ACME

    An ACME protocol client written purely in Shell (Unix shell) language

    Installation

    curl https://get.acme.sh | sh -s email=my@example.com
    

    DNS challenge

    # request the certificate; in manual DNS mode this does not write any files yet:
    # acme.sh only prints the TXT record you must publish and then exits
    ~/.acme.sh/acme.sh --issue --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please
    # it prints a DNS TXT record like:
    # Domain: '_acme-challenge.sub.domain.tld'
    # TXT value: 'xxx'
    # Once the record is published (and visible from public resolvers), run `--renew`
    
    # complete the challenge and generate the files (.key, .cer, fullchain.cer, etc.)
    ~/.acme.sh/acme.sh --renew --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please
    

    Notes:

    • the certificate is valid for 90 days at most
    • to renew the certificate correctly without depending too much on the node that owns the DNS record, it is better to:
      1. run acme.sh --issue on the responsible node (i.e. the one requesting the certificate renewal)
      2. have the responsible node update the DNS record itself through a DynamicDNS client, adding the TXT record
      3. the responsible node can then generate the new certificate(s) itself
    • if you want to choose another CA, such as Let's Encrypt, pass --server letsencrypt; however the default one, ZeroSSL, seems better, see comparison
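    The manual DNS flow above and the three-step renewal from the responsible node, as one added example script (not part of acme.sh): it parses the record acme.sh prints, publishes it, and only calls --renew once the TXT record is visible from a public resolver. It assumes acme.sh lives in ~/.acme.sh, that `dig` is installed, and that update_dyndns_txt is a hypothetical DynamicDNS client command.

```shell
#!/bin/sh
# Added example, not part of acme.sh: drive the manual DNS-01 flow from the
# responsible node and call --renew only after the TXT record has propagated,
# so the order does not fail on a record that resolvers cannot see yet.
# Assumptions: acme.sh in ~/.acme.sh, `dig` available, update_dyndns_txt is a
# hypothetical DynamicDNS client that publishes the TXT record.

ACME="${HOME}/.acme.sh/acme.sh"
DOMAIN="${1:-sub.domain.tld}"
ACME_OPTS="--dns --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please"

# Extract the challenge from acme.sh --issue output, which contains lines like
#   [...] Domain: '_acme-challenge.sub.domain.tld'
#   [...] TXT value: 'xxx'
# Prints "<record name> <txt value>"; returns 1 if either part is missing.
parse_challenge() {
    name=$(printf '%s\n' "$1" | sed -n "s/.*Domain: '\([^']*\)'.*/\1/p" | head -n 1)
    value=$(printf '%s\n' "$1" | sed -n "s/.*TXT value: '\([^']*\)'.*/\1/p" | head -n 1)
    [ -n "$name" ] && [ -n "$value" ] || return 1
    printf '%s %s\n' "$name" "$value"
}

# $1 = record name, $2 = expected value, $3 = answers as printed by
# `dig +short TXT "$1"` (one quoted string per line). Returns 0 on an exact match.
txt_published() {
    printf '%s\n' "$3" | tr -d '"' | grep -qxF -- "$2"
}

# Poll a public resolver for up to $3 seconds (default 300) for the record.
wait_for_txt() {
    waited=0
    while [ "$waited" -lt "${3:-300}" ]; do
        txt_published "$1" "$2" "$(dig +short TXT "$1" @1.1.1.1)" && return 0
        sleep 15; waited=$((waited + 15))
    done
    return 1
}

main() {
    # In manual mode --issue exits non-zero after printing the record: keep going.
    out=$("$ACME" --issue -d "$DOMAIN" $ACME_OPTS 2>&1) || true
    challenge=$(parse_challenge "$out") || { printf '%s\n' "$out" >&2; exit 1; }
    name=${challenge% *}; value=${challenge#* }
    update_dyndns_txt "$name" "$value"             # hypothetical DynDNS client
    wait_for_txt "$name" "$value" || { echo "TXT record never appeared" >&2; exit 1; }
    "$ACME" --renew -d "$DOMAIN" $ACME_OPTS
}

# Only run the full flow on request so the functions can be sourced and tested.
if [ "${ACME_DEMO_RUN:-0}" = 1 ]; then main; fi
```

    Run it as `ACME_DEMO_RUN=1 sh renew.sh sub.domain.tld` from the responsible node; the 1.1.1.1 resolver and the 15-second poll interval are arbitrary choices.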