2016-04-15 10:50:40 +00:00
# An ACME Shell script: acme.sh
2016-04-16 15:10:46 +00:00
- An ACME protocol client written purely in Shell (Unix shell) language.
2016-04-15 10:50:40 +00:00
- Fully ACME protocol implementation.
- Simple, powerful and very easy to use. You only need 3 minutes to learn.
2016-04-19 15:42:10 +00:00
- Bash, dash and sh compatible.
2016-04-15 10:50:40 +00:00
- Simplest shell script for Let's Encrypt free certificate client.
2016-04-16 15:10:46 +00:00
- Purely written in Shell with no dependencies on python or Let's Encrypt official client.
2016-04-15 10:50:40 +00:00
- Just one script, to issue, renew and install your certificates automatically.
2016-04-21 13:12:48 +00:00
- DOES NOT require `root/sudoer` access.
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
It's probably the `easiest&smallest&smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
2015-12-26 13:44:39 +00:00
2016-04-14 13:44:26 +00:00
Wiki: https://github.com/Neilpang/acme.sh/wiki
2016-04-05 14:48:33 +00:00
2016-01-23 15:04:42 +00:00
#Tested OS
2016-04-21 13:09:08 +00:00
| NO | Status| Platform|
|----|-------|---------|
|1|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/ubuntu-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Ubuntu
|2|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/debian-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Debian
|3|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/centos-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|CentOS
|4|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/windows.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Windows (cygwin with curl, openssl and crontab included)
|5|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/freebsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|FreeBSD
|6|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/pfsense.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|pfsense
|7|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/opensuse-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|openSUSE
|8|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/alpine-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Alpine Linux (with curl)
|9|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/base-archlinux.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Archlinux
|10|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/fedora-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|fedora
|11|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/kalilinux-kali-linux-docker.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Kali Linux
|12|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/oraclelinux-latest.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|Oracle Linux
|13|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/proxmox.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)| Proxmox https://pve.proxmox.com/wiki/HTTPSCertificateConfiguration#Let.27s_Encrypt_using_acme.sh
2016-04-24 05:57:50 +00:00
|14|-----| Cloud Linux https://github.com/Neilpang/le/issues/111
|15|[![](https://cdn.rawgit.com/Neilpang/letest/master/status/openbsd.svg)](https://github.com/Neilpang/letest#here-are-the-latest-status)|OpenBSD
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
For all build statuses, check our [daily build project ](https://github.com/Neilpang/acmetest ):
2015-12-26 13:44:39 +00:00
2016-04-14 13:44:26 +00:00
https://github.com/Neilpang/acmetest
2016-03-11 13:57:05 +00:00
2016-04-15 10:50:40 +00:00
# Supported Mode
2016-01-10 02:59:51 +00:00
1. Webroot mode
2. Standalone mode
3. Apache mode
2016-01-21 16:17:20 +00:00
4. Dns mode
2016-01-10 02:59:51 +00:00
2016-04-14 13:44:26 +00:00
# Upgrade from 1.x to 2.x
2016-04-15 10:50:40 +00:00
2016-04-10 04:54:01 +00:00
You can simply uninstall 1.x and re-install 2.x.
2016-04-15 10:50:40 +00:00
2.x is 100% compatible to 1.x. You will feel right at home as if nothing has changed.
2016-04-10 04:54:01 +00:00
2016-04-14 13:44:26 +00:00
# le.sh renamed to acme.sh NOW!
2016-04-15 10:50:40 +00:00
All configurations are 100% compatible between `le.sh` and `acme.sh` . You just need to uninstall `le.sh` and re-install `acme.sh` again.
Nothing will be broken during the process.
# How to install
2015-12-26 13:44:39 +00:00
2016-04-13 15:36:32 +00:00
### 1. Install online:
2015-12-26 13:44:39 +00:00
2016-04-24 10:50:09 +00:00
Check this project: https://github.com/Neilpang/get.acme.sh
2016-04-14 14:27:51 +00:00
2016-04-15 10:50:40 +00:00
```bash
2016-04-16 15:10:46 +00:00
curl https://get.acme.sh | sh
2016-03-27 12:43:32 +00:00
```
Or:
2016-04-15 10:50:40 +00:00
```bash
2016-04-16 15:10:46 +00:00
wget -O - https://get.acme.sh | sh
2016-03-27 12:43:32 +00:00
```
2016-04-13 15:36:32 +00:00
### 2. Or, Install from git:
2016-04-15 10:50:40 +00:00
2016-03-27 12:43:32 +00:00
Clone this project:
2016-04-15 10:50:40 +00:00
```bash
2016-04-14 13:44:26 +00:00
git clone https://github.com/Neilpang/acme.sh.git
2016-04-15 10:50:40 +00:00
cd ./acme.sh
2016-04-14 13:44:26 +00:00
./acme.sh --install
2015-12-26 13:44:39 +00:00
```
2016-03-27 12:43:32 +00:00
2016-04-15 10:50:40 +00:00
You `don't have to be root` then, although `it is recommended` .
