acme.sh
Let's Encrypt certificate
-
Create a DNS A record for mail.domain.com pointing at this host (standalone mode needs the name to resolve to the server on which acme.sh runs).
-
Allow incoming HTTP and HTTPS requests on the firewall (standalone mode answers the HTTP-01 challenge on port 80):
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --reload
-
Install tar and socat, which acme.sh requires (vim is only needed for editing the crontab later):
sudo dnf install vim tar socat -y
-
Install acme.sh, passing the account e-mail address to the installer:
curl https://get.acme.sh | sh -s email=my@example.com
-
Create an alias for the acme.sh command so we can run acme.sh directly without specifying its full path:
echo 'alias acme.sh="/root/.acme.sh/acme.sh"' >> ~/.bash_aliases
source ~/.bash_aliases
-
Create folders to store the generated certificates:
mkdir -p /etc/pki/tls/certs/staging
mkdir -p /etc/pki/tls/certs/live
-
Issue a staging certificate first, to check the setup against the Let's Encrypt staging environment (much higher rate limits, but its certificates are not trusted by clients):
acme.sh --issue -d "mail.domain.com" --cert-home /etc/pki/tls/certs/staging --standalone --debug --staging
-
Once the staging run succeeds, issue the live certificate:
acme.sh --issue -d "mail.domain.com" --cert-home /etc/pki/tls/certs/live --standalone --debug
-
Check the renewal cron job the installer added, so that future renewals use the same options as the issue command:
EDITOR=vim crontab -e
-
Replace the installed cron line with the following (runs daily at 16:11; --cert-home and --standalone must match the issue command, otherwise the renewal looks in the default /root/.acme.sh location):
11 16 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh --cert-home /etc/pki/tls/certs/live --standalone > /dev/null
-
Don't forget that on the client side you may need to check that the Let's Encrypt CA certificates are trusted. The CA certificates can be downloaded as PEM files from https://letsencrypt.org/certificates/
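After issuing the live certificate and before relying on the cron renewal, it is worth checking what actually landed in the cert folder: that the files are the live ones and not a leftover staging certificate, that the name is covered, that key and certificate belong together, and that the chain verifies against the system trust store (the same check a client performs). The script below is an added example, not part of these notes or of the acme.sh project. It assumes the acme.sh file layout (<cert-home>/<domain>/ for RSA keys, <cert-home>/<domain>_ecc/ for ECC keys, containing <domain>.cer, <domain>.key and fullchain.cer), OpenSSL 1.1.1 or newer and GNU date; CERT_HOME and DOMAIN default to the paths and placeholder name used above.

```shell
#!/bin/sh
# Added post-issuance check for certificates issued with acme.sh (example code,
# not from the original notes or from acme.sh).
# Assumes: acme.sh layout <cert-home>/<domain>[_ecc]/{<domain>.cer,<domain>.key,fullchain.cer},
# OpenSSL >= 1.1.1 (for "x509 -ext") and GNU date (for "date -ud").
set -u

CERT_HOME="${CERT_HOME:-/etc/pki/tls/certs/live}"   # assumed, matches the notes above
DOMAIN="${DOMAIN:-mail.domain.com}"                  # placeholder name from the notes

# Directory acme.sh used for this domain (ECC certificates get an _ecc suffix).
cert_dir() {
  home="$1"; domain="$2"
  if [ -d "$home/${domain}_ecc" ]; then printf '%s\n' "$home/${domain}_ecc"
  else printf '%s\n' "$home/$domain"; fi
}

# Return 0 if an issuer DN comes from the Let's Encrypt staging CA.
# Staging issuers carry "(STAGING)" in their names; production issuers do not.
is_staging_issuer() {
  case "$1" in *STAGING*) return 0 ;; *) return 1 ;; esac
}

# Whole days from a reference epoch to an openssl-style notAfter string such as
# "Jun 10 12:00:00 2030 GMT"; negative once the certificate has expired.
days_until() {
  now_epoch="$1"; not_after="$2"
  exp_epoch=$(date -ud "$not_after" +%s) || return 1
  echo $(( (exp_epoch - now_epoch) / 86400 ))
}

# Return 0 if the domain appears as a DNS SAN. Input is the text printed by
# "openssl x509 -ext subjectAltName" (entries are comma separated).
san_covers() {
  san_text="$1"; domain="$2"
  printf '%s\n' "$san_text" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$domain"
}

check_cert() {
  dir=$(cert_dir "$CERT_HOME" "$DOMAIN")
  cert="$dir/$DOMAIN.cer"; key="$dir/$DOMAIN.key"; chain="$dir/fullchain.cer"
  [ -r "$cert" ] && [ -r "$key" ] && [ -r "$chain" ] || { echo "missing files in $dir"; return 1; }

  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  if is_staging_issuer "$issuer"; then
    echo "WARNING: $cert was issued by the staging CA and clients will not trust it: $issuer"
    return 1
  fi

  not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  days=$(days_until "$(date +%s)" "$not_after")
  # acme.sh renews at 60 days by default; fewer than 30 left means the cron job is not working.
  [ "$days" -gt 30 ] || echo "WARNING: $DOMAIN expires in $days days; check the renewal cron"

  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName)
  san_covers "$san" "$DOMAIN" || { echo "ERROR: $DOMAIN is not among the SANs"; return 1; }

  # Key and certificate must carry the same public key: compare digests of the SPKI.
  cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_spki=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_spki" = "$key_spki" ] || { echo "ERROR: private key does not match certificate"; return 1; }

  # The chain must verify against the system trust store, which is what clients do.
  openssl verify -untrusted "$chain" "$cert" >/dev/null \
    || { echo "ERROR: chain does not verify against the system trust store"; return 1; }
  echo "OK: $DOMAIN valid for $days more days, issuer: $issuer"
}

# Usage: sh check-cert.sh check   (or CERT_HOME=... DOMAIN=... sh check-cert.sh check)
case "${1:-}" in check) check_cert ;; esac
```

Running it against the staging folder (CERT_HOME=/etc/pki/tls/certs/staging) should report the staging warning; against the live folder it should print the OK line. The trust-store check is the server-side counterpart of the client check mentioned above: if openssl verify fails here because the Let's Encrypt roots are missing from the system store, clients on the same distribution will fail in the same way.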