§2024-11-04

  1. How to install

Test machine: hc4Noble.yushei.net

$ pwd
/home/alexlai/build
# --depth 1: shallow clone, only the latest commit is fetched
$ git clone --depth 1 https://github.com/acmesh-official/acme.sh.git

$ cd acme.sh/
alexlai@hc4Noble:~/build/acme.sh$ git branch
* master
$ ls
acme.sh  deploy  dnsapi  Dockerfile  LICENSE.md  notify  README.md
acmeuser@hc4Noble:~/build/acme.sh$ ./acme.sh --install --email alexlai@yushei.net 
[Mon Nov  4 12:40:01 PM CST 2024] It is recommended to install socat first.
[Mon Nov  4 12:40:01 PM CST 2024] We use socat for the standalone server, which is used for standalone mode.
[Mon Nov  4 12:40:01 PM CST 2024] If you don't want to use standalone mode, you may ignore this warning.
[Mon Nov  4 12:40:01 PM CST 2024] Installing to /home/acmeuser/.acme.sh
[Mon Nov  4 12:40:01 PM CST 2024] Installed to /home/acmeuser/.acme.sh/acme.sh
[Mon Nov  4 12:40:01 PM CST 2024] Installing alias to '/home/acmeuser/.bashrc'
[Mon Nov  4 12:40:01 PM CST 2024] Close and reopen your terminal to start using acme.sh
[Mon Nov  4 12:40:01 PM CST 2024] Installing cron job
no crontab for acmeuser
no crontab for acmeuser
[Mon Nov  4 12:40:01 PM CST 2024] bash has been found. Changing the shebang to use bash as preferred.
[Mon Nov  4 12:40:03 PM CST 2024] OK

The --standalone option of acme.sh is used to issue a certificate when no web server is running: acme.sh temporarily starts its own lightweight HTTP listener (this is why the installer recommends socat) to answer the Let's Encrypt HTTP-01 challenge.

$ ls -l ~/.acme.sh/
total 256
-rw-rw-r-- 1 acmeuser acmeuser    196 Nov  4 12:40 account.conf
-rwxrwxr-x 1 acmeuser acmeuser 226003 Nov  4 12:40 acme.sh
-rw-rw-r-- 1 acmeuser acmeuser     96 Nov  4 12:40 acme.sh.env
drwxrwxr-x 2 acmeuser acmeuser   4096 Nov  4 12:40 deploy
drwxrwxr-x 2 acmeuser acmeuser   8192 Nov  4 12:40 dnsapi
-rw-rw-r-- 1 acmeuser acmeuser   1305 Nov  4 12:40 http.header
drwxrwxr-x 2 acmeuser acmeuser   4096 Nov  4 12:40 notify

socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. It can be used for various purposes, including:

The installer appended the line
  . "/home/acmeuser/.acme.sh/acme.sh.env"
to ~/.bashrc; acme.sh.env itself contains:

export LE_WORKING_DIR="/home/acmeuser/.acme.sh"
alias acme.sh="/home/acmeuser/.acme.sh/acme.sh"

  2. Install certificate

$ mkdir ~/certs
$ ./acme.sh --install-cert -d hc4Noble.yushei.net \
    --key-file ~/certs/keyfile.key \
    --fullchain-file ~/certs/fullchain.pem

  3. Advanced installation example

$ git clone --depth 1 https://github.com/acmesh-official/acme.sh.git
$ cd acme.sh
alexlai@hc4Noble:~/build/acme.sh$ ./acme.sh --install  \
--home ~/myacme \
--config-home ~/myacme/data \
--cert-home  ~/mycerts \
--accountemail  "my@example.com" \
--accountkey  ~/myaccount.key \
--accountconf ~/myaccount.conf \
--useragent  "this is my client."
[Mon Nov  4 10:50:37 AM CST 2024] It is recommended to install socat first.
[Mon Nov  4 10:50:37 AM CST 2024] We use socat for the standalone server, which is used for standalone mode.
[Mon Nov  4 10:50:37 AM CST 2024] If you don't want to use standalone mode, you may ignore this warning.
[Mon Nov  4 10:50:37 AM CST 2024] Installing to /home/alexlai/myacme
[Mon Nov  4 10:50:37 AM CST 2024] Installed to /home/alexlai/myacme/acme.sh
[Mon Nov  4 10:50:37 AM CST 2024] Installing alias to '/home/alexlai/.bashrc'
[Mon Nov  4 10:50:37 AM CST 2024] Close and reopen your terminal to start using acme.sh
[Mon Nov  4 10:50:37 AM CST 2024] Installing cron job
no crontab for alexlai
no crontab for alexlai
[Mon Nov  4 10:50:37 AM CST 2024] bash has been found. Changing the shebang to use bash as preferred.
[Mon Nov  4 10:50:40 AM CST 2024] OK
alexlai@hc4Noble:~/build/acme.sh$ ls ~/myac
myaccount.conf  myacme/         
alexlai@hc4Noble:~/build/acme.sh$ ls ~/myacme/
acme.sh  acme.sh.env  data  deploy  dnsapi  notify

$ cat ~/myaccount.conf

#LOG_FILE="/home/alexlai/myacme/data/acme.sh.log"
#LOG_LEVEL=1

#AUTO_UPGRADE="1"

#NO_TIMESTAMP=1

CERT_HOME='/home/alexlai/mycerts'
ACCOUNT_KEY_PATH='/home/alexlai/myaccount.key'
ACCOUNT_EMAIL='my@example.com'
UPGRADE_HASH='d4b8f9700b1a885a73086b33df91f04732cc0878'
USER_AGENT='this is my client.'

alexlai@hc4Noble:~$ crontab -l
37 2 * * * "/home/alexlai/myacme"/acme.sh --cron --home "/home/alexlai/myacme" --config-home "/home/alexlai/myacme/data" > /dev/null

# The same install, written out option by option as in the acme.sh README:
#   --home        where to store acme.sh itself
#   --config-home where acme.sh writes its data
./acme.sh --install \
  --home ~/acmeHome \
  --config-home ~/myacme/data \
  --cert-home ~/mycerts \
  --accountemail "my@example.com" \
  --accountkey ~/myaccount.key \
  --accountconf ~/myaccount.conf \
  --useragent "this is my client."


You don't need to set them all, just set the ones you care about.

Explanations:

--home is a customized dir to install acme.sh in. By default, it installs into ~/.acme.sh
--config-home is a writable folder; acme.sh will write all its files (including certs/keys and configs) there. By default, it's in --home
--cert-home is a customized dir to save the certs you issue. By default, they're saved in --config-home.
--accountemail is the email used to register an account with Let's Encrypt; you will receive renewal notice emails there.
--accountkey is the file holding your account private key. By default, it's saved in --config-home.
--useragent is the User-Agent header value sent to Let's Encrypt.
--nocron installs acme.sh without the cron job.


---

To generate your own private key and SSL certificate using acme.sh, follow these steps:

1. Install acme.sh
First, you'll need to install acme.sh. You can do this by running the following command in your terminal:

$ curl https://get.acme.sh | sh
This script will download and install acme.sh in your home directory.

2. Set Up Your Domain
Before generating a certificate, ensure you have control over the domain for which you want to issue a certificate.

3. Generate the SSL Certificate
To generate an SSL certificate, use the following command. Replace example.com with your domain:

$ acme.sh --issue -d example.com --standalone
--issue: Command to request a certificate.
-d example.com: Specifies the domain for which to issue the certificate.
--standalone: Uses a standalone web server for verification (make sure no other service is running on port 80).
4. Install the Certificate
Once the certificate is issued, you can install it using:

$ acme.sh --install-cert -d example.com \
    --key-file /path/to/your/private.key \
    --fullchain-file /path/to/your/fullchain.cer \
    --reloadcmd "systemctl reload nginx"  # change to your web server's reload command
--key-file: Specify where to save the private key.
--fullchain-file: Specify where to save the full certificate chain.
--reloadcmd: Command to reload your web server after installation (change nginx to apache2 or whatever you are using if necessary).
5. Automate Renewal
acme.sh automatically sets up a cron job for you to renew certificates. You can check your installed certificates and their expiration dates with:

$ acme.sh --list
6. (Optional) Advanced Options
DNS Validation: If you want to use DNS validation (recommended for wildcard certificates), you can use:

$ acme.sh --issue -d "*.example.com" --dns dns_provider
Replace dns_provider with the appropriate DNS API provider (like dns_Cloudflare, dns_DigitalOcean, etc.).

Conclusion
That's it: you have now generated your own SSL certificate using acme.sh. Monitor the expiration dates and keep your certificates up to date.
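Added example, not acme.sh's own code: the directory listings above show acme.sh installed under umask 002 (-rw-rw-r--, -rwxrwxr-x), so a key copied by --install-cert inherits group-readable permissions unless the target directory is locked down first. The helpers below, written for POSIX sh and assuming only ls, cut, chmod and mkdir (openssl optional), prepare a 0700 certificate directory, verify a key has no group/other bits, print the --install-cert command with a --reloadcmd that names one service, and optionally check remaining validity; the /tmp demo path and file names are assumptions.

```shell
#!/bin/sh
# Added example, not acme.sh project code. Assumes POSIX sh with ls, cut,
# chmod and mkdir; the openssl check is skipped when openssl is absent.

# Create the directory that --install-cert will copy key/cert into, with no
# group/other access (the listings above show umask 002, i.e. -rw-rw-r--).
prepare_cert_dir() {
    ( umask 077 && mkdir -p "$1" ) || return 1
    chmod 700 "$1"
}

# Return 0 when a private key has no group/other permission bits at all.
# Reads the mode column of `ls -ld`, which is laid out the same on GNU and BSD.
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group+other bits, "------" when locked
    [ "$mode" = "------" ]
}

# Full permission string of a path, e.g. "rwx------" for a 0700 directory.
path_mode() {
    ls -ld "$1" | cut -c2-10
}

# Print the --install-cert command for a domain: key and chain go into the
# prepared directory, and --reloadcmd names one service, nothing else.
install_cert_cmd() {
    domain=$1; dir=$2; svc=$3
    printf '%s\n' "acme.sh --install-cert -d \"$domain\" \\" \
        "  --key-file \"$dir/$domain.key\" \\" \
        "  --fullchain-file \"$dir/$domain.fullchain.pem\" \\" \
        "  --reloadcmd \"systemctl reload $svc\""
}

# Optional: 0 if the certificate in $1 is still valid for at least $2 days.
cert_valid_for_days() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1"
}

# Stand-alone demo against a constructed key file (run with ACME_DEMO=1).
if [ "${ACME_DEMO:-}" = "1" ]; then
    prepare_cert_dir /tmp/acme-demo
    : > /tmp/acme-demo/demo.key && chmod 660 /tmp/acme-demo/demo.key
    key_perms_ok /tmp/acme-demo/demo.key || echo "demo.key: fix with chmod 600"
    install_cert_cmd hc4Noble.yushei.net /tmp/acme-demo nginx
fi
```

Run key_perms_ok against the --key-file path after every --install-cert (or from the --reloadcmd) so a renewal that recreates the file with the cron user's umask is caught.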



$ acme.sh --register-account -m alexlai@yushei.net
[Mon Nov  4 03:06:54 PM CST 2024] No EAB credentials found for ZeroSSL, let's get one
[Mon Nov  4 03:06:55 PM CST 2024] Registering account: https://acme.zerossl.com/v2/DV90
[Mon Nov  4 03:06:57 PM CST 2024] Registered
[Mon Nov  4 03:06:57 PM CST 2024] ACCOUNT_THUMBPRINT='6bt3d4v9BA7aGdJ21Jh3aOnAafn7aFiCBClbthsvP58'