I have successfully generated a certificate for my domain. It works perfectly, I have used
acme.sh to generate it.
However, today my certificate expired and my website was down. I thought the point of using
acme.sh was to auto-renew these certificates?
I was able to make my website working again by manually entering the following two commands:
acme.sh --renew -d example.com
systemctl reload nginx
How would I configure my server to auto-renew my certificates in the future? Normally I followed the same steps as here (it is for a different website though).
crontab -l is empty for root and normal user.
I also noticed that executing acme.sh --list as root gives a different output than when I run it as normal user.
Main_Domain KeyLength SAN_Domains CA Created Renew
example.com "" no ZeroSSL.com
For the normal user all columns have a value.
How to configure this properly?
It looks like you're using ZeroSSL as the CA. This is the Let's Encrypt Community, which is a different CA. I'd like you to refer to the acme.sh documentation, which is quite terrible. Personally I have no experience with that ACME client. It might be as simple as you just need to add a cronjob manually? Or perhaps run some acme.sh command which does that for you? I dunno
If you don't have a cronjob for acme.sh, it's possible you haven't installed it properly. How have you set up acme.sh?
The installation section in the README mentions various possibilities, including:
- an online shell script (very easy to use, though it's generally not recommended to execute arbitrary unverified code)
- manually setting up the cronjob is fine as well
The acme.sh installation (primarily its config directory) is relative to the current user's home directory. It is important to run all acme.sh commands (including the cronjob) as the same user. It's generally easiest to run acme.sh (always) as root, but running as non-root also works, if configured appropriately.
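The per-user point above can be checked mechanically. The script below is an added example, not part of the thread and not acme.sh's own code: it reads crontab text and reports whether an active acme.sh --cron job exists and whether its --home matches the home directory you expect for that user. The function names (acme_cron_homes, audit_crontab), the sample crontab and the /home/deploy user are constructed for illustration, and it assumes the entry form the acme.sh installer writes and paths without spaces.

```shell
#!/bin/sh
# Added example: audit crontab text for the acme.sh renewal job.
# Assumed entry form (as written by the acme.sh installer):
#   10 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

# stdin: crontab text. Prints the --home of each active acme.sh --cron entry
# ("nohome" if the entry has none). Exit status 1 if there is no such entry.
acme_cron_homes() {
    awk '
        /^[ \t]*#/ { next }                      # commented-out jobs do not run
        /acme\.sh/ && /--cron/ {
            home = "nohome"
            for (i = 1; i < NF; i++)
                if ($i == "--home") { home = $(i + 1); gsub(/"/, "", home) }
            print home
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# audit_crontab EXPECTED_HOME   (stdin: crontab text)
# Prints "ok", "missing", or "mismatch:<homes found>".
audit_crontab() {
    expected=$1
    homes=$(acme_cron_homes) || { echo "missing"; return 1; }
    for h in $homes; do
        if [ "$h" = "$expected" ]; then echo "ok"; return 0; fi
    done
    echo "mismatch:$(echo $homes | tr ' ' ',')"
    return 2
}

# Constructed sample: root's crontab carries a job that points at another
# user's acme.sh home, so root's own certificates would never be renewed.
SAMPLE_ROOT_CRONTAB='MAILTO=""
# 5 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
10 0 * * * "/home/deploy/.acme.sh"/acme.sh --cron --home "/home/deploy/.acme.sh" > /dev/null'

printf '%s\n' "$SAMPLE_ROOT_CRONTAB" | audit_crontab /root/.acme.sh || true
# On a real host, per user: crontab -l 2>/dev/null | audit_crontab "$HOME/.acme.sh"
```

A "missing" verdict for the user that owns the certificates matches the empty crontab described in the question; acme.sh --install-cronjob, run as that user, adds the entry.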
Looks like I'm "late to the party"!
Most know that Let's Encrypt is no longer the "DEFAULT Certificate Authority" for the shell script, acme.sh.
TO ENSURE LET'S ENCRYPT IS THE CA OF CHOICE EDIT ACME.SH
Verify Line 23:
And change it to:
Line 38: DEFAULT_CA=$CA_LETSENCRYPT_V2
Line 39: DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
I think it is interesting the author chose to continue using LET'S ENCRYPT'S staging environment. Most other CAs apparently do not have a testing environment as robust as ours.
(buypass and google have one)
Isn't it easier to do the below? The setting is thus preserved over acme.sh script updates:
acme.sh --set-default-ca --server letsencrypt
Thanks Mike! Yes, it actually is. Either way works. When I looked at my configuration the default CA was Z-ssl .... and I have always used LE... I modified it anyway. I have certs renewing tomorrow. It will be interesting to see if any objections occur from the change.
Since I don't run these from the command line I prefer to change the configuration, to be sure.