Obtain certificates with acme.sh

Simply Certified

Obtaining a Certificate with acme.sh

The Certbot client [4] is well documented on the Internet, so I will instead look at the easiest way to get a certificate from an ACME server by introducing the acme.sh shell script tool [5]. Unlike Certbot, it has only a few dependencies on other software packages. Nevertheless, it is almost identical in terms of functionality.

Instead of using the tool with the Let's Encrypt certification authority, you can of course use any other ACME-compliant server. For example, Dogtag [6] and the FreeIPA [6] identity management framework support the ACME protocol. In these cases, however, you must point the tool explicitly at the ACME server with the --server option.

To begin, either download the ACME client from the official GitHub site [5], or simply install it with:

curl https://get.acme.sh | sh -s email=user@example.com

The configuration is already set up in ~/.acme.sh/. To start a registration for your account on the ACME server, call the tool and create the certificate request:

acme.sh --register-account
acme.sh --issue --standalone -d www.example.com

In standalone mode, the socat tool starts a simple web server on port 80, through which the ACME server can communicate with the client during the challenge. If everything works, you will be able to view the details of the certificate you just issued with openssl (Listing 1).

Listing 1

Viewing Certificate

openssl x509 -in /home/tscherf/.acme.sh/www.example.com/www.example.com.cer -noout -issuer -subject -dates -serial
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=www.example.com
notBefore=Feb 21 13:00:28 2021 GMT
notAfter=May 22 13:00:28 2021 GMT
serial=03B46ADF0F26B94C19443669ABD0C5100356

In the next step, you only have to include the complete certificate chain in the desired service. To use the tool with other challenge types or in more complex setups, as always, I recommend taking a look at the software documentation [5].
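As an added example (not code from the article or the acme.sh project), the following POSIX shell wrapper ties the steps above together: it issues the certificate in standalone mode, installs the key and full chain into a service with acme.sh's --install-cert, and checks the remaining validity by parsing the openssl output shown in Listing 1. The domain, the destination paths and the reload command are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or the acme.sh project): wrap the article's
# standalone issuance in a script that also installs the certificate into a service
# and checks its remaining lifetime from the openssl output shown in Listing 1.
# DOMAIN, CERT_DIR and RELOAD_CMD are assumptions; adjust them for your system.
set -eu

DOMAIN="${DOMAIN:-www.example.com}"
ACME="${HOME}/.acme.sh/acme.sh"         # path installed by the curl | sh one-liner
CERT_DIR="/etc/ssl/${DOMAIN}"           # assumed destination the service reads from
RELOAD_CMD="systemctl reload nginx"     # assumed command to make the service reload

issue_and_install() {
    # Standalone mode: acme.sh answers the challenge itself (via socat) on port 80,
    # so that port must be free and reachable from the Internet while this runs.
    "$ACME" --issue --standalone -d "$DOMAIN"
    # Copy key and full chain to the service's paths and reload it. acme.sh stores
    # these settings and repeats the copy and reload after every automatic renewal.
    mkdir -p "$CERT_DIR"
    "$ACME" --install-cert -d "$DOMAIN" \
        --key-file       "$CERT_DIR/privkey.pem" \
        --fullchain-file "$CERT_DIR/fullchain.pem" \
        --reloadcmd      "$RELOAD_CMD"
}

# Read `openssl x509 -noout -dates` output (Listing 1 format) on stdin and print the
# whole days left until notAfter. Optional $1 overrides "now" as a Unix timestamp.
# Returns non-zero once the certificate is expired, so it doubles as a health check.
cert_days_left() {
    not_after=$(sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || { echo "no notAfter line on stdin" >&2; return 2; }
    expiry=$(date -u -d "$not_after" +%s)   # GNU date; BSD date needs -j -f instead
    now="${1:-$(date -u +%s)}"
    days=$(( (expiry - now) / 86400 ))
    echo "$days"
    [ "$days" -gt 0 ]
}

# Only act when invoked explicitly, so sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    issue_and_install
    openssl x509 -in "$CERT_DIR/fullchain.pem" -noout -issuer -subject -dates |
        cert_days_left
fi
```

Run with `./renew.sh run` once port 80 is free; the certificate check can also be run on its own from cron against the installed fullchain.pem to alert before expiry.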

Conclusion

The ACME protocol is becoming increasingly popular. A whole range of products now use it, helping to spread the use of X.509 even further. The acme.sh shell script is a very lightweight ACME client that compares well with better known clients such as Certbot.

The Author

Thorsten Scherf is a Senior Principal Product Experience Engineer who works in the global Red Hat Identity Management team. You can meet him as a speaker at various conferences.
