之前使用certbot-auto来生成https证书:免费SSL证书申请,发现续租比较麻烦,支持的dns服务商太少,不支持我的dns服务商
后续找了个acme的脚本比较强大,支持很多服务商,可以自动续租,推荐使用这个。
acme.sh 实现了 acme 协议, 可以从 letsencrypt 生成免费的证书.
主要步骤:
- 安装 acme.sh
- 生成证书
- copy 证书到 nginx/apache 或者其他服务
- 更新证书
- 更新 acme.sh
- 出错怎么办, 如何调试
下面详细介绍.
1. 安装 acme.sh
安装很简单, 一个命令:
1 | curl https://get.acme.sh | sh |
普通用户和 root 用户都可以安装使用. 安装过程进行了以下几步:
- 把 acme.sh 安装到你的 home 目录下:
1 | ~/.acme.sh/ |
并创建 一个 bash 的 alias, 方便你的使用: alias acme.sh=~/.acme.sh/acme.sh
2). 自动为你创建 cronjob, 每天 0:00 点自动检测所有的证书, 如果快过期了, 需要更新, 则会自动更新证书.
更高级的安装选项请参考: https://github.com/Neilpang/acme.sh/wiki/How-to-install
安装过程不会污染已有的系统任何功能和文件, 所有的修改都限制在安装目录中: ~/.acme.sh/
2. 生成证书
acme.sh 实现了 acme 协议支持的所有验证协议. 一般有两种方式验证: http 和 dns 验证.
1. http 方式需要在你的网站根目录下放置一个文件, 来验证你的域名所有权,完成验证. 然后就可以生成证书了.
1 | acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/ |
只需要指定域名, 并指定域名所在的网站根目录. acme.sh 会全自动的生成验证文件, 并放到网站的根目录, 然后自动完成验证. 最后会聪明的删除验证文件. 整个过程没有任何副作用.
如果你用的 apache服务器, acme.sh 还可以智能的从 apache的配置中自动完成验证, 你不需要指定网站根目录:
1 | acme.sh --issue -d mydomain.com --apache |
如果你用的 nginx服务器, 或者反代, acme.sh 还可以智能的从 nginx的配置中自动完成验证, 你不需要指定网站根目录:
1 | acme.sh --issue -d mydomain.com --nginx |
注意, 无论是 apache 还是 nginx 模式, acme.sh在完成验证之后, 会恢复到之前的状态, 都不会私自更改你本身的配置. 好处是你不用担心配置被搞坏, 也有一个缺点, 你需要自己配置 ssl 的配置, 否则只能成功生成证书, 你的网站还是无法访问https. 但是为了安全, 你还是自己手动改配置吧.
如果你还没有运行任何 web 服务, 80 端口是空闲的, 那么 acme.sh 还能假装自己是一个webserver, 临时听在80 端口, 完成验证:
1 | acme.sh --issue -d mydomain.com --standalone |
更高级的用法请参考: https://github.com/Neilpang/acme.sh/wiki/How-to-issue-a-cert
2. dns 方式, 在域名上添加一条 txt 解析记录, 验证域名所有权.
这种方式的好处是, 你不需要任何服务器, 不需要任何公网 ip, 只需要 dns 的解析记录即可完成验证. 坏处是,如果不同时配置 Automatic DNS API,使用这种方式 acme.sh 将无法自动更新证书,每次都需要手动再次重新解析验证域名所有权。
1 | acme.sh --issue --dns -d mydomain.com |
然后, acme.sh 会生成相应的解析记录显示出来, 你只需要在你的域名管理面板中添加这条 txt 记录即可.
等待解析完成之后, 重新生成证书:
1 | acme.sh --renew -d mydomain.com |
注意第二次这里用的是 --renew
dns 方式的真正强大之处在于可以使用域名解析商提供的 api 自动添加 txt 记录完成验证.
acme.sh 目前支持 cloudflare, dnspod, cloudxns, godaddy 以及 ovh 等数十种解析商的自动集成.
以 dnspod 为例, 你需要先登录到 dnspod 账号, 生成你的 api id 和 api key, 都是免费的. 然后:
1 | export DP_Id="1234" |
证书就会自动生成了. 这里给出的 api id 和 api key 会被自动记录下来, 将来你在使用 dnspod api 的时候, 就不需要再次指定了. 直接生成就好了:
1 | acme.sh --issue -d mydomain2.com --dns dns_dp |
更详细的 api 用法: https://github.com/Neilpang/acme.sh/blob/master/dnsapi/README.md
3. copy/安装 证书
前面证书生成以后, 接下来需要把证书 copy 到真正需要用它的地方.
