acme.sh

Let's Encrypt certificate

  • Create a DNS A record (and an AAAA record if the host has IPv6) for mail.domain.com pointing at this server's public address. The CA fetches the HTTP-01 challenge from that name over port 80, so the record must resolve publicly before issuing.

  • Allow incoming requests on the firewall. Standalone mode answers the HTTP-01 challenge on port 80, so http is what issuance actually needs; https is opened alongside it.

    sudo firewall-cmd --zone=public --permanent --add-service=http
    sudo firewall-cmd --zone=public --permanent --add-service=https
    sudo firewall-cmd --reload
    
  • Install tar and socat, which acme.sh requires (socat provides the temporary standalone listener); vim is only for editing the crontab later.

    sudo dnf install vim tar socat -y
    
  • Install acme.sh. The e-mail address is registered with the CA account and receives expiry notices. Note that this pipes a remote script straight into a shell; on a production mail host, download it to a file and read it before running it.

    curl https://get.acme.sh | sh -s email=my@example.com
    
  • Create an alias for the acme.sh command so it can be run without its full path. The installer already appends an equivalent alias to the installing user's ~/.bashrc (via ~/.acme.sh/acme.sh.env); this step makes it explicit. The path assumes acme.sh was installed as root, and since RHEL-family shells do not read ~/.bash_aliases automatically, it is sourced by hand here.

    echo 'alias acme.sh="/root/.acme.sh/acme.sh"' >> ~/.bash_aliases
    source ~/.bash_aliases
    
  • Create separate folders for staging and live certificates, so a staging chain can never be picked up by the mail server by mistake.

    mkdir -p /etc/pki/tls/certs/staging
    mkdir -p /etc/pki/tls/certs/live
    
  • Issue a staging certificate first. The staging environment has generous rate limits and its certificates are not trusted by clients, so it is the place to prove that DNS, the firewall and the standalone listener work before spending production rate limits. Port 80 must be free on the host (no web server listening) because --standalone binds it for the duration of the challenge:

    acme.sh --issue -d "mail.domain.com" --cert-home /etc/pki/tls/certs/staging --standalone --debug --staging
    
  • Issue a live certificate once staging succeeds (--debug can be dropped). Two caveats for acme.sh 3.0 and later: the default CA is ZeroSSL, so add --server letsencrypt (or run acme.sh --set-default-ca --server letsencrypt once) if you specifically want a Let's Encrypt certificate, and the default key type is ec-256, so the files land in /etc/pki/tls/certs/live/mail.domain.com_ecc/ rather than .../mail.domain.com/ unless an RSA --keylength is given.

    acme.sh --issue -d "mail.domain.com" --cert-home /etc/pki/tls/certs/live --standalone --debug
    
  • Adjust the renewal cron job. The installer added a daily acme.sh --cron entry that only knows the default --home; because the certificates were written to a custom --cert-home, the job must be told where they are or it silently finds nothing to renew. Edit the crontab:

    EDITOR=vim crontab -e
    
  • Replace the installer's line with the following (keep the random minute and hour the installer picked; they spread renewal load across CA clients). Renewal reuses the challenge mode recorded at issuance, so --standalone is redundant but harmless, and port 80 must still be free when the job runs. To make the mail daemon reload the renewed files, register a reload command once with acme.sh --install-cert ... --reloadcmd; --cron then executes it after each successful renewal.

    11 16 * * * /root/.acme.sh/acme.sh --cron --home /root/.acme.sh --cert-home /etc/pki/tls/certs/live --standalone > /dev/null
    
  • Don't forget that clients (mail user agents and other MTAs) must trust the Let's Encrypt chain. Current OS and browser trust stores ship ISRG Root X1, but older or minimal client systems may need the root PEM from https://letsencrypt.org/certificates/ added to their trust store. Never add the staging roots to a production trust store.
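The steps above issue and renew the certificate but never check what actually landed on disk. The script below is an added example, not part of acme.sh or of the original page: it verifies that the certificate in a given acme.sh certificate directory is not a staging certificate, carries mail.domain.com as a subjectAltName, matches its private key, and will not expire before the next cron run. It assumes the acme.sh file layout inside --cert-home (DOMAIN.key and fullchain.cer in a per-domain directory, which for the default ec-256 key is named mail.domain.com_ecc) and requires the openssl command-line tool.

```shell
#!/bin/sh
# check_acme_cert.sh - post-issuance sanity checks for a certificate that
# acme.sh wrote into a custom --cert-home. Added example; not acme.sh code.
# Assumed layout (acme.sh default inside CERT_HOME):
#   <cert-dir>/<domain>.key    private key
#   <cert-dir>/fullchain.cer   leaf certificate followed by intermediates
set -eu

# Print the issuer DN of the first certificate in FILE.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Succeed if FILE was issued by the Let's Encrypt staging environment.
# Staging issuer names carry "(STAGING)"; such a chain must never be
# handed to a production mail daemon.
cert_is_staging() {
    cert_issuer "$1" | grep -q 'STAGING'
}

# Succeed if FILE lists NAME as a DNS subjectAltName. Clients match SANs,
# not the CN, so this is the field that matters.
cert_has_san() {
    san=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "DNS:${san}(,|\$)"
}

# Succeed if FILE stays valid for at least DAYS more days. -checkend is
# portable and avoids parsing the notAfter date string by hand.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed if the public key inside CERT matches private key KEY. Hashing
# the DER SubjectPublicKeyInfo works the same for RSA and EC keys.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Run every check for DOMAIN in CERT_DIR; fail on the first problem.
check_live_cert() {
    dir=$1; domain=$2
    cert="$dir/fullchain.cer"; key="$dir/$domain.key"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 1; }
    if cert_is_staging "$cert"; then
        echo "$cert is a STAGING certificate" >&2; return 1
    fi
    cert_has_san "$cert" "$domain" || { echo "no SAN for $domain" >&2; return 1; }
    cert_matches_key "$cert" "$key" || { echo "certificate does not match $key" >&2; return 1; }
    # acme.sh renews 60 days after issuance; less than 20 days left means
    # the cron job has been failing for a while.
    cert_valid_for_days "$cert" 20 || { echo "expires in under 20 days; check the renewal cron" >&2; return 1; }
    echo "OK: $cert issued by $(cert_issuer "$cert")"
}

# Usage: ./check_acme_cert.sh /etc/pki/tls/certs/live/mail.domain.com_ecc mail.domain.com
if [ $# -eq 2 ]; then
    check_live_cert "$1" "$2"
fi
```

Run it against the staging directory first: it should fail with the STAGING message, which proves the check itself works before it is pointed at the live directory.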