ACME
An ACME protocol client written purely in Shell (Unix shell) language
Installation
curl https://get.acme.sh | sh -s email=my@example.com
DNS challenge
# step 1: request the certificate; acme.sh prints the challenge and stops, nothing is issued yet
~/.acme.sh/acme.sh --issue --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please
# it prints a DNS TXT record to add, like:
# Domain: '_acme-challenge.sub.domain.tld'
# TXT value: 'xxx'
# Once the record is added and visible from public resolvers, run `--renew` with the same options
# step 2: validate the challenge and issue (.key, .cer, fullchain.cer, etc. land under ~/.acme.sh/sub.domain.tld/)
~/.acme.sh/acme.sh --renew --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please
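Glue for the two-step manual flow above, as an added example (not acme.sh's own code): it pulls the Domain / TXT value lines out of the `--issue` output, waits until the record is actually visible on a public resolver (running `--renew` before the record has propagated is the usual reason the second step fails), and only then runs `--renew`. The ACME path, DOMAIN, RESOLVER and the sample acme.sh output are assumptions.

```shell
#!/bin/sh
# Added example, not part of acme.sh: glue for the two-step manual DNS flow.
# ACME, DOMAIN and RESOLVER are assumed values; adjust them.
ACME="$HOME/.acme.sh/acme.sh"
DOMAIN="sub.domain.tld"
RESOLVER="1.1.1.1"

# Constructed sample of the relevant lines acme.sh prints in manual mode
# (timestamps shortened); used only to exercise the parser offline.
SAMPLE_OUTPUT="[Mon] Add the following TXT record:
[Mon] Domain: '_acme-challenge.sub.domain.tld'
[Mon] TXT value: 'abc123'
[Mon] Please be aware that you prepend _acme-challenge. before your domain"

# parse_txt_records: stdin = acme.sh output, stdout = one "name value" per
# record (several when -d is given more than once). Splitting on the single
# quotes is more robust than splitting on whitespace.
parse_txt_records() {
    awk -F"'" '
        /Domain: /    { name = $2 }
        /TXT value: / { print name, $2 }
    '
}

# txt_present NAME VALUE: succeeds when RESOLVER returns exactly VALUE for
# NAME. Needs dig and network access, so it is not exercised offline.
txt_present() {
    dig +short TXT "$1" "@$RESOLVER" | tr -d '"' | grep -qx "$2"
}

# wait_for_txt NAME VALUE [TRIES]: poll every 15 s, up to TRIES times.
wait_for_txt() {
    tries=${3:-20}
    while [ "$tries" -gt 0 ]; do
        txt_present "$1" "$2" && return 0
        tries=$((tries - 1))
        sleep 15
    done
    return 1
}

# manual_dns_flow: the whole procedure. Step 1 stops after printing the
# challenge (acme.sh returns non-zero there, nothing is issued yet), so its
# exit status is ignored and only its output is kept.
manual_dns_flow() {
    out=$("$ACME" --issue --dns -d "$DOMAIN" --keylength 4096 \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please 2>&1) || :
    records=$(printf '%s\n' "$out" | parse_txt_records)
    [ -n "$records" ] || { printf '%s\n' "$out"; return 1; }
    printf '%s\n' "$records" | while read -r name value; do
        printf 'Add TXT %s = %s on your DNS, then press Enter\n' "$name" "$value"
        read -r _ </dev/tty
        wait_for_txt "$name" "$value" || { echo "$name not visible yet"; exit 1; }
    done || return 1
    "$ACME" --renew --dns -d "$DOMAIN" --keylength 4096 \
        --yes-I-know-dns-manual-mode-enough-go-ahead-please
}

# Only run the real flow when invoked as: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
    manual_dns_flow
fi
```

The propagation check queries a public resolver rather than your own authoritative server on purpose: the CA validates from the outside, so a record that is only visible locally (or still cached as NXDOMAIN) will fail the `--renew` step even though `dig @your-ns` looks fine.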
Notes:
- a certificate is valid 90 days, no more; manual DNS mode cannot be renewed automatically by the cron job the installer sets up, so the `--renew` step (with a fresh TXT record) has to be repeated by hand before expiry
- to renew without depending too much on the node that holds the DNS record, it is better to run `acme.sh --issue` on the responsible node (the one asking for the renewal): that node adds the TXT record itself through a DynamicDNS client, and can then generate the new certificate(s) itself
- to use another CA, such as Let's Encrypt, add `--server letsencrypt`; however the default one, ZeroSSL, seems better, see comparison