注意, 默认生成的证书都放在安装目录下: ~/.acme.sh/, 请不要直接使用此目录下的文件, 例如: 不要直接让 nginx/apache 的配置文件使用这下面的文件. 这里面的文件都是内部使用, 而且目录结构可能会变化.
正确的使用方法是使用 --installcert 命令,并指定目标位置, 然后证书文件会被copy到相应的位置, 例如:
1 | acme.sh --installcert -d <domain>.com \ |
(一个小提醒, 这里用的是 service nginx force-reload, 不是 service nginx reload, 据测试, reload 并不会重新加载证书, 所以用的 force-reload)
Nginx 的配置 ssl_certificate 使用 /etc/nginx/ssl/fullchain.cer ,而非 /etc/nginx/ssl/<domain>.cer ,否则 SSL Labs 的测试会报 Chain issues Incomplete 错误。
--installcert命令可以携带很多参数, 来指定目标文件. 并且可以指定 reloadcmd, 当证书更新以后, reloadcmd会被自动调用,让服务器生效.
详细参数请参考: https://github.com/Neilpang/acme.sh#3-install-the-issued-cert-to-apachenginx-etc
值得注意的是, 这里指定的所有参数都会被自动记录下来, 并在将来证书自动更新以后, 被再次自动调用.
4. 更新证书
目前证书在 60 天以后会自动更新, 你无需任何操作. 今后有可能会缩短这个时间, 不过都是自动的, 你不用关心.
5. 更新 acme.sh
目前由于 acme 协议和 letsencrypt CA 都在频繁的更新, 因此 acme.sh 也经常更新以保持同步.
升级 acme.sh 到最新版 :
1 | acme.sh --upgrade |
如果你不想手动升级, 可以开启自动升级:
1 | acme.sh --upgrade --auto-upgrade |
之后, acme.sh 就会自动保持更新了.
你也可以随时关闭自动更新:
1 | acme.sh --upgrade --auto-upgrade 0 |
How to use DNS API
If your dns provider doesn’t provide api access, you can use our dns alias mode:
https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode
1. Use CloudFlare domain API to automatically issue cert
First you need to login to your CloudFlare account to get your API key.
1 | export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_cf -d example.com -d www.example.com |
The CF_Key and CF_Email will be saved in ~/.acme.sh/account.conf and will be reused when needed.
2. Use DNSPod.cn domain API to automatically issue cert
First you need to login to your DNSPod account to get your API Key and ID.
1 | export DP_Id="1234" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_dp -d example.com -d www.example.com |
The DP_Id and DP_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
3. Use CloudXNS.com domain API to automatically issue cert
First you need to login to your CloudXNS account to get your API Key and Secret.
1 | export CX_Key="1234" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_cx -d example.com -d www.example.com |
The CX_Key and CX_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
4. Use GoDaddy.com domain API to automatically issue cert
First you need to login to your GoDaddy account to get your API Key and Secret.
https://developer.godaddy.com/keys/
Please create a Production key, instead of a Test key.
1 | export GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_gd -d example.com -d www.example.com |
The GD_Key and GD_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
5. Use PowerDNS embedded API to automatically issue cert
First you need to login to your PowerDNS account to enable the API and set your API-Token in the configuration.
https://doc.powerdns.com/md/httpapi/README/
1 | export PDNS_Url="http://ns.example.com:8081" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_pdns -d example.com -d www.example.com |
The PDNS_Url, PDNS_ServerId, PDNS_Token and PDNS_Ttl will be saved in ~/.acme.sh/account.conf and will be reused when needed.
6. Use OVH/kimsufi/soyoustart/runabove API to automatically issue cert
https://github.com/Neilpang/acme.sh/wiki/How-to-use-OVH-domain-api
7. Use nsupdate to automatically issue cert
First, generate a key for updating the zone
1 | b=$(dnssec-keygen -a hmac-sha512 -b 512 -n USER -K /tmp foo) |
Include this key in your named configuration
1 | include "/etc/named/keys/update.key"; |
Next, configure your zone to allow dynamic updates.
Depending on your named version, use either
1 | zone "example.com" { |
or
1 | zone "example.com" { |
Finally, make the DNS server and update Key available to acme.sh
1 | export NSUPDATE_SERVER="dns.example.com" |
and optionally (depending on DNS server)
1 | export NSUPDATE_ZONE="example.com" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_nsupdate -d example.com -d www.example.com |
The NSUPDATE_SERVER, NSUPDATE_KEY, and NSUPDATE_ZONE settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
8. Use LuaDNS domain API
Get your API token at https://api.luadns.com/settings
1 | export LUA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
To issue a cert:
1 | acme.sh --issue --dns dns_lua -d example.com -d www.example.com |
The LUA_Key and LUA_Email will be saved in ~/.acme.sh/account.conf and will be reused when needed.
