acme.sh: free application for TLS/SSL domain name certificates

acme.sh is a script for applying for free SSL certificates and configuring their automatic renewal. Applying for a Let's Encrypt domain name certificate with it is simple, automated and free: acme.sh implements the ACME protocol and can generate free certificates from Let's Encrypt.

acme.sh: free SSL/TLS domain name certificate

Use the acme.sh script to apply for a free TLS/SSL domain name certificate on a Linux server

acme.sh is a very useful script for applying for free certificates and configuring automatic renewal. It is easy to install and supports both DNS and HTTP validation, so applying for a domain name certificate is simple, automated and free. acme.sh implements the ACME protocol and can generate free certificates from Let's Encrypt.

Introduction to Let's Encrypt and acme.sh

What is Let's Encrypt

Let's Encrypt is a digital certificate authority launched in the third quarter of 2015. It aims to eliminate the complex process of manually creating and installing certificates through automation, and to promote encrypted connections everywhere on the World Wide Web by providing free SSL/TLS certificates.
Let's Encrypt is provided by the Internet Security Research Group (ISRG). Major sponsors include the Electronic Frontier Foundation, Mozilla Foundation, Akamai and Cisco. On April 9, 2015, ISRG and the Linux Foundation announced a partnership.
The protocol used to implement the new digital certificate authority is called the Automatic Certificate Management Environment (ACME). A draft of this specification is publicly available, and a version of the proposal has been published as a draft.
The process of applying for a domain name certificate with Let's Encrypt is simple, automated, and free.


What is acme.sh

In simple terms, acme.sh implements the ACME protocol and can generate free certificates from Let's Encrypt.
acme.sh has the following features:

  • An ACME protocol client written purely in Shell (Unix shell) language.
  • A complete ACME protocol implementation.
  • Supports ECDSA certificates.
  • Supports SAN and wildcard certificates.
  • Simple, powerful and very easy to use. You only need 3 minutes to learn it.
  • Bash, dash and sh compatible.
  • Written purely in Shell, with no extra dependencies.
  • Automates the issuance, renewal and installation of certificates with just one script.
  • No root/sudoer access rights required.
  • Docker ready.
  • IPv6 ready.
  • Notifications on renewal, errors, etc.

GitHub project homepage: https://github.com/acmesh-official/acme.sh

How to install acme.sh

A pure Unix shell script implementing the ACME client protocol.

Install the acme.sh script

Installation is very simple, one command:

Replace my@example.com with your email address.

curl https://get.acme.sh | sh -s email=my@example.com

Or download the script with wget and install it:

wget -O - https://get.acme.sh | sh -s email=my@example.com

Alternatively, to install from git, clone this project and start the installation:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m my@example.com

The installer will perform 3 actions:

  • Create and copy acme.sh to your home directory ($HOME): ~/.acme.sh/. All certificates will also be placed in this folder.
  • Create an alias: acme.sh=~/.acme.sh/acme.sh
  • Create a daily cron job to check and renew the certificates as needed.

Configure the acme.sh script

Both ordinary users and root users can install and use acme.sh.
The installation process proceeds in the following steps:
Install acme.sh to your home directory: ~/.acme.sh/ and create a bash alias for your convenience:

alias acme.sh=~/.acme.sh/acme.sh
echo 'alias acme.sh=~/.acme.sh/acme.sh' >>/etc/profile

During installation, a cron job is created for you that checks all certificates at 0:00 every day. Any certificate that is about to expire and needs renewal is renewed automatically.

00 00 * * * root /root/.acme.sh/acme.sh --cron --home /root/.acme.sh &>/var/log/acme.sh.logs

For more advanced installation options, see: https://github.com/Neilpang/acme.sh/wiki/How-to-install
The installation process of this script will not pollute any existing system functions and files. All modifications are limited to the installation directory: ~/.acme.sh/

Apply for a certificate using acme.sh

acme.sh implements all validation methods supported by the ACME protocol. There are generally two ways to validate a domain: HTTP validation and DNS validation.

HTTP method

The HTTP method verifies domain ownership by placing a file in the root directory of your website; once validation completes, the certificate can be generated.

Let’s take the domain name boxpu.com as an example:

acme.sh --issue -d boxpu.com --webroot /www/wwwroot/boxpu.com/

You only need to specify the domain name and the root directory of the website where the domain name is located. acme.sh will automatically generate a verification file and put it in the root directory of the website, and then automatically complete the verification. Finally, it will intelligently delete the verification file, and the whole process has no side effects.
If you use an Apache server, acme.sh can also complete the verification automatically from the Apache configuration, so you do not need to specify the website root directory:

acme.sh --issue -d boxpu.com --apache

If you use an Nginx server or reverse proxy, acme.sh can likewise complete the verification automatically from the Nginx configuration, without the website root directory:

acme.sh --issue -d boxpu.com --nginx

Note: In both Apache and Nginx mode, acme.sh restores the configuration to its previous state after completing the verification and does not otherwise modify it, so you don't have to worry about your configuration being damaged.
This approach has one disadvantage: you need to write the SSL configuration yourself. Otherwise, the certificate is generated successfully but your website still cannot be accessed over HTTPS. For safety reasons, however, changing the configuration manually is the better option.
If you have not yet run any web service and port 80 is free, acme.sh can also pretend to be a webserver and temporarily listen on port 80 to complete the verification:

acme.sh --issue -d boxpu.com --standalone

For more advanced usage, please refer to: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
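As an added pre-flight check (example code, not acme.sh's own), the following script imitates what webroot mode does: it writes a constructed token under .well-known/acme-challenge/ in the webroot, fetches it over plain HTTP with curl (assumed installed) and removes it again, so a wrong webroot, or a web server that refuses to serve that path, is caught before --issue runs.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: pre-flight check for --webroot mode.
# acme.sh writes a token file under <webroot>/.well-known/acme-challenge/ and
# Let's Encrypt fetches it over plain HTTP; this does the same with a constructed
# token so that a wrong webroot, or a server that hides that path, is found early.

CHALLENGE_DIR=".well-known/acme-challenge"

# Create the challenge directory and a token file whose body is the token itself;
# prints the file's path on success.
write_challenge() {
  webroot="$1"; token="$2"
  mkdir -p "$webroot/$CHALLENGE_DIR" || return 1
  printf '%s' "$token" > "$webroot/$CHALLENGE_DIR/$token" || return 1
  printf '%s\n' "$webroot/$CHALLENGE_DIR/$token"
}

# Remove the token file again so the webroot is left as it was.
remove_challenge() {
  rm -f "$1/$CHALLENGE_DIR/$2"
}

# Return 0 if http://<domain>/.well-known/acme-challenge/<token> serves the token
# back unchanged (curl assumed installed; -L follows redirects, as the CA does).
probe_http() {
  domain="$1"; token="$2"
  body=$(curl -fsSL --max-time 10 "http://$domain/$CHALLENGE_DIR/$token") || return 1
  [ "$body" = "$token" ]
}

# Write, probe, clean up, report; the exit status is the check result.
check_webroot() {
  domain="$1"; webroot="$2"
  token="precheck-$(date +%s)-$$"   # constructed value, not a real ACME token
  write_challenge "$webroot" "$token" >/dev/null || return 1
  if probe_http "$domain" "$token"; then result=0; else result=1; fi
  remove_challenge "$webroot" "$token"
  if [ "$result" -eq 0 ]; then
    echo "ok: http://$domain/$CHALLENGE_DIR/ is served from $webroot"
  else
    echo "fail: http://$domain/$CHALLENGE_DIR/ is not served from $webroot" >&2
  fi
  return "$result"
}

# Usage: check_webroot boxpu.com /www/wwwroot/boxpu.com && acme.sh --issue -d boxpu.com --webroot /www/wwwroot/boxpu.com/
```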

DNS method

The advantage of this method is that you don't need any server or public IP address, you only need DNS resolution records to complete the verification.
The disadvantage of this method is that unless an automatic DNS API is configured as well, acme.sh cannot renew the certificate automatically; you will have to add the DNS record and verify domain ownership manually each time.

Apply for a certificate using DNS

cd /root/.acme.sh
acme.sh --issue -d *.boxpu.com -d boxpu.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Then add the host record that acme.sh prints in the management console of your DNS provider.

Generate a certificate using DNS

This obtains a free wildcard domain name certificate from Let's Encrypt. After the DNS record has taken effect, run the following command to complete the issuance:

acme.sh --renew -d *.boxpu.com -d boxpu.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Note that the second time, --renew is used instead of --issue.
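Running --renew before the record has propagated fails the validation, so as an added helper (example code, not part of acme.sh) the script below checks public DNS for the token first; the resolver 1.1.1.1 and the dig tool are assumptions, and the token is the TXT value acme.sh printed in the first step.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: confirm that the _acme-challenge TXT
# record is visible in public DNS before running the --renew step of manual
# DNS mode. The token is the TXT value acme.sh printed in the first step.

# Return 0 if the expected token appears among the TXT values read from stdin
# (one per line, quoted the way `dig +short` prints them).
txt_token_present() {
  expected="$1"
  while IFS= read -r line; do
    value=${line#\"}      # strip the surrounding quotes dig adds
    value=${value%\"}
    [ "$value" = "$expected" ] && return 0
  done
  return 1
}

# Query a public resolver (dig assumed installed; 1.1.1.1 is an assumption, any
# resolver outside your own network will do) and retry, since propagation can
# take minutes. Issuing for *.boxpu.com and boxpu.com together leaves two TXT
# values at the same name; check each with its own token.
wait_for_txt() {
  domain="$1"; token="$2"; tries="${3:-10}"
  i=0
  while [ "$i" -lt "$tries" ]; do
    if dig +short TXT "_acme-challenge.$domain" @1.1.1.1 | txt_token_present "$token"; then
      echo "TXT record for _acme-challenge.$domain carries the token; safe to run --renew"
      return 0
    fi
    i=$((i + 1))
    sleep 30
  done
  echo "token not visible at _acme-challenge.$domain after $tries checks; do not run --renew yet" >&2
  return 1
}

# Usage: wait_for_txt boxpu.com "<token printed by acme.sh>" \
#   && acme.sh --renew -d '*.boxpu.com' -d boxpu.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
```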

dns method API

The real power of the DNS method is that you can use the API provided by your DNS provider to add the TXT records automatically and complete the verification without manual steps.
acme.sh currently ships automatic integrations for dozens of DNS providers, such as dnspod, cloudxns and ovh.
Taking dnspod as an example, you need to log in to your dnspod account first and generate your api id and api key, both of which are free.

export DP_Id="xxxxxxxxxxx"
export DP_Key="xxxxxxxxxxxxxx"
acme.sh --issue --dns dns_dp -d boxpu.com -d *.boxpu.com

The API ID and API key given here are recorded automatically, so you don't need to specify them again when you use the dnspod API in the future. Just issue directly:

acme.sh --issue -d boxpu.com --dns dns_dp

More detailed API usage: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md

Use of TLS/SSL certificates

TLS/SSL Certificate Installation

After the certificate is generated, you need to copy it to where you really need it.

Note that the default generated certificates are placed in the installation directory: ~/.acme.sh/. Please do not use the files in this directory directly.
For example: Do not use the following file directly in the nginx/apache configuration file.
The files here are for internal use only, and the directory structure may change. The correct way to use it is to use the --installcert command and specify the target location, and then the certificate files will be copied to the corresponding location, for example:

acme.sh --installcert -d boxpu.com \
  --key-file /etc/nginx/ssl/uzbox.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "systemctl force-reload nginx"
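The --reloadcmd runs after every installation and every automatic renewal, so it is a good place to verify the copied files before the web server picks them up. As an added example (not acme.sh's own code), the wrapper below reloads nginx only when the installed key and certificate belong together and the leaf certificate is valid; it assumes the paths from the --installcert command above and the script name safe-reload-nginx.sh.

```shell
#!/bin/sh
# Added example, not acme.sh's own code: a --reloadcmd wrapper that only reloads
# nginx when the installed key and certificate belong together and the leaf
# certificate is valid. Paths follow the --installcert command above; the script
# name safe-reload-nginx.sh is an assumption.

KEY_FILE="${KEY_FILE:-/etc/nginx/ssl/uzbox.key}"
CHAIN_FILE="${CHAIN_FILE:-/etc/nginx/ssl/fullchain.cer}"

# Return 0 when the public key derived from the private key equals the public
# key inside the leaf certificate (works for RSA and ECDSA alike).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 when the leaf certificate is still valid in $2 days (default 1);
# a freshly issued Let's Encrypt certificate has about 90 days left.
cert_valid_for_days() {
  days="${2:-1}"
  openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Run the checks, then the same force-reload the article uses; a non-zero exit
# is reported by acme.sh as a failed reload instead of silently serving a bad pair.
safe_reload() {
  if ! key_matches_cert "$KEY_FILE" "$CHAIN_FILE"; then
    echo "refusing reload: $KEY_FILE does not match $CHAIN_FILE" >&2; return 1
  fi
  if ! cert_valid_for_days "$CHAIN_FILE" 1; then
    echo "refusing reload: certificate in $CHAIN_FILE is expired or expiring" >&2; return 1
  fi
  nginx -t >/dev/null 2>&1 || { echo "refusing reload: nginx -t failed" >&2; return 1; }
  systemctl force-reload nginx
}

# Install with: acme.sh --installcert -d boxpu.com ... --reloadcmd /usr/local/bin/safe-reload-nginx.sh
case "$0" in
  */safe-reload-nginx.sh|safe-reload-nginx.sh) safe_reload ;;
esac
```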

Install SSL Certificate on Nginx Server

Taking the standard Nginx configuration as an example: use fullchain.cer as the certificate file and boxpu.com.key as the private key file.

Nginx's ssl_certificate directive must point at fullchain.cer rather than the bare .cer file without the chain; otherwise the SSL Labs test reports "Chain issues: Incomplete".
The certificate path generated above is /www/server/panel/vhost/cert/boxpu.com/;
Modify Nginx configuration file

server {
    # "listen 443 ssl" replaces the old "ssl on;" directive, which current nginx versions no longer accept
    listen 443 ssl;
    server_name boxpu.com;
    root html;
    index index.html index.htm;
    ssl_certificate /www/server/panel/vhost/cert/boxpu.com/fullchain.cer;
    ssl_certificate_key /www/server/panel/vhost/cert/boxpu.com/boxpu.com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated; only offer TLS 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

Restart nginx and load the new configuration

systemctl force-reload nginx

Note: systemctl force-reload nginx is used here, not systemctl reload nginx. Reload does not reload the certificate, so force-reload is used.

Renewing Certificates

Certificate renewal

The certificate is currently valid for 90 days and is renewed automatically after 60 days. You don't need to do anything; everything is automatic, so you don't have to worry about the certificate expiring.

acme.sh Updates

Since the ACME protocol and the Let's Encrypt CA are updated frequently, acme.sh is also updated frequently to stay in sync.
Upgrade acme.sh to the latest version:

acme.sh --upgrade

If you don't want to update manually, you can enable automatic updates:

acme.sh --upgrade --auto-upgrade

After this, acme.sh will stay up to date automatically. You can also turn off automatic updates at any time:

acme.sh --upgrade --auto-upgrade 0