2016-04-21 13:43:28 +00:00
Advanced Installation: https://github.com/Neilpang/acme.sh/wiki/How-to-install
2016-04-15 10:50:40 +00:00
The installer will perform 3 actions:
2016-01-23 15:04:42 +00:00
2016-04-15 10:50:40 +00:00
1. Create and copy `acme.sh` to your home dir (`$HOME`): `~/.acme.sh/` .
All certs will be placed in this folder.
2016-04-24 10:50:09 +00:00
2. Create alias for: `acme.sh=~/.acme.sh/acme.sh` .
2016-04-15 10:50:40 +00:00
3. Create everyday cron job to check and renew the cert if needed.
Cron entry example:
```bash
0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
```
2015-12-27 05:52:46 +00:00
2016-04-15 10:50:40 +00:00
After the installation, you must close current terminal and reopen again to make the alias take effect.
2015-12-27 05:52:46 +00:00
2016-03-10 05:47:35 +00:00
Ok, you are ready to issue cert now.
2015-12-26 13:44:39 +00:00
Show help message:
2016-04-15 10:50:40 +00:00
2015-12-26 13:44:39 +00:00
```
2016-04-14 13:44:26 +00:00
root@v1:~# acme.sh
https://github.com/Neilpang/acme.sh
2016-04-16 09:27:30 +00:00
v2.1.1
2016-04-14 13:44:26 +00:00
Usage: acme.sh command ...[parameters]....
2016-04-09 15:40:59 +00:00
Commands:
--help, -h Show this help message.
--version, -v Show version info.
2016-04-14 13:44:26 +00:00
--install Install acme.sh to your system.
--uninstall Uninstall acme.sh, and uninstall the cron job.
2016-04-09 15:40:59 +00:00
--issue Issue a cert.
--installcert Install the issued cert to apache/nginx or any other server.
--renew, -r Renew a cert.
--renewAll Renew all the certs
--revoke Revoke a cert.
--installcronjob Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
--uninstallcronjob Uninstall the cron job. The 'uninstall' command can do this automatically.
--cron Run cron job to renew all the certs.
--toPkcs Export the certificate and key to a pfx file.
--createAccountKey, -cak Create an account private key, professional use.
--createDomainKey, -cdk Create an domain private key, professional use.
--createCSR, -ccsr Create CSR , professional use.
Parameters:
--domain, -d domain.tld Specifies a domain, used to issue, renew or revoke etc.
--force, -f Used to force to install or force to renew a cert immediately.
--staging, --test Use staging server, just for test.
--debug Output debug info.
--webroot, -w /path/to/webroot Specifies the web root folder for web root mode.
--standalone Use standalone mode.
--apache Use apache mode.
--dns [dns-cf|dns-dp|dns-cx|/path/to/api/file] Use dns mode or dns api.
--keylength, -k [2048] Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
--accountkeylength, -ak [2048] Specifies the account key length.
These parameters are to install the cert to nginx/apache or anyother server after issue/renew a cert:
--certpath /path/to/real/cert/file After issue/renew, the cert will be copied to this path.
--keypath /path/to/real/key/file After issue/renew, the key will be copied to this path.
--capath /path/to/real/ca/file After issue/renew, the intermediate cert will be copied to this path.
--fullchainpath /path/to/fullchain/file After issue/renew, the fullchain cert will be copied to this path.
--reloadcmd "service nginx reload" After issue/renew, it's used to reload the server.
--accountconf Specifies a customized account config file.
2016-04-16 09:27:30 +00:00
--home Specifies the home dir for acme.sh .
2016-04-16 11:05:53 +00:00
--certhome Specifies the home dir to save all the certs, only valid for '--install' command.
2016-04-16 09:27:30 +00:00
--useragent Specifies the user agent string. it will be saved for future use too.
2016-04-16 09:56:45 +00:00
--accountemail Specifies the account email for registering, Only valid for the '--install' command.
2016-04-16 10:15:36 +00:00
--accountkey Specifies the account key path, Only valid for the '--install' command.
--days Specifies the days to renew the cert when using '--issue' command. The max value is 80 days.
