Basic acme.sh questions

I'm trying to set up a certificate to use on my Raspberry Pi running nginx. I have a subdomain issued by duckdns.org.

I am using the acme.sh program as it is simple enough to do what I want. But I was just doing some "testing" using the "staging" server using command:

acme.sh --issue --dns dns_duckdns -d mysubdomain.duckdns.org --test

And it went all fine, but it didn't act as if it was a test, despite the instructions specifically saying to add "--test" for test runs. It created the certificates and now wants me to "force renew" when I tried to do a real run. I thought "--test" was for testing and didn't create actual certs or anything. Am I wrong?

Also, it seems like I have no choice on whether to run it through LetsEncrypt servers or through "ZeroSSL" servers. When I ran my line without "test", it would sometimes try to do it via ZeroSSL which was throwing an error because it wanted an email address. Is there a way to force to go via LetsEncrypt and not ZeroSSL?

@Played001Eliminated Welcome to this forum.

I think your questions would be better handled at the github for acme.sh:

But, briefly, the --test issues certificates but from a test or staging server of the CA (ZeroSSL, Letsencrypt, ...). You would not want to use these for a production server. Certbot, another client, has a --dry-run option to test without making a cert but acme.sh does not have this option. Their github has posts requesting this.

acme.sh uses ZeroSSL by default as of Aug 1 this year. You can change the default. See this notice:


@Played001Eliminated Also see this post from earlier this morning

It links to a bug report in acme.sh: --staging must appear after --server, otherwise staging is ignored.


I know this has more to do with acme.sh, but maybe I can get an answer here.

I was able to successfully create a LetsEncrypt certificate but when I run the command to install the certs:

acme.sh --install-cert -d mydomain.org \
  --cert-file /etc/nginx/acme.sh/mydomain.org/cert.pem \
  --key-file /etc/nginx/acme.sh/mydomain.org/key.pem \
  --fullchain-file /etc/nginx/acme.sh/mydomain.org/fullchain.pem \
  --reloadcmd "service nginx force-reload"

I get a "permission denied" error. But when I try to get around it by prefixing it all with "sudo", it tells me "sudo: acme.sh: command not found". So I don't know what to do. It's exactly how all the guides are saying to do it, none of them talking about "permission denied". The folders in /etc/nginx already exist too.

Effectively, you most likely have installed acme.sh as a non-root user, but you're trying to access stuff only accessible for privileged users (the /etc directory is usually protected against write access for non-privileged users, and the service command is also often restricted).

You can either fix the permissions - ensure your current user has write access to /etc/nginx/acme.sh and/or try replacing the reloadcmd with sudo service nginx force-reload, though that requires that sudo won't ask for a password to run non-interactively.

A different solution would be to switch to the root account (sudo su) and then re-install acme.sh as root (note that this will create a new config directory for acme.sh, so all current certificate configs won't be there). Then you definitely have access to everything, though that also makes mistakes a lot more dangerous and weakens security a bit.


You could resolve this by giving the full path to acme.sh. But again, if you've installed acme.sh as a non-root user, and you want it to be able to modify system files, you're probably doing it wrong, and would be better off re-installing it as root.


You can set the default CA to letsencrypt:

Here is how to use with sudo:

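Two small helpers for the problems raised in this thread, added here as an example (not code from the thread or from the acme.sh project): the first composes the --issue command with --server ahead of --staging, as the linked bug report requires, and the second checks the preconditions for --install-cert before you run it. The domain and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Domain and paths are placeholders.

# Compose an --issue command line. --server is emitted before --staging
# because acme.sh ignores --staging when it comes first (see the bug report).
# $1 = domain, $2 = "staging" or "prod". Prints the command, does not run it.
issue_cmd() {
  domain=$1; mode=$2
  set -- acme.sh --issue --dns dns_duckdns -d "$domain" --server letsencrypt
  [ "$mode" = staging ] && set -- "$@" --staging
  printf '%s\n' "$*"
}

# Preflight for --install-cert. $1 = full path to acme.sh, $2 = directory the
# --cert-file/--key-file/--fullchain-file options point into. Prints each
# problem found; returns 0 only when the current user can run acme.sh and
# write into that directory (the two causes of the errors quoted above).
install_cert_preflight() {
  acme=$1; dir=$2; rc=0
  if [ ! -x "$acme" ]; then
    # sudo resets PATH, hence "command not found": pass the full path instead.
    echo "not executable: $acme (try \$HOME/.acme.sh/acme.sh)"; rc=1
  fi
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir"; rc=1
  elif [ ! -w "$dir" ]; then
    echo "no write access to $dir for $(id -un); chown it or run acme.sh as its owner"; rc=1
  fi
  return $rc
}

# True when sudo can run the given command without prompting, which a
# "sudo service nginx force-reload" --reloadcmd needs during unattended renewal.
sudo_can_run_unattended() {
  command -v sudo >/dev/null 2>&1 || return 1
  sudo -n -l "$@" >/dev/null 2>&1
}
```

Run install_cert_preflight against the real paths before repeating the --install-cert line; the last helper is only meaningful on the host where the reloadcmd will run.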

If you tried it first with --test, you need to repeat all the steps without --test.
