ACME stands for Automatic Certificate Management Environment and provides an easy-to-use method of automating interactions between a certificate authority (like Let’s Encrypt, or ZeroSSL) and a web server. With ZeroSSL’s ACME feature, you can generate an unlimited amount of 90-day SSL certificates (even multi-domain and wildcards certificates) without any charges.
Create ZeroSSL accout
Visit ZeroSSL official site to register an account. All certificates issued with ACME will be stored in your ZeroSSL account dashboard for easy managements (after
acme.sh is an ACME protocal client written purely in Shell. It works on any Linux server without special requirements.
Update your Linux repo with latest CA bundle and patches from System Update else some issues will occur when generating your free SSL. Once completed then begin the below procedure.
Now install it from https://get.acme.sh:
curl https://get.acme.sh | sh -s email=<email@example.com>
That’s it. For advanced installation, visit [https://github.com/acmesh-official/acme.sh/wiki/How-to-install] for details.
Then, you can register your ZeroSSL account with
acme.sh --register-account -m <firstname.lastname@example.org> --server zerossl
It’s strongly recommended to enable the auto upgrade acme.sh by:
acme.sh --upgrade --auto-upgrade
Then acme.sh will be kept to latest release automatically.
Stop auto upgrade by
acme.sh --upgrade --auto-upgrade 0.
Config DNS API
Just use Cloudfare as an example, other DNS providers’ congituration can be found at https://github.com/acmesh-official/acme.sh/wiki/dnsapi.
First you need to login to your Cloudflare account to get your API key. You can narrow the Cloudflare’s API token that only for write access to Zone.DNS for a single domain, then update variables in your environment by running following commands in shell (these variables will be saved by acme.sh):
Issue a wildcard cert:
Okay, after these configurations we can now issue certs now:
acme.sh --issue --dns dns_cf -d example.com -d *.example.com
CF_Zone_ID will be saved in
~/.acme.sh/account.conf and will be reused when needed.
All issued certificates will be stored in
That’s it, for more official supports please refer to https://zerossl.com/documentation/acme/.
Install the certs
After the cert is generated, files are stored in
~/.acme.sh/<example.com>/, but it’s NOT recommended to use the certs file in the
~/.acme.sh/ folder, the folder structure may change in the future.
You’d better copy the certs to the target location, or you can use following commands to copy the certs:
acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "sudo service nginx force-reload"
acme.sh --install-cert -d example.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "sudo service apache2 force-reload"
The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permissions.
The cert will be renewed every 60 days by default. Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the
Please take care: The reloadcmd is very important. The cert can be automatically renewed, but, without a correct ‘reloadcmd’ the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.
Renew the certs
Indeed, you don’t need to renew the certs manually, all the certs will be renewed automatically every 60 days.
However, you can also force to renew a cert by:
acme.sh --renew -d example.com --force
Stop cert renewal
To stop automatically renewal of a cert, you can execute the following to remove the cert from the renewal list:
acme.sh --remove -d example.com
The cert or key files are not removed from the local file system, you can remove these files or respective directory (e.g.
~/.acme.sh/example.com) by yourself.