2016-04-16 09:27:30 +00:00
2015-12-26 13:44:39 +00:00
```
# Just issue a cert:
2016-03-07 01:52:54 +00:00
2016-04-15 10:50:40 +00:00
**Example 1:** Single domain.
2016-03-07 01:52:54 +00:00
2016-04-15 10:50:40 +00:00
```bash
acme.sh --issue -d aa.com -w /home/wwwroot/aa.com
2015-12-26 13:44:39 +00:00
```
2016-04-15 10:50:40 +00:00
**Example 2:** Multiple domains in the same cert.
```bash
acme.sh --issue -d aa.com -d www.aa.com -d cp.aa.com -w /home/wwwroot/aa.com
2015-12-26 13:44:39 +00:00
```
2016-03-07 01:52:54 +00:00
2016-04-15 10:50:40 +00:00
The parameter `/home/wwwroot/aa.com` is the web root folder. You **MUST** have `write access` to this folder.
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
Second argument ** "aa.com"** is the main domain you want to issue cert for.
You must have at least a domain there.
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
You must point and bind all the domains to the same webroot dir: `/home/wwwroot/aa.com` .
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
Generate/issued certs will be placed in `~/.acme.sh/aa.com/`
2015-12-26 13:44:39 +00:00
2016-01-23 15:04:42 +00:00
The issued cert will be renewed every 80 days automatically.
2015-12-26 13:44:39 +00:00
2016-04-14 13:44:26 +00:00
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
2016-04-09 15:40:59 +00:00
2016-01-23 15:04:42 +00:00
# Install issued cert to apache/nginx etc.
2016-04-09 15:40:59 +00:00
2016-04-15 10:50:40 +00:00
After you issue a cert, you probably want to install the cert with your nginx/apache or other servers you may be using.
```bash
acme.sh --installcert -d aa.com \
2016-04-09 15:40:59 +00:00
--certpath /path/to/certfile/in/apache/nginx \
--keypath /path/to/keyfile/in/apache/nginx \
--capath /path/to/ca/certfile/apache/nginx \
--fullchainpath path/to/fullchain/certfile/apache/nginx \
--reloadcmd "service apache2|nginx reload"
2015-12-26 13:44:39 +00:00
```
2016-01-23 15:04:42 +00:00
2016-04-09 15:40:59 +00:00
Only the domain is required, all the other parameters are optional.
2016-01-23 15:04:42 +00:00
Install the issued cert/key to the production apache or nginx path.
2016-04-15 10:50:40 +00:00
The cert will be `renewed every 80 days by default` (which is configurable). Once the cert is renewed, the apache/nginx will be automatically reloaded by the command: `service apache2 reload` or `service nginx reload` .
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
# Use Standalone server to issue cert
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
**(requires you be root/sudoer, or you have permission to listen tcp 80 port)**
2016-01-05 13:59:27 +00:00
2016-04-15 10:50:40 +00:00
Same usage as above, just give `no` as `--webroot` or `-w` .
The tcp `80` port **MUST** be free to listen, otherwise you will be prompted to free the `80` port and try again.
```bash
acme.sh --issue --standalone -d aa.com -d www.aa.com -d cp.aa.com
2016-01-05 13:59:27 +00:00
```
2016-04-14 13:44:26 +00:00
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
2016-04-09 15:40:59 +00:00
2016-04-15 10:50:40 +00:00
# Use Apache mode
**(requires you be root/sudoer, since it is required to interact with apache server)**
If you are running a web server, apache or nginx, it is recommended to use the `Webroot mode` .
2016-04-09 15:40:59 +00:00
2016-04-15 10:50:40 +00:00
Particularly, if you are running an apache server, you should use apache mode instead. This mode doesn't write any files to your web root folder.
2016-01-10 02:59:51 +00:00
2016-04-15 10:50:40 +00:00
Just set string "apache" as the second argument, it will force use of apache plugin automatically.
2016-01-10 02:59:51 +00:00
```
2016-04-15 10:50:40 +00:00
acme.sh --issue --apache -d aa.com -d www.aa.com -d user.aa.com
2016-01-10 02:59:51 +00:00
```
2016-04-09 15:40:59 +00:00
2016-04-14 13:44:26 +00:00
More examples: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
2016-01-10 02:59:51 +00:00
2016-01-21 16:16:43 +00:00
# Use DNS mode:
2016-04-15 10:50:40 +00:00
Support the `dns-01` challenge.
