC+0100)] Success
[jackiesung 2019, 15:00:19 (UTC+0100)] Removing DNS records.
[jackiesung 2019, 15:00:20 (UTC+0100)] Verify finished, start to sign.
[jackiesung 2019, 15:00:22 (UTC+0100)] Cert success.
[jackiesung 2019, 15:00:22 (UTC+0100)] Your cert is in  /root/.acme.sh/jackiesung.com_ecc/jackiesung.com.cer
[jackiesung 2019, 15:00:22 (UTC+0100)] Your cert key is in  /root/.acme.sh/jackiesung.com_ecc/jackiesung.com.key
[jackiesung 2019, 15:00:22 (UTC+0100)] The intermediate CA cert is in  /root/.acme.sh/jackiesung.com_ecc/ca.cer
[jackiesung 2019, 15:00:22 (UTC+0100)] And the full chain certs is there:  /root/.acme.sh/jackiesung.com_ecc/fullchain.cer

The last step is to reference the wildcard certificate and its key from your nginx configuration. The paths below are where this site keeps its installed copies; adjust them to wherever you install the files acme.sh reported above:

ssl_certificate /etc/letsencrypt/jackiesung.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/jackiesung.com/key.pem;
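Two things the article leaves implicit, shown as an added example (not code from the article or from acme.sh): how to install the certificate where nginx reads it so that acme.sh's automatic renewals are copied into place and nginx is reloaded, and which hostnames a wildcard name actually covers (why both -d arguments are needed). It assumes nginx loads its files from /etc/nginx/ssl/<domain>/ and is reloaded with "systemctl reload nginx"; ACME_DRY_RUN is a switch of this script only.

```shell
# Added example, not code from the original article or from acme.sh.
# Assumptions: nginx reads /etc/nginx/ssl/<domain>/{fullchain,key}.pem and is
# reloaded with "systemctl reload nginx"; ACME_DRY_RUN=1 is a switch of this
# script only and prints the acme.sh command instead of running it.

# acme.sh keeps ECC certificates under ~/.acme.sh/<domain>_ecc and needs --ecc
# to refer to them. --install-cert copies the files to the paths nginx uses and
# records --reloadcmd, which acme.sh runs again after every successful renewal,
# so renewals reach nginx without manual intervention.
install_wildcard_cert() {
    domain=$1
    target=/etc/nginx/ssl/$domain
    set -- acme.sh --install-cert -d "$domain" --ecc \
        --key-file "$target/key.pem" \
        --fullchain-file "$target/fullchain.pem" \
        --reloadcmd "systemctl reload nginx"
    if [ "${ACME_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        mkdir -p "$target" && "$@"
    fi
}

# Does one certificate name (exact or single-label wildcard) cover a host?
# A wildcard stands for exactly one label: *.example.com covers www.example.com
# but neither example.com nor a.b.example.com, which is why the article issues
# the certificate with both -d example.com and -d '*.example.com'.
name_covers() {
    pattern=$1 host=$2
    case $pattern in
        '*.'*)
            label=${host%%.*}   # first label of the host
            rest=${host#*.}     # everything after the first dot
            [ -n "$label" ] && [ "$rest" != "$host" ] \
                && [ "$rest" = "${pattern#\*.}" ] && return 0
            return 1 ;;
        *)
            [ "$pattern" = "$host" ] && return 0
            return 1 ;;
    esac
}

# Does any name in the certificate's SAN list cover the host?
san_covers() {
    host=$1; shift
    for name in "$@"; do
        name_covers "$name" "$host" && return 0
    done
    return 1
}
```

Run install_wildcard_cert once after the first --issue; from then on the cron job the acme.sh installer registers renews the certificate and the recorded reloadcmd puts it into service.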


By Jackie Sung

Jackie Sung, also known by his nickname KK, always strives for the best and learns from the best. Working and living as a Freelance Web Engineer / Web Developer & Designer / Amateur YouTuber / Husky Lover.