9. Use DNSMadeEasy domain API
Get your API credentials at https://cp.dnsmadeeasy.com/account/info
1 | export ME_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
To issue a cert:
1 | acme.sh --issue --dns dns_me -d example.com -d www.example.com |
The ME_Key and ME_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
10. Use Amazon Route53 domain API
https://github.com/Neilpang/acme.sh/wiki/How-to-use-Amazon-Route53-API
1 | export AWS_ACCESS_KEY_ID=XXXXXXXXXX |
To issue a cert:
1 | acme.sh --issue --dns dns_aws -d example.com -d www.example.com |
The AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
11. Use Aliyun domain API to automatically issue cert
First you need to login to your Aliyun account to get your API key. https://ak-console.aliyun.com/#/accesskey
1 | export Ali_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_ali -d example.com -d www.example.com |
The Ali_Key and Ali_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
12. Use ISPConfig 3.1 API
This only works for ISPConfig 3.1 (and newer).
Create a Remote User in the ISPConfig Control Panel. The Remote User must have access to at least DNS zone functions and DNS txt functions.
1 | export ISPC_User="xxx" |
If you have installed ISPConfig on a different port, then alter the 8080 accordingly. Leaver ISPC_Api_Insecure set to 1 if you have not a valid ssl cert for your installation. Change it to 0 if you have a valid ssl cert.
To issue a cert:
1 | acme.sh --issue --dns dns_ispconfig -d example.com -d www.example.com |
The ISPC_User, ISPC_Password, ISPC_Apiand ISPC_Api_Insecure will be saved in ~/.acme.sh/account.conf and will be reused when needed.
13. Use Alwaysdata domain API
First you need to login to your Alwaysdata account to get your API Key.
1 | export AD_API_KEY="myalwaysdataapikey" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_ad -d example.com -d www.example.com |
The AD_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
14. Use Linode domain API
The tokens created in the classic manager and cloud manager are incompatible with one another. While the classic manager makes an all or nothing API, the newer cloud manager interface promises to produce API keys with a finer permission system. However, either way works just fine.
Classic Manager
Classic Manager: https://manager.linode.com/profile/api
First you need to login to your Linode account to get your API Key.
Then add an API key with label ACME and copy the new key into the following command.
1 | export LINODE_API_KEY="..." |
Due to the reload time of any changes in the DNS records, we have to use the dnssleep option to wait at least 15 minutes for the changes to take effect.
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_linode --dnssleep 900 -d example.com -d www.example.com |
The LINODE_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
Cloud Manager
Cloud Manager: https://cloud.linode.com/profile/tokens
First you need to login to your Linode account to get your API Key.
- Click on “Add a Personal Access Token”.
- Give the new key a “Label” (we recommend ACME)
- Give it Read/Write access to “Domains”
- “Submit” and copy the new key into the
LINODE_V4_API_KEYcommand below.
1 | export LINODE_V4_API_KEY="..." |
Due to the reload time of any changes in the DNS records, we have to use the dnssleep option to wait at least 15 minutes for the changes to take effect.
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_linode_v4 --dnssleep 900 -d example.com -d www.example.com |
The LINODE_V4_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
15. Use FreeDNS
FreeDNS (https://freedns.afraid.org/) does not provide an API to update DNS records (other than IPv4 and IPv6 dynamic DNS addresses). The acme.sh plugin therefore retrieves and updates domain TXT records by logging into the FreeDNS website to read the HTML and posting updates as HTTP. The plugin needs to know your userid and password for the FreeDNS website.
1 | export FREEDNS_User="..." |
You need only provide this the first time you run the acme.sh client with FreeDNS validation and then again whenever you change your password at the FreeDNS site. The acme.sh FreeDNS plugin does not store your userid or password but rather saves an authentication token returned by FreeDNS in ~/.acme.sh/account.conf and reuses that when needed.
Now you can issue a certificate.
1 | acme.sh --issue --dns dns_freedns -d example.com -d www.example.com |
Note that you cannot use acme.sh automatic DNS validation for FreeDNS public domains or for a subdomain that you create under a FreeDNS public domain. You must own the top level domain in order to automatically validate with acme.sh at FreeDNS.
16. Use cyon.ch
You only need to set your cyon.ch login credentials. If you also have 2 Factor Authentication (OTP) enabled, you need to set your secret token too and have oathtool installed.