```bash
acme.sh --issue --dns -d aa.com -d www.aa.com -d user.aa.com
2016-01-21 16:16:43 +00:00
```
2016-04-15 10:50:40 +00:00
You should get the output like below:
2016-01-21 16:16:43 +00:00
```
Add the following txt record:
Domain:_acme-challenge.aa.com
Txt value:9ihDbjYfTExAYeDs4DBUeuTo18KBzwvTEjUnSwd32-c
Add the following txt record:
Domain:_acme-challenge.www.aa.com
Txt value:9ihDbjxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please add those txt records to the domains. Waiting for the dns to take effect.
```
2016-04-15 10:50:40 +00:00
Then just rerun with `renew` argument:
```bash
acme.sh --renew -d aa.com
2016-01-21 16:16:43 +00:00
```
Ok, it's finished.
2016-04-15 10:50:40 +00:00
# Automatic DNS API integration
2016-01-21 16:16:43 +00:00
2016-04-15 10:50:40 +00:00
If your DNS provider supports API access, we can use API to automatically issue the certs.
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
You don't have do anything manually!
2016-01-30 15:15:30 +00:00
2016-04-15 10:50:40 +00:00
### Currently acme.sh supports:
2016-02-07 10:37:04 +00:00
2016-04-15 10:50:40 +00:00
1. Cloudflare.com API
2. Dnspod.cn API
3. Cloudxns.com API
2016-04-14 13:44:26 +00:00
4. AWS Route 53, see: https://github.com/Neilpang/acme.sh/issues/65
2016-01-30 15:15:30 +00:00
2016-04-15 10:50:40 +00:00
##### More APIs are coming soon...
2016-01-30 15:15:30 +00:00
2016-04-15 10:50:40 +00:00
If your DNS provider is not on the supported list above, you can write your own script API easily. If you do please consider submitting a [Pull Request ](https://github.com/Neilpang/acme.sh/pulls ) and contribute to the project.
2016-01-30 15:15:30 +00:00
2016-02-07 10:37:04 +00:00
For more details: [How to use dns api ](dnsapi )
2016-01-30 15:15:30 +00:00
2016-02-12 09:56:50 +00:00
# Issue ECC certificate:
2016-04-15 10:50:40 +00:00
`Let's Encrypt` now can issue **ECDSA** certificates.
2016-02-12 09:56:50 +00:00
And we also support it.
2016-03-02 14:53:07 +00:00
Just set the `length` parameter with a prefix `ec-` .
2016-04-15 10:50:40 +00:00
2016-02-12 09:56:50 +00:00
For example:
2016-03-10 06:17:47 +00:00
2016-04-15 10:50:40 +00:00
### Single domain ECC cerfiticate:
2016-03-10 06:17:47 +00:00
2016-04-15 10:50:40 +00:00
```bash
acme.sh --issue -w /home/wwwroot/aa.com -d aa.com --keylength ec-256
2016-02-12 09:56:50 +00:00
```
2016-04-15 10:50:40 +00:00
SAN multi domain ECC certificate:
```bash
acme.sh --issue -w /home/wwwroot/aa.com -d aa.com -d www.aa.com --keylength ec-256
2016-03-10 06:17:47 +00:00
```
2016-02-12 09:56:50 +00:00
Please look at the last parameter above.
Valid values are:
2016-04-15 10:50:40 +00:00
1. **ec-256 (prime256v1, "ECDSA P-256")**
2. **ec-384 (secp384r1, "ECDSA P-384")**
3. **ec-521 (secp521r1, "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
2016-02-12 09:56:50 +00:00
2016-04-15 10:50:40 +00:00
# Under the Hood
2015-12-26 13:44:39 +00:00
2016-04-16 15:10:46 +00:00
Speak ACME language using shell, directly to "Let's Encrypt".
2015-12-26 13:44:39 +00:00
TODO:
2016-04-15 10:50:40 +00:00
# Acknowledgment
2016-01-11 05:23:02 +00:00
1. Acme-tiny: https://github.com/diafygi/acme-tiny
2. ACME protocol: https://github.com/ietf-wg-acme/acme
3. letsencrypt: https://github.com/letsencrypt/letsencrypt
2016-04-15 10:50:40 +00:00
# License & Other
2015-12-26 13:44:39 +00:00
License is GPLv3
2015-12-26 13:47:28 +00:00
Please Star and Fork me.
2015-12-26 13:44:39 +00:00
2016-04-15 10:50:40 +00:00
[Issues ](https://github.com/Neilpang/acme.sh/issues ) and [pull requests ](https://github.com/Neilpang/acme.sh/pulls ) are welcomed.
2015-12-26 13:44:39 +00:00