What is Let’s Encrypt

Let’s Encrypt is a non-profit organization that has to keep its costs down, so it did something creative: it designed the ACME protocol, which is currently at version v2.

Why create the ACME protocol? Traditional CAs handle certificate applications, renewals and revocations manually. The ACME protocol standardizes these processes (application, renewal, revocation, etc.), so any client that implements the protocol can obtain certificates from Let’s Encrypt, which means the Let’s Encrypt CA is completely automated.

Anyone can implement a client based on the ACME protocol, and the officially recommended client is Certbot. In this blog post, I’m using acme.sh (ACME Shell script).

What is a Wildcard Certificate

Before wildcard certificates appeared, Let’s Encrypt supported two types of certificates.

  • Single domain certificate: The certificate only includes one host.
  • SAN certificate: One certificate can include multiple hosts, meaning the certificate can contain hosts like: www.betterde.com, george.betterde.com, *.betterde.com, etc.

Methods to Verify Domain Ownership

Currently, Let’s Encrypt supports three verification methods:

  • dns-01: Add a DNS TXT record to the domain;
  • http-01: Place a resource file at a well-known HTTP URL on the web server that serves the domain;
  • tls-sni-01: Place a resource file at a well-known HTTPS URL on the web server that serves the domain.

About ACME Shell script

acme.sh is an open-source project that implements the ACME protocol in shell script, with the following features:

  • Supports ACME v1
  • Supports ACME v2
  • Supports wildcard certificate applications
  • Simple to use
  • Supports IPv6
  • Supports automatic certificate renewal via Cron
  • Supports multiple CA authorities
  • Supports multiple domain ownership verification methods: Webroot, Standalone, Standalone tls-alpn, Apache, Nginx, DNS, DNS alias, and Stateless

Using ACME Shell script

Installation

curl https://get.acme.sh | sh

During installation, the script will perform the following operations:

  1. Create a .acme.sh directory in the current user’s $HOME directory
  2. Create a command alias acme.sh=~/.acme.sh/acme.sh
  3. Create a cron job for checking and renewing certificates:
     0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

Domain Ownership Verification Method

This article uses Alibaba Cloud DNS. For full automation, you first need to obtain the Key and Secret from the Alibaba Cloud console. For other methods, please refer to the acme.sh project documentation on GitHub.

After obtaining the Key and Secret, execute in the command line:

export Ali_Key="Copy your Key here"
export Ali_Secret="Copy your Secret here"

When you execute acme.sh, it will automatically save this information to the ~/.acme.sh/account.conf file for use during the next automatic renewal.

Apply for a Wildcard Certificate

acme.sh --issue --dns dns_ali -d example.com -d *.example.com

  • dns_ali is the DNS provider name; refer to the official documentation for the name of your provider;
  • The first domain is the main domain you want the certificate for, such as betterde.com;
  • The second is the wildcard domain, such as *.betterde.com.

This method automatically adds a TXT record to your domain for verification. After successful verification the record is deleted, so the process is seamless for you, but you will need to wait about 120 seconds for the DNS record to propagate. After the certificate is successfully generated, it is saved by default under ~/.acme.sh/ in a directory named after your main domain.

After execution, a directory corresponding to the domain will be generated under the ~/.acme.sh/ directory, with the following structure:

.
├── backup              # When generating a new certificate, the old certificate is backed up to this directory
│   ├── fullchain.bak
│   └── key.bak
├── example.com.cer
├── example.com.conf    # Domain configuration file, which saves the certificate's validity date, verification method, etc.
├── example.com.csr
├── example.com.csr.conf
├── example.com.key
├── ca.cer
└── fullchain.cer

Deploy Certificate

acme.sh --install-cert -d example.com \
--key-file /path/to/keyfile/in/nginx/key.pem \
--fullchain-file /path/to/fullchain/nginx/cert.pem \
--reloadcmd "service nginx reload"

The above command deploys the certificate files to the specified paths and at the same time writes the configuration to the ~/.acme.sh/DOMAIN/DOMAIN.conf file so that the certificate can be redeployed on renewal. The reloadcmd tells the HTTP server to reload its configuration file and certificate; define it according to your own HTTP server.
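Because the renewal cron job works entirely from the conf files acme.sh writes (the DNS API secret in account.conf, the domains, next-renewal time and reload command in DOMAIN.conf), it is worth checking those files before trusting the automation. The script below is an added example, not part of acme.sh; it uses the key names acme.sh writes (Le_Domain, Le_Alt, Le_NextRenewTime, Le_ReloadCmd) but all values are constructed, and it assumes a POSIX sh with sed, tr, ls and mktemp.

```shell
#!/bin/sh
# Added example: inspect an acme.sh DOMAIN.conf and answer three operational questions.

# Write a constructed sample DOMAIN.conf (values are made up) and print its path.
write_sample_conf() {
  f=$(mktemp) || return 1
  cat >"$f" <<'EOF'
Le_Domain='example.com'
Le_Alt='*.example.com'
Le_Webroot='dns_ali'
Le_NextRenewTime='1705184000'
Le_RealFullChainPath='/etc/nginx/ssl/cert.pem'
Le_ReloadCmd='service nginx reload'
EOF
  chmod 600 "$f" && echo "$f"
}

# conf_get FILE KEY: print KEY's value with acme.sh's single quotes stripped.
conf_get() {
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# renewal_due FILE NOW_EPOCH: succeed when Le_NextRenewTime has been reached.
renewal_due() {
  next=$(conf_get "$1" Le_NextRenewTime)
  [ -n "$next" ] && [ "$next" -le "$2" ]
}

# covers_host FILE HOST: succeed when HOST is Le_Domain, an exact Le_Alt entry, or exactly
# one label below a '*.' entry (a wildcard covers neither the apex nor deeper subdomains).
covers_host() {
  host=$2
  [ "$host" = "$(conf_get "$1" Le_Domain)" ] && return 0
  for alt in $(conf_get "$1" Le_Alt | tr ',' ' '); do
    case "$alt" in
      \*.*)
        suffix=${alt#\*.}
        label=${host%.$suffix}        # strip ".suffix"; unchanged means no match
        if [ "$label" != "$host" ] && [ -n "$label" ]; then
          case "$label" in *.*) ;; *) return 0 ;; esac
        fi ;;
      *) [ "$host" = "$alt" ] && return 0 ;;
    esac
  done
  return 1
}

# private_perms FILE: succeed only if group and others have no access, which is what you
# want for account.conf (it holds Ali_Key/Ali_Secret) and for the deployed key file.
private_perms() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}
```

Run covers_host against each vhost you serve before pointing Nginx at the wildcard certificate: a host two labels deep (a.b.example.com) is not covered by *.example.com and will fail the TLS handshake.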

Completion

At this point, our certificate application is complete. In the next article, I will introduce how to configure HTTPS for Nginx.

I hope this is helpful, Happy hacking…