1 | export CY_Username="your_cyon_username" |
To issue a cert:
1 | acme.sh --issue --dns dns_cyon -d example.com -d www.example.com |
The CY_Username, CY_Password and CY_OTP_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
17. Use Domain-Offensive/Resellerinterface/Domainrobot API
ATTENTION: You need to be a registered Reseller to be able to use the ResellerInterface. As a normal user you can not use this method.
You will need your login credentials (Partner ID+Password) to the Resellerinterface, and export them before you run acme.sh:
1 | export DO_PID="KD-1234567" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_do -d example.com -d www.example.com |
18. Use Gandi LiveDNS API
You must enable the new Gandi LiveDNS API first and the create your api key, See: http://doc.livedns.gandi.net/
1 | export GANDI_LIVEDNS_KEY="fdmlfsdklmfdkmqsdfk" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_gandi_livedns -d example.com -d www.example.com |
19. Use Knot (knsupdate) DNS API to automatically issue cert
First, generate a TSIG key for updating the zone.
1 | keymgr tsig generate -t acme_key hmac-sha512 > /etc/knot/acme.key |
Include this key in your knot configuration file.
1 | include: /etc/knot/acme.key |
Next, configure your zone to allow dynamic updates.
Dynamic updates for the zone are allowed via proper ACL rule with the update action. For in-depth instructions, please see Knot DNS’s documentation.
1 | acl: |
Finally, make the DNS server and TSIG Key available to acme.sh
1 | export KNOT_SERVER="dns.example.com" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_knot -d example.com -d www.example.com |
The KNOT_SERVER and KNOT_KEY settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
20. Use DigitalOcean API (native)
You need to obtain a read and write capable API key from your DigitalOcean account. See: https://www.digitalocean.com/help/api/
1 | export DO_API_KEY="75310dc4ca779ac39a19f6355db573b49ce92ae126553ebd61ac3a3ae34834cc" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_dgon -d example.com -d www.example.com |
21. Use ClouDNS.net API
You need to set the HTTP API user ID and password credentials. See: https://www.cloudns.net/wiki/article/42/. For security reasons, it’s recommended to use a sub user ID that only has access to the necessary zones, as a regular API user has access to your entire account.
1 | # Use this for a sub auth ID |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_cloudns -d example.com -d www.example.com |
The CLOUDNS_AUTH_ID and CLOUDNS_AUTH_PASSWORD will be saved in ~/.acme.sh/account.confand will be reused when needed.
22. Use Infoblox API
First you need to create/obtain API credentials on your Infoblox appliance.
1 | export Infoblox_Creds="username:password" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_infoblox -d example.com -d www.example.com |
Note: This script will automatically create and delete the ephemeral txt record. The Infoblox_Creds and Infoblox_Server will be saved in ~/.acme.sh/account.conf and will be reused when needed.
23. Use VSCALE API
First you need to create/obtain API tokens on your settings panel.
1 | export VSCALE_API_KEY="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_vscale -d example.com -d www.example.com |
24. Use Dynu API
First you need to create/obtain API credentials from your Dynu account. See: https://www.dynu.com/resources/api/documentation
1 | export Dynu_ClientId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_dynu -d example.com -d www.example.com |
The Dynu_ClientId and Dynu_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
25. Use DNSimple API
First you need to login to your DNSimple account and generate a new oauth token.
https://dnsimple.com/a/{your account id}/account/access_tokens
Note that this is an account token and not a user token. The account token is needed to infer the account_id used in requests. A user token will not be able to determine the correct account to use.
1 | export DNSimple_OAUTH_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje" |
To issue the cert just specify the dns_dnsimple API.
1 | acme.sh --issue --dns dns_dnsimple -d example.com |
The DNSimple_OAUTH_TOKEN will be saved in ~/.acme.sh/account.conf and will be reused when needed.
If you have any issues with this integration please report them tohttps://github.com/pho3nixf1re/acme.sh/issues.
26. Use NS1.com API
1 | export NS1_Key="fdmlfsdklmfdkmqsdfk" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_nsone -d example.com -d www.example.com |
27. Use DuckDNS.org API
1 | export DuckDNS_Token="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" |
Please note that since DuckDNS uses StartSSL as their cert provider, thus –insecure may need to be used when issuing certs:
1 | acme.sh --insecure --issue --dns dns_duckdns -d mydomain.duckdns.org |
For issues, please report to https://github.com/raidenii/acme.sh/issues.
28. Use Name.com API
Create your API token here: https://www.name.com/account/settings/api
Note: Namecom_Username should be your Name.com username and not the token name. If you accidentally run the script with the token name as the username see ~/.acme.sh/account.confto fix the issue
1 | export Namecom_Username="testuser" |
And now you can issue certs with:
1 | acme.sh --issue --dns dns_namecom -d example.com -d www.example.com |
For issues, please report to https://github.com/raidenii/acme.sh/issues.
