+
+
+
+
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+
+ 
+ 
+ 
+
-[](https://gitter.im/acme-sh/Lobby?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub")
-[](https://hub.docker.com/r/neilpang/acme.sh "Click to view the image on Docker Hub")
+
+
+ 
+ 
+ 
+
+ ๐ Wiki โข + ๐ณ Docker Guide โข + ๐ฆ Twitter +
-Twitter: [@neilpangxa](https://twitter.com/neilpangxa) +--- +## ๐ [ไธญๆ่ฏดๆ](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) -# [ไธญๆ่ฏดๆ](https://github.com/acmesh-official/acme.sh/wiki/%E8%AF%B4%E6%98%8E) +--- -# Who: +## ๐ Who Uses acme.sh? - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/) - [ruby-china.org](https://ruby-china.org/topics/31983) - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management) @@ -62,7 +78,9 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) - [lnmp.org](https://lnmp.org/) - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials) -# Tested OS +--- + +## ๐ฅ๏ธ Tested OS | NO | Status| Platform| |----|-------|---------| @@ -91,50 +109,60 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa) |24|[](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management) -Check our [testing project](https://github.com/acmesh-official/acmetest): +> ๐งช Check our [testing project](https://github.com/acmesh-official/acmetest) +> +> ๐ฅ๏ธ The testing VMs are supported by [vmactions.org](https://vmactions.org) -https://github.com/acmesh-official/acmetest +--- -# Supported CA +## ๐๏ธ Supported CA -- [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default) -- Letsencrypt.org CA -- [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) -- [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) -- [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA) -- [Pebble strict Mode](https://github.com/letsencrypt/pebble) -- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA +| CA | Status | +|---|---| +| [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA) | โญ **Default** | +| Letsencrypt.org CA | โ Supported | +| [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA) | โ Supported | +| [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA) | โ Supported | +| [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA) | โ Supported | +| [Pebble strict Mode](https://github.com/letsencrypt/pebble) | โ Supported | +| Any [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA | โ Supported | -# Supported modes +--- -- Webroot mode -- Standalone mode -- Standalone tls-alpn mode -- Apache mode -- Nginx mode -- DNS mode -- [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) -- [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) +## โ๏ธ Supported Modes +| Mode | Description | +|------|-------------| +| ๐ Webroot mode | Use existing webroot directory | +| ๐ฅ๏ธ Standalone mode | Built-in webserver on port 80 | +| ๐ Standalone tls-alpn mode | Built-in webserver on port 443 | +| ๐ชถ Apache mode | Use Apache for verification | +| โก Nginx mode | Use Nginx for verification | +| ๐ DNS mode | Use DNS TXT records | +| ๐ [DNS alias mode](https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode) | Use DNS alias for verification | +| ๐ก [Stateless mode](https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode) | Stateless verification | -# 1. How to install +--- -### 1. Install online +## ๐ Usage Guide -Check this project: https://github.com/acmesh-official/get.acme.sh +### 1๏ธโฃ How to Install + +#### ๐ฅ Install Online + +> Check this project: https://github.com/acmesh-official/get.acme.sh ```bash curl https://get.acme.sh | sh -s email=my@example.com ``` -Or: +**Or:** ```bash wget -O - https://get.acme.sh | sh -s email=my@example.com ``` - -### 2. Or, Install from git +#### ๐ฆ Install from Git Clone this project and launch installation: @@ -144,11 +172,11 @@ cd ./acme.sh ./acme.sh --install -m my@example.com ``` -You `don't have to be root` then, although `it is recommended`. +> ๐ก You `don't have to be root` then, although `it is recommended`. -Advanced Installation: https://github.com/acmesh-official/acme.sh/wiki/How-to-install +๐ **Advanced Installation:** https://github.com/acmesh-official/acme.sh/wiki/How-to-install -The installer will perform 3 actions: +**The installer will perform 3 actions:** 1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/`. All certs will be placed in this folder too. @@ -161,17 +189,19 @@ Cron entry example: 0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null ``` -After the installation, you must close the current terminal and reopen it to make the alias take effect. +> โ ๏ธ After the installation, you must close the current terminal and reopen it to make the alias take effect. -Ok, you are ready to issue certs now. +โ **You are ready to issue certs now!