
Acme.sh

Should you wish to migrate from Certbot to Acme.sh (I personally prefer Acme.sh these days):

Revoking and Deleting Certbot Certificate

First, comment out the certificate lines in the Nginx config file, then reload Nginx.

Find the name of the most recent certificate. E.g., for my domain example.com:

sudo ls -la /etc/letsencrypt/live/example.com

The files here are symlinks. Make a note of the file that each one links to. In my case, it links to a file called cert6.pem.

Revoke with the following command. It will also ask if you want to delete. Select yes.

sudo certbot revoke --cert-path /etc/letsencrypt/archive/example.com/cert6.pem
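The three steps above (list the live directory, note the archive file the symlink points to, revoke that file) as one script. This is an added example, not part of the original page: it assumes certbot's usual layout, in which live/<domain>/cert.pem is a relative symlink into archive/<domain>/, and it takes the config directory as a parameter so it can be tried against a scratch copy before being pointed at /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the page): resolve which archive file the live
# certificate symlink points to, so the exact file name is passed to
# "certbot revoke" instead of being copied by hand from "ls -la".
# Assumption: certbot's layout, e.g. live/example.com/cert.pem ->
# ../../archive/example.com/cert6.pem (relative symlink).

# Print the absolute, normalised path a symlink points to.
# Fails (returns 1) if the argument is not a symlink.
resolve_link() {
  link="$1"
  [ -L "$link" ] || return 1
  target=$(readlink "$link") || return 1
  case "$target" in
    /*) printf '%s\n' "$target" ;;
    *)  # relative target: resolve it against the directory holding the link
        dir=$(cd "$(dirname "$link")/$(dirname "$target")" && pwd -P) || return 1
        printf '%s/%s\n' "$dir" "$(basename "$target")" ;;
  esac
}

# Print the revoke command for the certificate currently live for a domain.
# $1 = letsencrypt config dir (default /etc/letsencrypt), $2 = domain
revoke_cmd() {
  le_dir="${1:-/etc/letsencrypt}"; domain="$2"
  cert=$(resolve_link "$le_dir/live/$domain/cert.pem") || return 1
  printf 'sudo certbot revoke --cert-path %s\n' "$cert"
}

# Usage: ./revoke.sh example.com   (prints the command; run it yourself)
if [ -n "${1:-}" ]; then
  revoke_cmd /etc/letsencrypt "$1"
fi
```

The script only prints the revoke command; running it is left to you so the prompt about deleting the certificate (answer yes, as above) is still seen interactively.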

Installing acme.sh

Change to root with:

sudo su -

And install acme.sh with:

curl https://get.acme.sh | sh

To upgrade acme.sh:

~/.acme.sh/acme.sh --upgrade

Setting up the DNS API

This allows you to use DNS verification when issuing certificates.

Make sure you are still root.

Create the key and email variables that relate to your Cloudflare account. When a certificate is issued afterwards, acme.sh saves these credentials to a file and reuses them automatically for future issues and renewals.

The token is usually found in the DNS provider's web console. The instructions vary from provider to provider, but the instructions for all of them can be found at https://github.com/acmesh-official/acme.sh/wiki/dnsapi

Issuing a Certificate

Issue an RSA certificate and install to a custom location

~/.acme.sh/acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com --keylength 4096 --key-file /etc/letsencrypt/rsa-certs/example.com/privkey.pem --ca-file /etc/letsencrypt/rsa-certs/example.com/chain.pem --cert-file /etc/letsencrypt/rsa-certs/example.com/cert.pem --fullchain-file /etc/letsencrypt/rsa-certs/example.com/fullchain.pem --pre-hook "mkdir -p /etc/letsencrypt/rsa-certs/example.com" --post-hook "find /etc/letsencrypt/rsa-certs/example.com/ -name '*.pem' -type f -exec chmod 600 {} \;" --renew-hook "find /etc/letsencrypt/rsa-certs/example.com/ -name '*.pem' -type f -exec chmod 600 {} \; -exec service nginx reload \;"

and issue an ECC certificate

~/.acme.sh/acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com --keylength ec-384 --key-file /etc/letsencrypt/ecc-certs/example.com/privkey.pem --ca-file /etc/letsencrypt/ecc-certs/example.com/chain.pem --cert-file /etc/letsencrypt/ecc-certs/example.com/cert.pem --fullchain-file /etc/letsencrypt/ecc-certs/example.com/fullchain.pem --pre-hook "mkdir -p /etc/letsencrypt/ecc-certs/example.com" --post-hook "find /etc/letsencrypt/ecc-certs/example.com/ -name '*.pem' -type f -exec chmod 600 {} \;" --renew-hook "find /etc/letsencrypt/ecc-certs/example.com/ -name '*.pem' -type f -exec chmod 600 {} \; -exec service nginx reload \;"

The above commands also take care of creating the custom directory, setting the permissions, and reloading Nginx.
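The two issue commands above differ only in key type and target directory, so they can be built from one template, and a practitioner will want to confirm afterwards that the post-hook really left every .pem at mode 600. The script below is an added example, not code from the page or from the acme.sh project: it assumes the page's layout (/etc/letsencrypt/rsa-certs and /etc/letsencrypt/ecc-certs under the domain name), the dns_cloudns hook, and that the DNS API credentials have already been exported as described in the previous section. By default it only prints the commands; set DRY_RUN=0 to run them.

```shell
#!/bin/sh
# Added example (not from the page or acme.sh): build the page's two issue
# commands from one template and verify the resulting file permissions.
# Assumptions: /etc/letsencrypt/<rsa|ecc>-certs/<domain> layout, dns_cloudns
# hook, provider credentials already in the environment.

cert_dir() {            # $1 = rsa|ecc, $2 = primary domain
  printf '/etc/letsencrypt/%s-certs/%s\n' "$1" "$2"
}

keylength_for() {       # acme.sh --keylength value for each key type
  case "$1" in
    rsa) printf '4096\n' ;;
    ecc) printf 'ec-384\n' ;;
    *)   return 1 ;;
  esac
}

build_issue_cmd() {     # $1 = rsa|ecc, $2 = primary domain, $3.. = extra names
  type="$1"; domain="$2"; shift 2
  kl=$(keylength_for "$type") || return 1
  dir=$(cert_dir "$type" "$domain")
  names="-d $domain"
  for san in "$@"; do names="$names -d $san"; done
  # chmod 600 every file acme.sh writes, so the private key is root-only
  lock="find $dir/ -name '*.pem' -type f -exec chmod 600 {} \\;"
  cmd="$HOME/.acme.sh/acme.sh --issue --dns dns_cloudns $names --keylength $kl"
  cmd="$cmd --key-file $dir/privkey.pem --ca-file $dir/chain.pem"
  cmd="$cmd --cert-file $dir/cert.pem --fullchain-file $dir/fullchain.pem"
  cmd="$cmd --pre-hook \"mkdir -p $dir\" --post-hook \"$lock\""
  cmd="$cmd --renew-hook \"$lock -exec service nginx reload \\;\""
  printf '%s\n' "$cmd"
}

# Return 0 only if every .pem directly under $1 is mode 600 (rw for the
# owner, nothing for group or other); report each offending file on stderr.
check_pem_perms() {
  status=0
  for f in "$1"/*.pem; do
    [ -f "$f" ] || continue
    mode=$(ls -ld "$f" | cut -c2-10)
    if [ "$mode" != "rw-------" ]; then
      printf 'loose permissions on %s: %s\n' "$f" "$mode" >&2
      status=1
    fi
  done
  return $status
}

# Print the command (DRY_RUN=1, the default) or run it and then check the
# permissions of what it installed (DRY_RUN=0).
issue_cert() {
  cmd=$(build_issue_cmd "$@") || return 1
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$cmd"
    return 0
  fi
  eval "$cmd" && check_pem_perms "$(cert_dir "$1" "$2")"
}

issue_cert rsa example.com www.example.com
issue_cert ecc example.com www.example.com
```

One caveat worth knowing for the ECC certificate: acme.sh keeps it in a separate per-domain store, so later manual operations on it (for example --renew, --install-cert or --revoke for example.com) need the --ecc flag or they will act on the RSA certificate instead. The automatic renewals run by the cron job acme.sh installs handle both and trigger the --renew-hook, which is what reloads Nginx.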