29. Use Dyn Managed DNS API to automatically issue cert
First, login to your Dyn Managed DNS account: https://portal.dynect.net/login/
It is recommended to add a new user specific for API access.
The minimum “Zones & Records Permissions” required are:
1 | RecordAdd |
Pass the API user credentials to the environment:
1 | export DYN_Customer="customer" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_dyn -d example.com -d www.example.com |
The DYN_Customer, DYN_Username and DYN_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
30. Use pdd.yandex.ru API
1 | export PDD_Token="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" |
Follow these instructions to get the token for your domain https://tech.yandex.com/domain/doc/concepts/access-docpage/
1 | acme.sh --issue --dns dns_yandex -d mydomain.example.org |
For issues, please report to https://github.com/non7top/acme.sh/issues.
31. Use Hurricane Electric
Hurricane Electric (https://dns.he.net/) doesn’t have an API so just set your login credentials like so:
1 | export HE_Username="yourusername" |
Then you can issue your certificate:
1 | acme.sh --issue --dns dns_he -d example.com -d www.example.com |
The HE_Username and HE_Password settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
Please report any issues to https://github.com/angel333/acme.sh or to [email protected].
32. Use UnoEuro API to automatically issue cert
First you need to login to your UnoEuro account to get your API key.
1 | export UNO_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_unoeuro -d example.com -d www.example.com |
The UNO_Key and UNO_User will be saved in ~/.acme.sh/account.conf and will be reused when needed.
33. Use INWX
INWX offers an xmlrpc api with your standard login credentials, set them like so:
1 | export INWX_User="yourusername" |
Then you can issue your certificates with:
1 | acme.sh --issue --dns dns_inwx -d example.com -d www.example.com |
The INWX_User and INWX_Password settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
If your account is secured by mobile tan you have also defined the shared secret.
1 | export INWX_Shared_Secret="shared secret" |
You may need to re-enable the mobile tan to gain the shared secret.
34. User Servercow API v1
Create a new user from the servercow control center. Don’t forget to activate DNS API for this user.
1 | export SERVERCOW_API_Username=username |
Now you cann issue a cert:
1 | acme.sh --issue --dns dns_servercow -d example.com -d www.example.com |
Both, SERVERCOW_API_Username and SERVERCOW_API_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
35. Use Namesilo.com API
You’ll need to generate an API key at https://www.namesilo.com/account_api.php Optionally you may restrict the access to an IP range there.
1 | export Namesilo_Key="xxxxxxxxxxxxxxxxxxxxxxxx" |
And now you can issue certs with:
1 | acme.sh --issue --dns dns_namesilo --dnssleep 900 -d example.com -d www.example.com |
36. Use autoDNS (InternetX)
InternetX offers an xml api with your standard login credentials, set them like so:
1 | export AUTODNS_USER="yourusername" |
Then you can issue your certificates with:
1 | acme.sh --issue --dns dns_autodns -d example.com -d www.example.com |
The AUTODNS_USER, AUTODNS_PASSWORD and AUTODNS_CONTEXT settings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
37. Use Azure DNS
You have to create a service principal first. See:How to use Azure DNS
1 | export AZUREDNS_SUBSCRIPTIONID="12345678-9abc-def0-1234-567890abcdef" |
Then you can issue your certificates with:
1 | acme.sh --issue --dns dns_azure -d example.com -d www.example.com |
AZUREDNS_SUBSCRIPTIONID, AZUREDNS_TENANTID,AZUREDNS_APPID and AZUREDNS_CLIENTSECRETsettings will be saved in ~/.acme.sh/account.conf and will be reused when needed.
38. Use selectel.com(selectel.ru) domain API to automatically issue cert
First you need to login to your account to get your API key from: https://my.selectel.ru/profile/apikeys.
1 | export SL_Key="sdfsdfsdfljlbjkljlkjsdfoiwje" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_selectel -d example.com -d www.example.com |
The SL_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
39. Use zonomi.com domain API to automatically issue cert
First you need to login to your account to find your API key from: http://zonomi.com/app/dns/dyndns.jsp
Your will find your api key in the example urls:
1 | https://zonomi.com/app/dns/dyndns.jsp?host=example.com&api_key=1063364558943540954358668888888888 |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_zonomi -d example.com -d www.example.com |
The ZM_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
40. Use DreamHost DNS API
DNS API keys may be created at https://panel.dreamhost.com/?tree=home.api. Ensure the created key has add and remove privelages.
