OK, here’s what I had to do:
Look at the contents of “https://get.acme.sh” to make sure it looks sensible.
As root, run
wget -O - https://get.acme.sh | sh
Comment out the entry automatically added to root’s crontab as it won’t work as is.
acme.sh --alpn --issue -d example.com -w /var/www/html
As recommended in the acme.sh docs, create a location to store the new certificate files. I chose:
(which already existed because I’d been using certbot)
so that the files that will be created in this new location are used by apache
Install the newly generated certificate:
acme.sh --install-cert -d example.com \
--cert-file /etc/letsencrypt/acme.sh/cert.pem \
--key-file /etc/letsencrypt/acme.sh/key.pem \
--fullchain-file /etc/letsencrypt/acme.sh/fullchain.pem \
--reloadcmd "service apache2 force-reload"
Test that the certificate was indeed updated just now, and note the SHA1 fingerprinter for future reference.
Create a renewal script:
root@myserver:~# cat /usr/local/sbin/renew_acme.sh.sh
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" 2>&1 | mail -s "Ubuntuvm34 acme.sh renewal attempt" email@example.com
And add to root’s crontab
33 16 * * * /usr/local/sbin/renew_acme.sh.sh > /dev/null
and check that it runs and a mail is sent saying that it was skipped and when the next renewal time is.
Test that a new certificate can be successfully issued by temporarily adding “–force” to the acme.sh command in the cronned script. After it runs check that the website is accessible, the certificate was issued today and the SHA1 fingerprint is different (because the certificate has been reissued).
Remove “–force” from the script.