** -Show help message: +**Show help message:** ```sh -root@v1:~# acme.sh -h +acme.sh -h ``` -# 2. Just issue a cert +--- + +### 2๏ธโฃ Issue a Certificate **Example 1:** Single domain. @@ -206,19 +236,21 @@ You must point and bind all the domains to the same webroot dir: `/home/wwwroot/ The certs will be placed in `~/.acme.sh/example.com/` -The certs will be renewed automatically every **60** days. +> ๐ The certs will be renewed automatically every **30** days. -The certs will default to ECC certificates. +> ๐ The certs will default to **ECC** certificates. -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +๐ **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +--- -# 3. Install the cert to Apache/Nginx etc. +### 3๏ธโฃ Install the Certificate to Apache/Nginx After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. -You **MUST** use this command to copy the certs to the target files, **DO NOT** use the certs files in **~/.acme.sh/** folder, they are for internal use only, the folder structure may change in the future. -**Apache** example: +> โ ๏ธ **IMPORTANT:** You **MUST** use this command to copy the certs to the target files. **DO NOT** use the certs files in `~/.acme.sh/` folder โ they are for internal use only, the folder structure may change in the future. + +#### ๐ชถ Apache Example: ```bash acme.sh --install-cert -d example.com \ --cert-file /path/to/certfile/in/apache/cert.pem \ @@ -227,7 +259,7 @@ acme.sh --install-cert -d example.com \ --reloadcmd "service apache2 force-reload" ``` -**Nginx** example: +#### โก Nginx Example: ```bash acme.sh --install-cert -d example.com \ --key-file /path/to/keyfile/in/nginx/key.pem \ @@ -241,91 +273,89 @@ The ownership and permission info of existing files are preserved. You can pre-c Install/copy the cert/key to the production Apache or Nginx path. -The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`. +> ๐ The cert will be renewed every **30** days by default (configurable). Once renewed, the Apache/Nginx service will be reloaded automatically. +> โ ๏ธ **IMPORTANT:** The `reloadcmd` is very important. The cert can be automatically renewed, but without a correct `reloadcmd`, the cert may not be flushed to your server (like nginx or apache), then your website will not be able to show the renewed cert. -**Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.** +--- -# 4. Use Standalone server to issue cert +### 4๏ธโฃ Use Standalone Server to Issue Certificate -**(requires you to be root/sudoer or have permission to listen on port 80 (TCP))** +> ๐ Requires root/sudoer or permission to listen on port **80** (TCP) -Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. +> โ ๏ธ Port `80` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. ```bash acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com ``` -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +๐ **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 5. Use Standalone ssl server to issue cert +--- -**(requires you to be root/sudoer or have permission to listen on port 443 (TCP))** +### 5๏ธโฃ Use Standalone TLS Server to Issue Certificate -Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. +> ๐ Requires root/sudoer or permission to listen on port **443** (TCP) + +> โ ๏ธ Port `443` (TCP) **MUST** be free to listen on, otherwise you will be prompted to free it and try again. ```bash acme.sh --issue --alpn -d example.com -d www.example.com -d cp.example.com ``` -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +๐ **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +--- -# 6. Use Apache mode +### 6๏ธโฃ Use Apache Mode -**(requires you to be root/sudoer, since it is required to interact with Apache server)** +> ๐ Requires root/sudoer to interact with Apache server If you are running a web server, it is recommended to use the `Webroot mode`. Particularly, if you are running an Apache server, you can use Apache mode instead. This mode doesn't write any files to your web root folder. -Just set string "apache" as the second argument and it will force use of apache plugin automatically. - ```sh acme.sh --issue --apache -d example.com -d www.example.com -d cp.example.com ``` -**This apache mode is only to issue the cert, it will not change your apache config files. -You will need to configure your website config files to use the cert by yourself. -We don't want to mess with your apache server, don't worry.