1 | export DH_API_KEY="<api key>" |
The ‘DH_API_KEY’ will be saved in ~/.acme.sh/account.conf and will be reused when needed.
41. Use DirectAdmin API
The DirectAdmin interface has it’s own Let’s encrypt functionality, but this script can be used to generate certificates for names which are not hosted on DirectAdmin
User must provide login data and URL to the DirectAdmin incl. port. You can create an user which only has access to
- CMD_API_DNS_CONTROL
- CMD_API_SHOW_DOMAINS
By using the Login Keys function. See also https://www.directadmin.com/api.php and https://www.directadmin.com/features.php?id=1298
1 | export DA_Api="https://remoteUser:[email protected]:8443" |
Set DA_Api_Insecure to 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_da -d example.com -d www.example.com |
The DA_Api and DA_Api_Insecure will be saved in ~/.acme.sh/account.conf and will be reused when needed.
42. Use KingHost DNS API
API access must be enabled at https://painel.kinghost.com.br/painel.api.php
1 | export KINGHOST_Username="yourusername" |
The KINGHOST_username and KINGHOST_Password will be saved in ~/.acme.sh/account.confand will be reused when needed.
43. Use Zilore DNS API
First, get your API key at https://my.zilore.com/account/api
1 | export Zilore_Key="5dcad3a2-36cb-50e8-cb92-000002f9" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_zilore -d example.com -d *.example.com |
The Zilore_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
44. Use Loopia.se API
User must provide login credentials to the Loopia API. The user needs the following permissions:
- getDomains
- getSubdomains
- addSubdomain
- removeSubdomain
- getZoneRecords
- addZoneRecord
Set the login credentials:
1 | export LOOPIA_User="[email protected]" |
And to issue a cert:
1 | acme.sh --issue --dns dns_loopia -d example.com -d *.example.com |
The username and password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
45. Use ACME DNS API
ACME DNS is a limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely. https://github.com/joohoi/acme-dns
1 | export ACMEDNS_UPDATE_URL="https://auth.acme-dns.io/update" |
The credentials will be saved in ~/.acme.sh/account.conf and will be reused when needed.
46. Use TELE3 API
First you need to login to your TELE3 account to set your API-KEY. https://www.tele3.cz/system-acme-api.html
1 | export TELE3_Key="MS2I4uPPaI..." |
The TELE3_Key and TELE3_Secret will be saved in ~/.acme.sh/account.conf and will be reused when needed.
47. Use Euserv.eu API
First you need to login to your euserv.eu account and activate your API Administration (API Verwaltung). https://support.euserv.com
Once you’ve activate, login to your API Admin Interface and create an API account. Please specify the scope (active groups: domain) and assign the allowed IPs.
1 | export EUSERV_Username="99999.user123" |
Ok, let’s issue a cert now: (Be aware to use the --insecure flag, cause euserv.eu is still using self-signed certificates!)
1 | acme.sh --issue --dns dns_euserv -d example.com -d *.example.com --insecure |
The EUSERV_Username and EUSERV_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
Please report any issues to https://github.com/initit/acme.sh or to [email protected]
48. Use DNSPod.com domain API to automatically issue cert
First you need to get your API Key and ID by this get-the-user-token.
1 | export DPI_Id="1234" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_dpi -d example.com -d www.example.com |
The DPI_Id and DPI_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
49. Use Google Cloud DNS API to automatically issue cert
First you need to authenticate to gcloud.
1 | gcloud init |
The dns_gcloud script uses the active gcloud configuration and credentials. There is no logic inside dns_gcloud to override the project and other settings. If needed, create additional gcloud configurations. You can change the configuration being used without activating it; simply set the CLOUDSDK_ACTIVE_CONFIG_NAME environment variable.
To issue a certificate you can:
1 | export CLOUDSDK_ACTIVE_CONFIG_NAME=default # see the note above |
dns_gcloud also supports DNS alias mode.
50. Use ConoHa API
First you need to login to your ConoHa account to get your API credentials.
1 | export CONOHA_Username="xxxxxx" |
To issue a cert:
1 | acme.sh --issue --dns dns_conoha -d example.com -d www.example.com |
The CONOHA_Username, CONOHA_Password, CONOHA_TenantId and CONOHA_IdentityServiceApiwill be saved in ~/.acme.sh/account.conf and will be reused when needed.
51. Use netcup DNS API to automatically issue cert
First you need to login in your CCP account to get your API Key and API Password.
1 | export NC_Apikey="<Apikey>" |
Now, let’s issue a cert:
1 | acme.sh --issue --dns dns_netcup -d example.com -d www.example.com |
The NC_Apikey,NC_Apipw and NC_CID will be saved in ~/.acme.sh/account.conf and will be reused when needed.
