This guide explains how to install and configure acme.sh for SSL certificate management using Let's Encrypt, integrate it with Nginx, set up automatic renewal with cron, and perform manual renewal if needed.
1️⃣ Install acme.sh
acme.sh is a pure shell script for managing SSL certificates.
curl https://get.acme.sh | sh
Add it to your shell environment:
source ~/.bashrc
Verify installation:
acme.sh --version
2️⃣ Issue an SSL Certificate
Using Webroot Mode (Recommended for Nginx)
Replace yourdomain.com with your actual domain:
acme.sh --issue -d yourdomain.com -d www.yourdomain.com -w /var/www/html
Certificates are stored in:
~/.acme.sh/yourdomain.com/
3️⃣ Install the Certificate to Nginx
sudo mkdir -p /etc/nginx/ssl/yourdomain.com
acme.sh --install-cert -d yourdomain.com \
--key-file       /etc/nginx/ssl/yourdomain.com/key.pem \
--fullchain-file /etc/nginx/ssl/yourdomain.com/fullchain.pem \
--reloadcmd     "systemctl reload nginx"
4️⃣ Configure Nginx to Use SSL
Edit your Nginx config file (e.g., /etc/nginx/sites-available/yourdomain.conf):
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    ssl_certificate     /etc/nginx/ssl/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/yourdomain.com/key.pem;
    location / {
        root /var/www/html;
        index index.html;
    }
}
Test and reload Nginx:
sudo nginx -t
sudo systemctl reload nginx
5️⃣ Set Up Auto-Renewal with crontab
acme.sh usually sets this up automatically. Check:
crontab -l
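Expected output (acme.sh writes the absolute path of its home directory in place of ~, and the minute and hour may differ):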
0 0 * * * "~/.acme.sh"/acme.sh --cron --home "~/.acme.sh" > /dev/null
If not present, add manually:
crontab -e
Insert:
0 0 * * * ~/.acme.sh/acme.sh --cron --home ~/.acme.sh > /dev/null
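Both cron lines discard acme.sh's standard output, so a renewal job that has stopped working is easy to miss. The script below is an added example, not part of acme.sh or of the original guide: it checks that an active acme.sh --cron job exists, that the installed certificate is still valid for a given number of days, and that the key file is closed to group and others. The function names and the 14-day default are assumptions.

```shell
#!/bin/sh
# Added example (not from acme.sh or the guide): audit that auto-renewal is
# in place. Function names and the 14-day default are assumptions.
# Usage: sh check-renewal.sh /etc/nginx/ssl/yourdomain.com/fullchain.pem \
#                            /etc/nginx/ssl/yourdomain.com/key.pem [days]

# Reads crontab text on stdin; succeeds if an uncommented line runs
# "acme.sh --cron".
has_acme_cron() {
    grep -v '^[[:space:]]*#' | grep -Eq 'acme\.sh"?[[:space:]]+--cron'
}

# cert_valid_for FILE DAYS: succeeds if FILE parses as a certificate that
# is still valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# key_is_private FILE: succeeds if group and others have no permission bits
# (characters 5-10 of the ls mode string are all "-").
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# audit_renewal CERT KEY [DAYS]: prints one WARN line per failed check and
# returns the number of failed checks (0 means everything passed).
audit_renewal() {
    problems=0
    days=${3:-14}
    if ! crontab -l 2>/dev/null | has_acme_cron; then
        echo "WARN: no active 'acme.sh --cron' job in this user's crontab"
        problems=$((problems + 1))
    fi
    if ! cert_valid_for "$1" "$days"; then
        echo "WARN: $1 is unreadable or expires within $days days"
        problems=$((problems + 1))
    fi
    if ! key_is_private "$2"; then
        echo "WARN: $2 is missing or accessible to group/others"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run the audit only when file arguments are given.
[ "$#" -eq 0 ] || audit_renewal "$@"
```

Run it as the same user that owns the acme.sh crontab, since crontab -l only lists that user's jobs.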
6️⃣ Manually Renew Certificates
Renew a Single Domain
Force renewal before expiration:
acme.sh --renew -d yourdomain.com --force
Reload Nginx:
sudo systemctl reload nginx
Renew All Certificates
To renew all certificates managed by acme.sh at once:
acme.sh --renew-all --force
Reload Nginx after renewal:
sudo systemctl reload nginx
7️⃣ Useful Commands
- List all issued certificates:
acme.sh --list
- Revoke a certificate:
acme.sh --revoke -d yourdomain.com
- Remove a certificate from acme.sh:
acme.sh --remove -d yourdomain.com
8️⃣ Troubleshooting
- Open required ports:
sudo ufw allow 80
sudo ufw allow 443
- Check Nginx logs:
sudo tail -f /var/log/nginx/error.log
- Verify DNS points to your server.
✅ With this setup, SSL will be automatically renewed via cron, integrated with Nginx, and can be manually renewed anytime — either for one domain or all at once.
 

 
    