Wildcard Certificates with acme.sh: Difference between revisions
Jump to navigation
Jump to search
Line 28: | Line 28: | ||
== Install the certs for nginx == | == Install the certs for nginx == | ||
The following command will install the certs for nginx, assuming there is a <code>/etc/nginx/certs/</code> directory. Should be set and forget. | |||
acme.sh --install-cert -d lurk.org -d *.lurk.org --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx" | acme.sh --install-cert -d lurk.org -d *.lurk.org --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx" | ||
Revision as of 22:55, 12 October 2024
acme.sh
is a lightweight shell script based tool to handle Let's Encrypt certificates, etc.
Install the bash script
wget https://get.acme.sh
As root:
sh acme.sh
This will install the script to /root/.acme
and add it to path by sourcing a script from root's .bashrc
Request a wildcard cert for lurk.org
We use wildcard certificates with DNS authentification, and we use the DNS server of our registrar, porkbun. It's not great (terrible UI for DNS editing), but it's cheap. Porkbun DNS support was added in recent versions of acme.sh
. To make it work, we first need to find our Porkbun API keys and use them to set the following environment variables in root's .bashrc
:
export PORKBUN_API_KEY="..." export PORKBUN_SECRET_API_KEY="..."
When ready and reloaded:
acme.sh --issue --dns dns_porkbun -d lurk.org -d *.lurk.org
result:
- cert is in:
/root/.acme.sh/lurk.org_ecc/lurk.org.cer
- cert key is in:
/root/.acme.sh/lurk.org_ecc/lurk.org.key
- intermediate CA cert is in:
/root/.acme.sh/lurk.org_ecc/ca.cer
- full-chain cert is in:
/root/.acme.sh/lurk.org_ecc/fullchain.cer
Install the certs for nginx
The following command will install the certs for nginx, assuming there is a /etc/nginx/certs/
directory. Should be set and forget.
acme.sh --install-cert -d lurk.org -d *.lurk.org --key-file /etc/nginx/certs/key.pem --fullchain-file /etc/nginx/certs/cert.pem --reloadcmd "systemctl force-reload nginx"