52. Use GratisDNS.dk
GratisDNS.dk (https://gratisdns.dk/) does not provide an API to update DNS records (other than IPv4 and IPv6 dynamic DNS addresses). The acme.sh plugin therefore retrieves and updates domain TXT records by logging into the GratisDNS website to read the HTML and posting updates as HTTP. The plugin needs to know your userid and password for the GratisDNS website.
1 | export GDNSDK_Username="..." |
The username and password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
Now you can issue a certificate.
Note: It usually takes a few minutes (usually 3-4 minutes) before the changes propagates to gratisdns.dk nameservers (ns3.gratisdns.dk often are slow), and in rare cases I have seen over 5 minutes before google DNS catches it. Therefor a DNS sleep of at least 300 seconds are recommended-
1 | acme.sh --issue --dns dns_gdnsdk --dnssleep 300 -d example.com -d *.example.com |
53. Use Namecheap
You will need your namecheap username, API KEY (https://www.namecheap.com/support/api/intro.aspx) and your external IP address (or an URL to get it), this IP will need to be whitelisted at Namecheap. Due to Namecheap’s API limitation all the records of your domain will be read and re applied, make sure to have a backup of your records you could apply if any issue would arise.
1 | export NAMECHEAP_USERNAME="..." |
NAMECHEAP_SOURCEIP can either be an IP address or an URL to provide it (e.g. https://ifconfig.co/ip).
The username and password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
Now you can issue a certificate.
1 | acme.sh --issue --dns dns_namecheap -d example.com -d *.example.com |
54. Use MyDNS.JP API
First, register to MyDNS.JP and get MasterID and Password.
1 | export MYDNSJP_MasterID=MasterID |
To issue a certificate:
1 | acme.sh --issue --dns dns_mydnsjp -d example.com -d www.example.com |
The MYDNSJP_MasterID and MYDNSJP_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
55. Use hosting.de API
Create an API key in your hosting.de account here: https://secure.hosting.de
The key needs the following rights:
- DNS_ZONES_EDIT
- DNS_ZONES_LIST
Set your API Key and endpoint:
1 | export HOSTINGDE_APIKEY='xxx' |
The plugin can also be used for the http.net API. http.net customers have to set endpoint to https://partner.http.net.
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_hostingde -d example.com -d *.example.com |
The hosting.de API key and endpoint will be saved in ~/.acme.sh/account.conf and will be reused when needed.
56. Use Neodigit.net API
1 | export NEODIGIT_API_TOKEN="eXJxTkdUVUZmcHQ3QWJackQ4ZGlMejRDSklRYmo5VG5zcFFKK2thYnE0WnVnNnMy" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_neodigit -d example.com -d www.example.com |
Neodigit API Token will be saved in ~/.acme.sh/account.conf and will be used when needed.
57. Use Exoscale API
Create an API key and secret key in the Exoscale account section
Set your API and secret key:
1 | export EXOSCALE_API_KEY='xxx' |
Now, let’s issue a cert:
1 | acme.sh --issue --dns dns_exoscale -d example.com -d www.example.com |
The EXOSCALE_API_KEY and EXOSCALE_SECRET_KEY will be saved in ~/.acme.sh/account.confand will be reused when needed.
58. Using PointHQ API to issue certs
Log into PointHQ account management and copy the API key from the page there.
1 | exportPointHQ_Email="[email protected]" |
You can then issue certs by using:
1 |
59. Use Active24 API
Create an API token in the Active24 account section, documentation on https://faq.active24.com/cz/790131-REST-API-rozhran%C3%AD.
Set your API token:
1 | export ACTIVE24_Token='xxx' |
Now, let’s issue a cert, set dnssleep for propagation new DNS record:
1 | acme.sh --issue --dns dns_active24 -d example.com -d www.example.com --dnssleep 1000 |
The ACTIVE24_Token will be saved in ~/.acme.sh/account.conf and will be reused when needed.
60. Use do.de API
Create an API token in your do.de account (Create token here | Documentation).
Set your API token:
1 | export DO_LETOKEN='FmD408PdqT1E269gUK57' |
To issue a certificate run:
1 | acme.sh --issue --dns dns_doapi -d example.com -d *.example.com |
The API token will be saved in ~/.acme.sh/account.conf and will be reused when needed.
61. Use Nexcess API
First, you’ll need to login to the Nexcess.net Client Portal and generate a new API token.
Once you have a token, set it in your systems environment:
1 | export NW_API_TOKEN="YOUR_TOKEN_HERE" |
Finally, we’ll issue the certificate: (Nexcess DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)
1 | acme.sh --issue --dns dns_nw -d example.com --dnssleep 900 |
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.
