# acme.sh TLS Certificates

## Install acme.sh

Add a separate user, acmeuser.

```bash
adduser --disabled-login acmeuser
```

Install acme.sh as the separate user acmeuser.

```bash
mkdir /etc/acmesh
chown acmeuser /etc/acmesh
sudo -su acmeuser

# Run these commands as user acmeuser
cd ~
git clone https://github.com/acmesh-official/acme.sh.git
cd acme.sh
./acme.sh --install \
  --home /etc/acmesh \
  --accountemail "hostmaster@domain.tld"
cd ~ && rm -r acme.sh
source ~/.bashrc
acme.sh --set-default-ca --server letsencrypt
```

## Set up DNS validation with knsupdate (Knot)

Specify the DNS server that hosts your zone and the TSIG key that is allowed to update the zone via dynamic updates.

```bash
apt install -y knot-dnsutils
export KNOT_SERVER="dns.domain.tld"
export KNOT_KEY=hmac-sha512:sub.domain.tld:SuperSecretKey==
```

## Issue a certificate

```bash
DOMAINLE=sub.domain.tld; acme.sh --issue -d $DOMAINLE --dns dns_knot --ecc -k ec-384
```

## Install a certificate

```bash
# --cert-file       Path to copy the cert file to after issue/renew.
# --key-file        Path to copy the key file to after issue/renew.
# --ca-file         Path to copy the intermediate cert file to after issue/renew.
# --fullchain-file  Path to copy the fullchain cert file to after issue/renew.
# --reloadcmd       Command to execute after issue/renew to reload the server.
DOMAINLE=sub.domain.tld
CERTPATH=/etc/ssl/private/$DOMAINLE
mkdir -p $CERTPATH
acme.sh --install-cert -d $DOMAINLE --ecc \
  --fullchain-file $CERTPATH/fullchain.pem \
  --key-file $CERTPATH/privkey.pem \
  --ca-file $CERTPATH/chain.pem \
  --reloadcmd "/usr/bin/systemctl reload nginx.service"
```

## Set up notifications

Follow the instructions for [gotify notifications](https://code.strobeto.de/strobeltobias/acme.sh-notify-hooks#set-notification-for-gotify-webhooks) first.

Enable notifications via mail (requires a local MTA configured for sending mail) and gotify.

```bash
acme.sh --set-notify \
  --notify-hook mail \
  --notify-hook gotify \
  --notify-level 2 \
  --notify-mode 0
```

## Set correct permissions

```bash
usermod -a -G www-data acmeuser
chown -R acmeuser:ssl-cert /etc/ssl/private
chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
chmod -R 750 /etc/ssl/private
find /etc/ssl/private/ -type f -print0 | xargs -0 chmod 0640
```
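As an added example (not part of the original notes), the mode hardening from the section above wrapped in a function, plus a check that can run after every `--install-cert` or renewal to confirm no private key under the certificate directory is readable by "other". It builds a throwaway directory with deliberately loose modes instead of touching /etc/ssl/private, and leaves out the `chown` steps because those require root.

```shell
#!/bin/sh
# Apply the page's mode hardening (dirs 750, files 0640) to a directory.
harden_private_dir() {
  dir="$1"
  chmod -R 750 "$dir"
  find "$dir" -type f -print0 | xargs -0 chmod 0640
}

# Return 0 when every directory is exactly 750 and every file exactly 0640;
# otherwise print the offending paths to stderr and return 1.
# Usable as a post-renew sanity check, e.g. from a cron job or the reloadcmd.
verify_private_dir() {
  dir="$1"
  bad=$(find "$dir" \( -type d ! -perm 750 \) -o \( -type f ! -perm 0640 \))
  if [ -n "$bad" ]; then
    printf 'insecure permissions under %s:\n%s\n' "$dir" "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed demo tree imitating /etc/ssl/private/sub.domain.tld after
# acme.sh --install-cert, with a world-readable key (a common mistake).
# The file contents are placeholders, not real key material.
make_demo_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/sub.domain.tld"
  printf 'PLACEHOLDER PRIVATE KEY\n' > "$tmp/sub.domain.tld/privkey.pem"
  printf 'PLACEHOLDER FULLCHAIN\n' > "$tmp/sub.domain.tld/fullchain.pem"
  chmod 755 "$tmp/sub.domain.tld"
  chmod 644 "$tmp/sub.domain.tld/privkey.pem"
  echo "$tmp"
}

# Stand-alone run: show the check failing, harden, show it passing.
if [ "${DEMO:-0}" = "1" ]; then
  d=$(make_demo_tree)
  verify_private_dir "$d" || echo "before hardening: FAIL (expected)"
  harden_private_dir "$d"
  verify_private_dir "$d" && echo "after hardening: OK"
  rm -rf "$d"
fi
```

Run with `DEMO=1 sh check-perms.sh` to see both outcomes; in production point `verify_private_dir` at /etc/ssl/private and alert on a non-zero exit.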