Objective: To acquire and install a wildcard SSL/TLS certificate from LetsEncrypt.org to a GNU/Linux system with automatic renewal enabled by using a registrar’s DNS API to prove the ownership of the domain. In this case I’m using the Gandi LiveDNS API but the instructions work with other DNS providers with APIs too that have acme.sh DNS plugins available.
Install acme.sh
- Followed the official acme.sh installation instructions at GitHub as follows
sudo su git clone https://github.com/Neilpang/acme.sh.git cd ./acme.sh ./acme.sh --install
Get API key from Gandi
Go to https://account.gandi.net/ and click on “security” and generate an API key and store it in a safe place and export it with
export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfkthiskeyisofcoursefake"
Generate the cert
Followed the official acme.sh DNS API instructions at GitHub.
Now use the staging environment (–test) for the certificate issuing. This will save you on the issuing limits of LetsEncrypt.org production platform.
acme.sh --issue --test --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld
Notice that this will fail on the first run but succeed on the second one.
Once the –test finishes successfully you can switch to the production environment by deleting the /root/.acme.sh/*.domain.tld-directory (it contains the staging server’s information and will be regenerated with the production server’s info on next run)
rm -rf /root/.acme.sh/*.domain.tld
Now run the issuing command twice (it will fail on the first run) just changing –test to –force
acme.sh --issue --force --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld
Install the certificate in some sensible place as the directory structure of /root/.acme.sh may change in the future.
Certificate deployment instructions for Apache at acme.sh GitHub
acme.sh --install-cert -d *.domain.tld -d domain.tld \ --cert-file /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.cer \ --key-file /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.key \ --fullchain-file /etc/apache2/acme.sh/*.domain.tld/fullchain.cer \ --reloadcmd "service apache2 force-reload"
Edit Apache configuration to take the SSL/TLS protected site into use
Create a VirtualHost-directive for the SSL/TLS protected site
<VirtualHost *:443> ... SSLEngine on SSLCertificateFile /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.cer SSLCertificateKeyFile /etc/apache2/acme.sh/*.domain.tld/*.domain.tld.key SSLCACertificateFile /etc/apache2/acme.sh/*.domain.tld/fullchain.cer </VirtualHost>
- Test the https-site by visiting it
- Also test the SSL/TLS configuration by running the awesome https://www.ssllabs.com/ssltest/
Once you are sure that the HTTPS site works redirect requests from the http-site to the HTTPS site with URL rewriting.
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
Enable forward secrecy in your Apache configuration
Enabling forward secrecy makes users of the site more secure. Instructions by SSLLabs research here at GitHub.
That’s it. The acme.sh installation added a cronjob to run it daily and it will renew the certificate automatically when it is nearing the end of it’s validity period.
UPDATE 2018-07-16: If you need to use more than one API Key do as follows. This usually occurs when you are hosting sites for many different registrants.
Export the API key if this is the first time you are using that key. If you have already created certificates with this API key the acme.sh will read it from the config file from the file /root/.acme.sh/yourconfigdirectory/account.conf
acme.sh --issue --config-home /root/.acme.sh/yourconfigdirectory --log --dns dns_gandi_livedns --log -d *.domain.tld -d domain.tld
First run will fail. Run it again.
Create the target directory for certificate installation.
mkdir /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld
Now install the certificate
./acme.sh --install-cert --config-home /root/.acme.sh/yourconfigdirectory -d *.domain.tld -d domain.tld \ --cert-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/\*.domain.tld.cer \ --key-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/\*.domain.tld.key \ --fullchain-file /etc/apache2/acme.sh/yourconfigdirectory/\*.domain.tld/fullchain.cer \ --reloadcmd "service apache2 force-reload"
Now you are ready to proceed to configure your website’s Apache configuration as described in the original instructions (scroll up).
If you have any improvement suggestions or would just like to say thanks you can use the contact form below.