62. Use Thermo.io API
First, you’ll need to login to the Thermo.io Client Portal and generate a new API token.
Once you have a token, set it in your systems environment:
1 | export NW_API_TOKEN="YOUR_TOKEN_HERE" |
Finally, we’ll issue the certificate: (Thermo DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)
1 | acme.sh --issue --dns dns_nw -d example.com --dnssleep 900 |
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.
63. Use Futurehosting API
First, you’ll need to login to the Futurehosting Client Portal and generate a new API token.
Once you have a token, set it in your systems environment:
1 | export NW_API_TOKEN="YOUR_TOKEN_HERE" |
Finally, we’ll issue the certificate: (Futurehosting DNS publishes at max every 15 minutes, we recommend setting a 900 second --dnssleep)
1 | acme.sh --issue --dns dns_nw -d example.com --dnssleep 900 |
The NW_API_TOKEN and NW_API_ENDPOINT will be saved in ~/.acme.sh/account.conf and will be reused when needed.
64. Use Rackspace API
Set username and API key, which is available under “My Profile & Settings”
1 | export RACKSPACE_Username='username' |
Now, let’s issue a cert:
1 | acme.sh --issue --dns dns_rackspace -d example.com -d www.example.com |
65. Use Online API
First, you’ll need to retrive your API key, which is available under https://console.online.net/en/api/access
1 | export ONLINE_API_KEY='xxx' |
To issue a cert run:
1 | acme.sh --issue --dns dns_online -d example.com -d www.example.com |
ONLINE_API_KEY will be saved in ~/.acme.sh/account.conf and will be reused when needed.
66. Use MyDevil.net
Make sure that you can execute own binaries:
1 | devil binexec on |
Install acme.sh, or simply git clone it into some directory on your MyDevil host account (in which case you should link to it from your ~/bin directory).
If you’re not using private IP and depend on default IP provided by host, you may want to edit crontab too, and make sure that acme.sh --cron is run also after reboot (you can find out how to do that on their wiki pages).
To issue a new certificate, run:
1 | acme.sh --issue --dns dns_mydevil -d example.com -d *.example.com |
After certificate is ready, you can install it with deploy command.
67. Use Core-Networks API to automatically issue cert
First you need to login to your Core-Networks account to to set up an API-User. Then export username and password to use these credentials.
1 | export CN_User="user" |
Ok, let’s issue a cert now:
1 | acme.sh --issue --dns dns_cn -d example.com -d www.example.com |
The CN_User and CN_Password will be saved in ~/.acme.sh/account.conf and will be reused when needed.
68. Use NederHost API
Create an API token in Mijn NederHost.
Set your API key:
1 | export NederHost_Key='xxx' |
To issue a certificate run:
1 | acme.sh --issue --dns dns_nederhost -d example.com -d *.example.com |
69. Use Zone.ee DNS API
First, you’ll need to retrive your API key. Estonian insructions https://help.zone.eu/kb/zoneid-api-v2/
1 | export ZONE_Username=yourusername |
To issue a cert run:
1 | acme.sh --issue -d example.com -d www.example.com --dns dns_zone |
ZONE_Username and ZONE_Key will be saved in ~/.acme.sh/account.conf and will be reused when needed.
70. Use UltraDNS API
UltraDNS is a paid for service that provides DNS, as well as Web and Mail forwarding (as well as reporting, auditing, and advanced tools).
More information can be found here: https://www.security.neustar/lp/ultra20/index.html
The REST API documentation for this service is found here: https://portal.ultradns.com/static/docs/REST-API_User_Guide.pdf
Set your UltraDNS User name, and password; these would be the same you would use here:
https://portal.ultradns.com/ - or if you create an API only user, that username and password would be better utilized.
1 | export ULTRA_USR="abcd" |
ULTRA_USR and ULTRA_PWD will be saved in ~/.acme.sh/account.conf and will be resued when needed.
71. Use deSEC.io
Sign up for dynDNS at https://desec.io first.
Set your API token (password) and domain (username) from your email sent by desec.io
1 | export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e |
To issue a certificate run:
1 | acme.sh --issue --dns dns_desec -d foobar.dedyn.io -d *.foobar.dedyn.io |
72. Use OpenProvider API
First, you need to enable API access and retrieve your password hash on https://rcp.openprovider.eu/account/dashboard.php
1 | export OPENPROVIDER_USER='username' |
OPENPROVIDER_USER and OPENPROVIDER_PASSWORDHASH will be saved in ~/.acme.sh/account.conf and will be reused when needed.