** +> ๐ก **Note:** This Apache mode is only to issue the cert, it will **not** change your Apache config files. You will need to configure your website config files to use the cert by yourself. We don't want to mess with your Apache server, don't worry! -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +๐ **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 7. Use Nginx mode +--- -**(requires you to be root/sudoer, since it is required to interact with Nginx server)** +### 7๏ธโฃ Use Nginx Mode -If you are running a web server, it is recommended to use the `Webroot mode`. - -Particularly, if you are running an nginx server, you can use nginx mode instead. This mode doesn't write any files to your web root folder. +> ๐ Requires root/sudoer to interact with Nginx server -Just set string "nginx" as the second argument. +If you are running a web server, it is recommended to use the `Webroot mode`. -It will configure nginx server automatically to verify the domain and then restore the nginx config to the original version. +Particularly, if you are running an Nginx server, you can use Nginx mode instead. This mode doesn't write any files to your web root folder. -So, the config is not changed. +It will configure Nginx server automatically to verify the domain and then restore the Nginx config to the original version. So, the config is not changed. ```sh acme.sh --issue --nginx -d example.com -d www.example.com -d cp.example.com ``` -**This nginx mode is only to issue the cert, it will not change your nginx config files. -You will need to configure your website config files to use the cert by yourself. -We don't want to mess with your nginx server, don't worry.** +> ๐ก **Note:** This Nginx mode is only to issue the cert, it will **not** change your Nginx config files. You will need to configure your website config files to use the cert by yourself. We don't want to mess with your Nginx server, don't worry! -More examples: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert +๐ **More examples:** https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert -# 8. Automatic DNS API integration +--- + +### 8๏ธโฃ Automatic DNS API Integration If your DNS provider supports API access, we can use that API to automatically issue the certs. -You don't have to do anything manually! +> โจ **You don't have to do anything manually!** -### Currently acme.sh supports most of the dns providers: +๐ **Currently acme.sh supports most DNS providers:** https://github.com/acmesh-official/acme.sh/wiki/dnsapi -https://github.com/acmesh-official/acme.sh/wiki/dnsapi +--- -# 9. Use DNS manual mode: +### 9๏ธโฃ Use DNS Manual Mode See: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode first. @@ -355,67 +385,74 @@ Then just rerun with `renew` argument: acme.sh --renew -d example.com ``` -Ok, it's done. +โ **Done!** -**Take care, this is dns manual mode, it can not be renewed automatically. you will have to add a new txt record to your domain by your hand when you renew your cert.** +> โ ๏ธ **WARNING:** This is DNS manual mode โ it **cannot** be renewed automatically. You will have to add a new TXT record to your domain manually when you renew your cert. **Please use DNS API mode instead.** -**Please use dns api mode instead.** +--- -# 10. Issue certificates of different key types and lengths (ECC or RSA) +### ๐ Issue Certificates of Different Key Types (ECC or RSA) -Just set the `keylength` to a valid, supported, value. +Just set the `keylength` to a valid, supported value. -Valid values for the `keylength` parameter are: +**Valid values for the `keylength` parameter:** -1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)** -2. **ec-384 (secp384r1, "ECDSA P-384")** -3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)** -4. **2048 (RSA2048)** -5. **3072 (RSA3072)** -6. **4096 (RSA4096)** +| Key Length | Description | +|------------|-------------| +| `ec-256` | prime256v1, "ECDSA P-256" โญ **Default** | +| `ec-384` | secp384r1, "ECDSA P-384" | +| `ec-521` | secp521r1, "ECDSA P-521" โ ๏ธ Not supported by Let's Encrypt yet | +| `2048` | RSA 2048-bit | +| `3072` | RSA 3072-bit | +| `4096` | RSA 4096-bit | -For example: +**Examples:** -### Single domain with ECDSA P-384 certificate +#### Single domain with ECDSA P-384 certificate ```bash acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-384 ``` -### SAN multi domain with RSA4096 certificate +#### SAN multi domain with RSA4096 certificate ```bash acme.sh --issue -w /home/wwwroot/example.com -d example.com -d www.example.com --keylength 4096 ``` -# 11. Issue Wildcard certificates +--- + +### 1๏ธโฃ1๏ธโฃ Issue Wildcard Certificates -It's simple, just give a wildcard domain as the `-d` parameter. +It's simple! Just give a wildcard domain as the `-d` parameter: ```sh -acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf +acme.sh --issue -d example.com -d '*.example.com' --dns dns_cf ``` -# 12. How to renew the certs +--- -No, you don't need to renew the certs manually. All the certs will be renewed automatically every **60** days. +### 1๏ธโฃ2๏ธโฃ How to Renew Certificates -However, you can also force to renew a cert: +> ๐ No need to renew manually! All certs will be renewed automatically every **30** days. + +However, you can force a renewal: ```sh acme.sh --renew -d example.com --force ``` -or, for ECC cert: +**For ECC cert:** ```sh acme.sh --renew -d example.com --force --ecc ``` +--- -# 13. How to stop cert renewal +### 1๏ธโฃ3๏ธโฃ How to Stop Certificate Renewal To stop renewal of a cert, you can execute the following to remove the cert from the renewal list: @@ -425,73 +462,78 @@ acme.sh --remove -d example.com [--ecc] The cert/key file is not removed from the disk. -You can remove the respective directory (e.g. `~/.acme.sh/example.com`) by yourself. +> ๐ก You can remove the respective directory (e.g. `~/.acme.sh/example.com`) manually. +--- -# 14. How to upgrade `acme.sh` +### 1๏ธโฃ4๏ธโฃ How to Upgrade acme.sh -acme.sh is in constant development, so it's strongly recommended to use the latest code. +> ๐ acme.sh is in constant development โ it's strongly recommended to use the latest code. -You can update acme.sh to the latest code: +**Update to latest:** ```sh acme.sh --upgrade ``` -You can also enable auto upgrade: +**Enable auto upgrade:** ```sh acme.sh --upgrade --auto-upgrade ``` -Then **acme.sh** will be kept up to date automatically. - -Disable auto upgrade: +**Disable auto upgrade:** ```sh acme.sh --upgrade --auto-upgrade 0 ``` +--- -# 15. Issue a cert from an existing CSR +### 1๏ธโฃ5๏ธโฃ Issue a Certificate from an Existing CSR -https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR +๐ https://github.com/acmesh-official/acme.sh/wiki/Issue-a-cert-from-existing-CSR +--- -# 16. Send notifications in cronjob +### 1๏ธโฃ6๏ธโฃ Send Notifications in Cronjob -https://github.com/acmesh-official/acme.sh/wiki/notify +๐ https://github.com/acmesh-official/acme.sh/wiki/notify +--- -# 17. Under the Hood +### 1๏ธโฃ7๏ธโฃ Under the Hood -Speak ACME language using shell, directly to "Let's Encrypt". +> ๐ง Speak ACME language using shell, directly to "Let's Encrypt". -TODO: +--- +### 1๏ธโฃ8๏ธโฃ Acknowledgments -# 18. Acknowledgments +| Project | Link | +|---------|------| +| ๐ Acme-tiny | https://github.com/diafygi/acme-tiny | +| ๐ ACME protocol | https://github.com/ietf-wg-acme/acme | -1. Acme-tiny: https://github.com/diafygi/acme-tiny -2. ACME protocol: https://github.com/ietf-wg-acme/acme +--- +## ๐ฅ Contributors -## Contributors - -### Code Contributors +### ๐ป Code Contributors This project exists thanks to all the people who contribute. +
-### Financial Contributors
+### ๐ฐ Financial Contributors
Become a financial contributor and help us sustain our community. [[Contribute](https://opencollective.com/acmesh/contribute)]
-#### Individuals
+#### ๐ค Individuals
-#### Organizations
+#### ๐ข Organizations
Support this project with your organization. Your logo will show up here with a link to your website. [[Contribute](https://opencollective.com/acmesh/contribute)]
@@ -506,25 +548,31 @@ Support this project with your organization. Your logo will show up here with a
+---
+
+### 1๏ธโฃ9๏ธโฃ License & Others
+๐ **License:** GPLv3
-# 19. License & Others
+โญ Please **Star** and **Fork** this project!
-License is GPLv3
+๐ [Issues](https://github.com/acmesh-official/acme.sh/issues) and ๐ [Pull Requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome.
-Please Star and Fork me.
+---
-[Issues](https://github.com/acmesh-official/acme.sh/issues) and [pull requests](https://github.com/acmesh-official/acme.sh/pulls) are welcome.
+### 2๏ธโฃ0๏ธโฃ Donate
+> ๐ Your donation makes **acme.sh** better!
-# 20. Donate
-Your donation makes **acme.sh** better:
+| Method | Link |
+|--------|------|
+| PayPal / Alipay(ๆฏไปๅฎ) / Wechat(ๅพฎไฟก) | [https://donate.acme.sh/](https://donate.acme.sh/) |
-1. PayPal/Alipay(ๆฏไปๅฎ)/Wechat(ๅพฎไฟก): [https://donate.acme.sh/](https://donate.acme.sh/)
+๐ [Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list)
-[Donate List](https://github.com/acmesh-official/acme.sh/wiki/Donate-list)
+---
-# 21. About this repository
+### 2๏ธโฃ1๏ธโฃ About This Repository
> [!NOTE]
> This repository is officially maintained by ZeroSSL as part of our commitment to providing secure and reliable SSL/TLS solutions. We welcome contributions and feedback from the community!
@@ -532,7 +580,7 @@ Your donation makes **acme.sh** better:
>
> All donations made through this repository go directly to the original independent maintainer (Neil Pang), not to ZeroSSL.
-
+