Free ZeroSSL wildcard SSL certificates with acme.sh DNS API

wildcard SSL for free

Tools

2021.10.14

#ssl #wildcard #zerossl

ACME (Automatic Certificate Management Environment) is the protocol that automates the exchange between a certificate authority (such as Let's Encrypt or ZeroSSL) and a web server. Through ZeroSSL's ACME endpoint you can issue an unlimited number of 90-day SSL certificates, including multi-domain and wildcard certificates, free of charge.

Create a ZeroSSL account

Visit the ZeroSSL official site to register an account. Once you have linked that account to acme.sh (the --register-account step below), every certificate issued through ACME also shows up in your ZeroSSL dashboard for easy management.

Install acme.sh

acme.sh is an ACME protocol client written purely in shell. It runs on any Linux server without special requirements.

Before installing, update the system so the CA bundle and security patches are current. With a stale CA bundle, curl and acme.sh may fail to verify the CA's TLS certificate and the issuance will error out. Then continue with the steps below.

Now install it from https://get.acme.sh:

curl https://get.acme.sh | sh -s email=<email@example.com>

Piping a script straight from the network into sh runs whatever the server returns. If you prefer to read it first, download the script, inspect it, and then run it; the installation wiki at [https://github.com/acmesh-official/acme.sh/wiki/How-to-install] also describes installing from a git clone and other advanced options.

The installer copies acme.sh to ~/.acme.sh/, adds an acme.sh alias to your shell profile, and installs a daily cron job for renewals. Open a new shell (or source your profile) before running the commands below.

Then register your ZeroSSL account with acme.sh:

acme.sh --register-account -m <email@example.com> --server zerossl

acme.sh fetches the External Account Binding (EAB) credentials that ZeroSSL requires using this email address, so you do not need to copy an EAB key from the dashboard by hand.

It's strongly recommended to enable automatic upgrades of acme.sh:

acme.sh --upgrade --auto-upgrade

acme.sh will then keep itself at the latest release automatically.

To stop auto-upgrading, run acme.sh --upgrade --auto-upgrade 0.

Configure the DNS API

Cloudflare is used as the example here; the configuration for other DNS providers is documented at https://github.com/acmesh-official/acme.sh/wiki/dnsapi.

First log in to your Cloudflare account and create an API token. Scope it as narrowly as Cloudflare allows: Zone / DNS / Edit for only the zone you are issuing for, rather than the Global API Key, which grants full access to your whole account. Then export the following variables in your shell (acme.sh saves them on first use):

export CF_Token="xxxxxxxxxxxxxxxxxxxxxxxxxx"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"

If the token is restricted to a single zone, set CF_Zone_ID as well, because a zone-scoped token cannot list your zones for acme.sh to find the right one. Also bear in mind that exporting secrets on an interactive command line writes them into your shell history; clear the relevant entries, or put the variables in a file readable only by you and source it.

Issue a wildcard cert

After these configurations you can issue certs:

acme.sh --issue --server zerossl --dns dns_cf -d example.com -d '*.example.com'

The wildcard name is quoted so the shell does not try to glob-expand it against files in the current directory. --server zerossl is the default CA in acme.sh 3.x, but stating it explicitly avoids surprises on older installations where Let's Encrypt was the default.

The CF_Token, CF_Account_ID and CF_Zone_ID values are saved in plaintext in ~/.acme.sh/account.conf and reused for renewals. Since the token can modify your DNS zone, keep that file readable only by the account that runs acme.sh.

Issued certificates are stored in ~/.acme.sh/<example.com>/ for RSA certs, or in ~/.acme.sh/<example.com>_ecc/ for the ECC (ec-256) certs that acme.sh 3.x issues by default.

That’s it, for more official supports please refer to https://zerossl.com/documentation/acme/.
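The following wrapper, added here as an example and not code from the original post or from the acme.sh project, covers the issue step in a way that keeps the Cloudflare token out of shell history (it reads CF_Token, CF_Account_ID and CF_Zone_ID from a mode-600 file instead of `export` on the command line) and that picks the right `--ecc` flag for the directory acme.sh actually created. The script name issue-wildcard.sh, the credentials file, the nginx destination directory and the use of systemctl are assumptions for the example; acme.sh is assumed to live at ~/.acme.sh/acme.sh as the installer leaves it.

```sh
#!/bin/sh
# Added example (not from the original post or the acme.sh project): wrapper
# around the issue/install steps that reads DNS API credentials from a private
# file and handles the ECC certificate directory acme.sh 3.x uses by default.
# Assumptions: acme.sh at ~/.acme.sh/acme.sh (override with ACME=...), nginx
# as the target, and a credentials file written by the operator.
set -eu

ACME=${ACME:-$HOME/.acme.sh/acme.sh}

# Return 0 only if $1 is a regular file whose group/other bits are zero
# (mode 600 or 400). The token grants write access to the DNS zone, so a
# world-readable file would hand that access to every local user.
creds_file_is_private() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Source KEY=VALUE lines from $1 and export them for acme.sh's dns_cf hook.
# Expected keys (constructed for this example): CF_Token, CF_Account_ID, CF_Zone_ID.
load_dns_creds() {
  creds_file_is_private "$1" || { echo "refusing $1: chmod 600 it first" >&2; return 1; }
  set -a
  . "$1"
  set +a
  [ -n "${CF_Token:-}" ] && [ -n "${CF_Account_ID:-}" ]
}

# acme.sh 3.x stores ECC certs under <domain>_ecc and RSA certs under <domain>.
# $1 is the acme.sh home directory, $2 the domain; prints the directory in use.
acme_cert_dir() {
  if [ -d "$1/${2}_ecc" ]; then printf '%s\n' "$1/${2}_ecc"
  elif [ -d "$1/$2" ];   then printf '%s\n' "$1/$2"
  else return 1
  fi
}

# Print "--ecc" when the ECC directory exists: --install-cert and --renew look
# the certificate up by domain *and* key type, so the flag must match.
acme_ecc_flag() {
  [ -d "$1/${2}_ecc" ] && printf -- '--ecc' || printf ''
}

issue_wildcard() {
  # The wildcard is quoted so the shell cannot glob-expand it.
  "$ACME" --issue --server zerossl --dns dns_cf -d "$1" -d "*.$1"
}

install_to_nginx() {
  dest="$2"
  flag=$(acme_ecc_flag "$HOME/.acme.sh" "$1")
  # $flag is intentionally unquoted: when empty it must expand to nothing.
  "$ACME" --install-cert -d "$1" $flag \
    --key-file "$dest/key.pem" \
    --fullchain-file "$dest/fullchain.pem" \
    --reloadcmd "nginx -t && systemctl reload nginx"
}

# usage: issue-wildcard.sh DOMAIN DEST_DIR CREDS_FILE
main() {
  load_dns_creds "$3"
  issue_wildcard "$1"
  install_to_nginx "$1" "$2"
}
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Pre-create `DEST_DIR/key.pem` with the ownership and mode you want (for example root:root 600) before the first run, since acme.sh preserves the permissions of existing target files. The reloadcmd runs `nginx -t` first so a broken configuration does not turn a routine renewal into an outage.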

Install the certs

After the cert is generated, the files sit in ~/.acme.sh/<example.com>/ (or <example.com>_ecc/), but it is NOT recommended to point your server at the files in the ~/.acme.sh/ folder directly: the folder structure may change in the future.

Instead, install the certs to their target locations with --install-cert, which also records the paths and reload command so that every renewal re-copies the files:

Nginx example:

acme.sh --install-cert -d example.com \
--key-file       /path/to/keyfile/in/nginx/key.pem  \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd     "sudo service nginx force-reload"

Apache example:

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "sudo service apache2 force-reload"

The ownership and permissions of existing target files are preserved, so pre-create them (for example the key file as mode 600, owned by the user the server reads it as) to control who can read the private key. If the cert was issued as ECC, which is the default in acme.sh 3.x, add --ecc to the --install-cert command as well; acme.sh looks the cert up by domain and key type and will otherwise report that no cert is found.

The cert will be renewed every 60 days by default. Once the cert is renewed, the Apache/Nginx service is reloaded automatically by the --reloadcmd command.

Please take care: the reloadcmd is essential. The cert can be renewed automatically, but without a correct reloadcmd the new cert is never loaded by your server (nginx, apache, and so on), so your website keeps presenting the old cert and visitors start seeing expiry errors after 90 days.
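The check below is added here as an example (it is not code from the original post or from the acme.sh project). It is the post-install or post-renewal sanity check that catches the reloadcmd problem just described: it confirms that the file on disk covers the expected names, is not close to expiry, matches its private key, and is the same certificate the server actually presents on port 443. It assumes only openssl is available; the script name check-cert.sh, the paths and the hostname are passed as arguments and are the operator's choice.

```sh
#!/bin/sh
# Added example (not from the original post or the acme.sh project): verify
# the certificate that acme.sh --install-cert deployed, and that the web
# server is serving it. Requires only openssl.
set -eu

# Print the DNS SANs of the PEM certificate in $1, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -o 'DNS:[^,]*' | sed 's/^DNS://' || true
}

# Return 0 if the cert in $1 lists every remaining argument as a DNS SAN.
cert_covers_names() {
  cert="$1"; shift
  names=$(cert_dns_names "$cert")
  for n in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$n" \
      || { echo "missing SAN: $n" >&2; return 1; }
  done
}

# Return 0 if the cert in $1 is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the private key in $1 belongs to the cert in $2
# (compares the SubjectPublicKeyInfo derived from each).
key_matches_cert() {
  kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Return 0 if the cert served on $1:443 has the same SHA-256 fingerprint as
# the file in $2. This is the check that exposes a missing or broken
# reloadcmd: the file is renewed but the server still serves the old cert.
served_matches_disk() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true)
  disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$disk" ]
}

# usage: check-cert.sh CERT KEY HOST NAME [NAME...]
# e.g.   check-cert.sh /etc/nginx/ssl/fullchain.pem /etc/nginx/ssl/key.pem \
#          example.com example.com '*.example.com'
main() {
  cert="$1"; key="$2"; host="$3"; shift 3
  cert_covers_names "$cert" "$@"
  cert_valid_for_days "$cert" 30
  key_matches_cert "$key" "$cert"
  served_matches_disk "$host" "$cert"
  echo "OK: $cert covers $*, key matches, and $host serves it"
}
if [ "$#" -ge 4 ]; then main "$@"; fi
```

Run it from the same cron that acme.sh uses, a few minutes after the renewal window, and alert on a non-zero exit; a certificate that is valid on disk but not served is exactly the failure mode a simple expiry monitor will miss until the old cert runs out.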

Renew the certs

You do not need to renew the certs manually; the cron job installed by acme.sh renews every cert automatically once it is 60 days old.

However, you can also force a renewal with (add --ecc if the cert was issued as ECC):

acme.sh --renew -d example.com --force

Stop cert renewal

To stop automatic renewal of a cert, remove it from the renewal list:

acme.sh --remove -d example.com

The cert or key files are not removed from the local file system, you can remove these files or respective directory (e.g. ~/.acme.sh/example.com) by yourself.


林宏

Frank Lin
