« Previous 1 2
Obtain certificates with acme.sh
Simply Certified
Obtaining a Certificate with acme.sh
The Certbot client [4] is well documented on the Internet, so I will instead look at the easiest way to get a certificate from an ACME server by introducing the acme.sh
shell script tool [5]. Unlike Certbot, it has only a few dependencies on other software packages. Nevertheless, it is almost identical in terms of functionality.
Instead of using the tool with the Let's Encrypt certification authority, you can of course use any other ACME-compliant server. For example, Dogtag [6] or the FreeIPA [6] identity management framework supports the ACME protocol. In these cases, however, you must make sure that you explicitly designate the ACME server with the --server
option.
To begin, either download the ACME client from the official GitHub site [5], or simply install it with:
curl https://get.acme.sh | sh -s email=user@example.com
The configuration is already set up in ~/.acme.sh/
. To start a registration for your account on the ACME server, call the tool and create the certificate request:
acme.sh --register-account acme.sh --issue --standalone -d www.example.com
The socat
tool starts a simple web server on port 80, through which the ACME server can communicate with the client. If everything works, you will be able to view the details of the certificate you just issued with openssl
(Listing 1).
Listing 1
Viewing Certificate
openssl x509 -in /home/tscherf/.acme.sh/www.example.com/www.example.com.cer -noout -issuer -subject -dates -serial issuer= /C=US/O=Let's Encrypt/CN=R3 subject= /CN=www.example.com notBefore=Feb 21 13:00:28 2021 GMT notAfter=May 22 13:00:28 2021 GMT serial=03B46ADF0F26B94C19443669ABD0C5100356
In the next step, you only have to include the complete certificate chain in the desired service. To use the tool with other challenge types or in more complex setups, as always, I recommend taking a look at the software documentation [5].
Conclusion
The ACME protocol is becoming increasingly popular. A whole range of products now use it, helping to spread the use of X.509 even further. The acme.sh
shell script is a very lightweight ACME client that compares well with better known clients such as Certbot.
Infos
- Let's Encrypt project: https://letsencrypt.org
- ACME RFC8555: https://datatracker.ietf.org/doc/html/rfc8555
- ACME extension RFC8737: https://datatracker.ietf.org/doc/html/rfc8737
- ACME Certbot client: https://certbot.eff.org
- ACME shell script: https://github.com/acmesh-official/acme.sh
- Dogtag ACME Responder: https://github.com/dogtagpki/pki/wiki/ACME-Responde
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.