In a previous tutorial, we described how to obtain a free SSL/TLS certificate from Let's Encrypt by using Certbot.
In this tutorial, we would like to show you another way that you can easily obtain and renew a free SSL/TLS certificate from Let's Encrypt by using the acme.sh script on Ubuntu 20.04.
If you do not yet have a working NGINX web server, here is an easy NGINX installation guide that you can follow.
The acme.sh shell script automates the issuance and renewal of free certificates from Let's Encrypt. You can get the acme.sh script either by downloading it directly from the web or by cloning its git project.
Download acme.sh from the web
Run any of the two commands below to download and execute the acme.sh script.
$ curl https://get.acme.sh | sh
$ wget -O - https://get.acme.sh | sh
Below is an example of what you can expect when the script executes.
$ wget -O - https://get.acme.sh | sh --2021-02-16 11:55:47-- https://get.acme.sh/ Resolving get.acme.sh (get.acme.sh)… 2606:4700:3032::6815:223e, 2606:4700:3031::ac43:c710, 188.8.131.52, … Connecting to get.acme.sh (get.acme.sh)|2606:4700:3032::6815:223e|:443… connected. HTTP request sent, awaiting response… 200 OK Length: unspecified [text/html] Saving to: ‘STDOUT’ [ <=> ] 937 --.-KB/s in 0s 2021-02-16 11:55:47 (11.8 MB/s) - written to stdout  % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 204k 100 204k 0 0 3350k 0 --:--:-- --:--:-- --:--:-- 3350k [Tue 16 Feb 2021 11:55:47 AM UTC] Installing from online archive. [Tue 16 Feb 2021 11:55:47 AM UTC] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [Tue 16 Feb 2021 11:55:47 AM UTC] Extracting master.tar.gz [Tue 16 Feb 2021 11:55:47 AM UTC] It is recommended to install socat first. [Tue 16 Feb 2021 11:55:47 AM UTC] We use socat for standalone server if you use standalone mode. [Tue 16 Feb 2021 11:55:47 AM UTC] If you don't use standalone mode, just ignore this warning. [Tue 16 Feb 2021 11:55:47 AM UTC] Installing to /home/shola/.acme.sh [Tue 16 Feb 2021 11:55:47 AM UTC] Installed to /home/shola/.acme.sh/acme.sh [Tue 16 Feb 2021 12:05:54 PM UTC] Installing alias to '/home/shola/.bashrc' [Tue 16 Feb 2021 12:05:54 PM UTC] OK, Close and reopen your terminal to start using acme.sh [Tue 16 Feb 2021 11:55:47 AM UTC] Installing cron job 47 0 * * * "/home/shola/.acme.sh"/acme.sh --cron --home "/home/shola/.acme.sh" > /dev/null [Tue 16 Feb 2021 11:55:47 AM UTC] Good, bash is found, so change the shebang to use bash as preferred. [Tue 16 Feb 2021 11:55:48 AM UTC] OK [Tue 16 Feb 2021 11:55:48 AM UTC] Install success!
Clone acme.sh git project
Alternatively, run the commands below one per line, to clone the acme.sh git project and execute the script.
$ git clone https://github.com/acmesh-official/acme.sh.git $ cd acme.sh $ ./acme.sh --install
Whichever method you choose to use, once you see the "Install success!" message, you may close the terminal window and open it again to validate the installation.
To see acme.sh usage information, run the next command.
$ acme.sh -h
You may also run the command below to check the acme.sh version.
$ acme.sh --version
Generate a Certificate
To generate a single certificate for a single domain, run the command below.
Replace yourdomain.com with your registered domain. Also, replace /var/www/yourdomain.com with your domain's website root folder as appropriate.
$ acme.sh --issue -d yourdomain.com -w /var/www/yourdomain.com
For multiple domains/sub-domains that share the same website root folder, you can run the next command to issue a certificate.
$ acme.sh --issue -d yourdomain.com -d www.yourdomain.com -d subdomain.yourdomain.com -w /var/www/yourdomain.com
The generated certificates will be stored in ~/.acme.sh/yourdomain.com
Install Certificate on NGINX using acme
After generating the certificate through the acme.sh script, the next step is to install it on NGINX. First, create a folder where the generated certificate will be copied to.
$ sudo mkdir -p /etc/nginx/certs/yourdomain.com
Run the next command to install the certificate. Do not forget to replace yourdomain.com with your registered domain.
$ acme.sh --install-cert -d yourdomain.com --key-file /etc/nginx/certs/yourdomain.com/key.pem --fullchain-file /etc/nginx/certs/yourdomain.com/cert.pem --reloadcmd "service nginx force-reload"
Update NGINX Server Block File
The final step is to update the server block file for your domain to include the SSL related directives.
Run the command below to edit the server block file.
$ sudo nano /etc/nginx/sites-available/yourdomain.com
Next, add the following lines.
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
After the additions, your server block file should look like what you see in the image below. The new additions are highlighted in red. Also, notice that the listen directives for port 80 have been commented out.
Save changes and close the file.
Restart NGINX with:
$ sudo systemctl restart nginx
Visit your website in a browser to confirm that secure communication is now enabled.
The certificates issued by Let's Encrypt will automatically renew every 60 days.
But you could also manually renew the certificate if you would like to. Run the command below.
$ acme.sh --renew -d yourdomain.com --force
To stop certificate renewal, run the following.
$ acme.sh --remove -d yourdomain.com
It is recommended to always use the latest version of acme.sh. Run the command below to ensure that acme.sh is updated automatically.
$ acme.sh --upgrade --auto-upgrade
To disable automatic upgrade for acme.sh, run the next command.
$ acme.sh --upgrade --auto-upgrade 0
If you would not like acme.sh to be automatically upgraded, then use the command below to manually update it.
$ acme.sh --upgrade
In this guide, we described the steps to obtain and renew free SSL/TLS certificates from Let's Encrypt by using the acme.sh shell script on Ubuntu. This method is an alternative to using the Certbot tool. We would like to hear about your experience using these tools.