DEV Community

Siswoyo Siswoyo

Implementing SSL with acme.sh on Ubuntu

This guide explains how to install and configure acme.sh for SSL certificate management using Let's Encrypt, integrate it with Nginx, set up automatic renewal with cron, and perform manual renewal if needed.


1️⃣ Install acme.sh

acme.sh is a pure shell script for managing SSL certificates.

curl https://get.acme.sh | sh 

Add it to your shell environment:

source ~/.bashrc 

Verify installation:

acme.sh --version 

2️⃣ Issue an SSL Certificate

Using Webroot Mode (Recommended for Nginx)

Replace yourdomain.com with your actual domain:

acme.sh --issue -d yourdomain.com -d www.yourdomain.com -w /var/www/html 

Certificates are stored in:

~/.acme.sh/yourdomain.com/ 

3️⃣ Install the Certificate to Nginx

sudo mkdir -p /etc/nginx/ssl/yourdomain.com
acme.sh --install-cert -d yourdomain.com \
  --key-file /etc/nginx/ssl/yourdomain.com/key.pem \
  --fullchain-file /etc/nginx/ssl/yourdomain.com/fullchain.pem \
  --reloadcmd "systemctl reload nginx"

4️⃣ Configure Nginx to Use SSL

Edit your Nginx config file (e.g., /etc/nginx/sites-available/yourdomain.conf):

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;

    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    ssl_certificate     /etc/nginx/ssl/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.com/key.pem;

    location / {
        root /var/www/html;
        index index.html;
    }
}

Test and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx

5️⃣ Set Up Auto-Renewal with crontab

acme.sh usually sets this up automatically. Check:

crontab -l 

Expected output:

0 0 * * * "~/.acme.sh"/acme.sh --cron --home "~/.acme.sh" > /dev/null 

If not present, add manually:

crontab -e 

Insert:

0 0 * * * ~/.acme.sh/acme.sh --cron --home ~/.acme.sh > /dev/null 

6️⃣ Manually Renew Certificates

Renew a Single Domain

Force renewal before expiration:

acme.sh --renew -d yourdomain.com --force 

Reload Nginx:

sudo systemctl reload nginx 

Renew All Certificates

To renew all certificates managed by acme.sh at once:

acme.sh --renew-all --force 

Reload Nginx after renewal:

sudo systemctl reload nginx 

7️⃣ Useful Commands

  • List all issued certificates:
    acme.sh --list
  • Revoke a certificate:
    acme.sh --revoke -d yourdomain.com
  • Remove a certificate from acme.sh:
    acme.sh --remove -d yourdomain.com

8️⃣ Troubleshooting

  • Open required ports:
    sudo ufw allow 80
    sudo ufw allow 443
  • Check Nginx logs:
    sudo tail -f /var/log/nginx/error.log
  • Verify DNS points to your server.

✅ With this setup, SSL will be automatically renewed via cron, integrated with Nginx, and can be manually renewed anytime — either for one domain or all at once.
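
To confirm that installation and renewal actually left Nginx with a usable certificate, the script below audits the files deployed in step 3. It is an added example, not part of the original post or of acme.sh; the function names, finding labels and the 30-day threshold are assumptions, and the file names follow the --install-cert command above.

```shell
#!/bin/sh
# Added example (not from the original post): audit what `acme.sh --install-cert`
# deployed for Nginx. Assumes the openssl CLI and GNU stat (stock on Ubuntu).
# Usage: sudo sh audit-cert.sh /etc/nginx/ssl/yourdomain.com [min_days_left]
# Run it as a user that can read key.pem, otherwise the key check fails.

# True when the private key grants no access to group or other (e.g. 600).
key_perms_ok() {
    kp_mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$kp_mode & 077 )) -eq 0 ]
}

# True when the key's public half equals the public key of the first
# certificate in the file (the leaf, in a fullchain.pem).
key_matches_cert() {
    km_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    km_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$km_cert" ] && [ "$km_cert" = "$km_key" ]
}

# True when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints one line per finding; returns 0 only when there are none.
# The 30-day default threshold is an assumed value, adjust to taste.
audit_cert_dir() {
    ac_dir=$1; ac_days=${2:-30}; ac_rc=0
    ac_cert=$ac_dir/fullchain.pem; ac_key=$ac_dir/key.pem
    for ac_f in "$ac_cert" "$ac_key"; do
        [ -f "$ac_f" ] || { echo "MISSING $ac_f"; ac_rc=1; }
    done
    [ "$ac_rc" -eq 0 ] || return 1
    key_perms_ok "$ac_key" ||
        { echo "KEY_PERMS $ac_key is accessible to group/other"; ac_rc=1; }
    key_matches_cert "$ac_cert" "$ac_key" ||
        { echo "KEY_MISMATCH $ac_key does not belong to $ac_cert"; ac_rc=1; }
    cert_valid_for_days "$ac_cert" "$ac_days" ||
        { echo "EXPIRING $ac_cert is not valid for another $ac_days days"; ac_rc=1; }
    return "$ac_rc"
}

# Only audit when a directory is given, so the file can also be sourced.
if [ "$#" -ge 1 ]; then audit_cert_dir "$@"; fi
```

Scheduling it after the acme.sh cron job and alerting on a non-zero exit surfaces a renewal that failed silently.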
