Get free ZeroSSL wildcard SSL certificates with acme.sh DNS API
Frank Lin · 2021-10-14 · via inDev. Journal

ACME stands for Automatic Certificate Management Environment and provides an easy-to-use method of automating interactions between a certificate authority (like Let’s Encrypt, or ZeroSSL) and a web server. With ZeroSSL’s ACME feature, you can generate an unlimited amount of 90-day SSL certificates (even multi-domain and wildcard certificates) without any charges.

Create ZeroSSL account

Visit the ZeroSSL official site to register an account. All certificates issued through ACME will be stored in your ZeroSSL account dashboard for easy management (once you have registered the account with acme.sh, see below).

Install acme.sh

acme.sh is an ACME protocol client written purely in Shell. It works on any Linux server without special requirements.

Before you begin, update your system packages so that the CA bundle and security patches are current; otherwise certificate issuance may fail. Once that is done, continue with the procedure below.

Now install it from https://get.acme.sh:

curl https://get.acme.sh | sh -s email=<email@example.com>

source ~/.bashrc

# if you're using zsh
# source ~/.zshrc

That’s it. For advanced installation options, visit https://github.com/acmesh-official/acme.sh/wiki/How-to-install for details.

Then, you can register your ZeroSSL account with acme.sh:

acme.sh --register-account -m <email@example.com> --server zerossl

It’s strongly recommended to enable automatic upgrades of acme.sh with:

acme.sh --upgrade --auto-upgrade

acme.sh will then keep itself at the latest release automatically.

To stop automatic upgrades, run acme.sh --upgrade --auto-upgrade 0.

Config DNS API

Cloudflare is used as the example here; the configuration for other DNS providers can be found at https://github.com/acmesh-official/acme.sh/wiki/dnsapi.

First, log in to your Cloudflare account and create an API token.

Scope the token as narrowly as possible: write access to Zone.DNS for the single domain you need is enough. Then set the following variables in your shell (acme.sh saves them on first use):

export CF_Token="xxxxxxxxxxxxxxxxxxxxxxxxxx"
export CF_Account_ID="xxxxxxxxxxxxx"
export CF_Zone_ID="xxxxxxxxxxxxx"

CF_Zone_ID is not needed if your token is allowed to edit multiple DNS zones.

Issue a wildcard cert

After these configurations, you can issue certificates with (the wildcard is quoted so the shell does not expand it as a glob):

acme.sh --issue --dns dns_cf -d example.com -d '*.example.com'

The CF_Token, CF_Account_ID, and CF_Zone_ID will be saved in ~/.acme.sh/account.conf and will be reused when needed.
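As an added example (not from the post or from acme.sh) of treating that saved token as a secret: the script below loads CF_Token from a file that only its owner can read instead of from a command line that ends up in shell history, and checks that account.conf has not been left readable by other users. The path ~/.config/acme/cf_token and the token value used in the comments are assumptions; the /user/tokens/verify endpoint is Cloudflare’s own.

```shell
#!/bin/sh
# Added example, not from the post or from acme.sh: handle the Cloudflare API
# token as a secret. acme.sh copies CF_Token into ~/.acme.sh/account.conf, so
# the token is only as safe as the files that hold it. Keep it in a file with
# mode 0600 (assumed path: ~/.config/acme/cf_token) and load it from there.

# Return 0 if $1 is a regular file that is neither group- nor world-readable.
secret_file_ok() {
  [ -f "$1" ] || return 1
  # POSIX find: -prune stops descent; -perm -004 / -040 test the other/group read bits.
  [ -z "$(find "$1" -prune \( -perm -004 -o -perm -040 \) -print)" ]
}

# Export CF_Token from the first line of $1 if the file's permissions are acceptable.
load_cf_token() {
  if ! secret_file_ok "$1"; then
    echo "refusing to load $1: make it a regular file with mode 0600 (chmod 600 \"$1\")" >&2
    return 1
  fi
  CF_Token=$(sed -n '1p' "$1" | tr -d '[:space:]')
  if [ -z "$CF_Token" ]; then
    echo "$1 is empty" >&2
    return 1
  fi
  export CF_Token
}

# Optional network check: ask Cloudflare whether the loaded token is active.
# The endpoint is Cloudflare's; it answers with JSON containing "status":"active".
verify_cf_token() {
  curl -fsS -H "Authorization: Bearer $CF_Token" \
    https://api.cloudflare.com/client/v4/user/tokens/verify | grep -q '"status":"active"'
}

# After acme.sh has run once, make sure it did not leave account.conf readable by others.
check_account_conf() {
  conf="${HOME}/.acme.sh/account.conf"
  if [ ! -e "$conf" ]; then
    echo "no $conf yet"
    return 0
  fi
  if secret_file_ok "$conf"; then
    echo "ok: $conf is private"
  else
    echo "WARNING: $conf is readable by others; run chmod 600 \"$conf\"" >&2
    return 1
  fi
}

# Usage: . ./cf_token.sh && load_cf_token ~/.config/acme/cf_token && check_account_conf
```

Source the file into the shell that will run acme.sh --issue, so that CF_Token is exported to it; verify_cf_token is a convenience for confirming that a freshly created token works before the first issuance.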

We can also get wildcard certs for subdomains, e.g.:

acme.sh --issue --dns dns_cf -d www.example.com -d '*.www.example.com'

All issued certificates will be stored in ~/.acme.sh/<example.com>/.

That’s it. For the official documentation, refer to https://zerossl.com/documentation/acme/.

Install the certs

After the cert is generated, the files are stored in ~/.acme.sh/<example.com>/, but it is NOT recommended to point your server at the files in the ~/.acme.sh/ folder, because its structure may change in the future.

Copy the certs to their target location instead, which you can do with the following commands:

Nginx example:

acme.sh --install-cert -d example.com \
    --key-file       /path/to/keyfile/in/nginx/key.pem  \
    --fullchain-file /path/to/fullchain/nginx/fullchain.pem \
    --reloadcmd      "sudo systemctl restart nginx"

Apache example:

acme.sh --install-cert -d example.com \
    --cert-file      /path/to/certfile/in/apache/cert.pem  \
    --key-file       /path/to/keyfile/in/apache/key.pem  \
    --fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
    --reloadcmd      "sudo service apache2 force-reload"

The ownership and permission info of existing files are preserved. You can pre-create the files to define the ownership and permissions.

The cert will be renewed every 60 days by default. Once the cert is renewed, the Apache/Nginx service is reloaded automatically by the --reloadcmd command.

Please take care: the reloadcmd is essential. The cert can be renewed automatically, but without a correct reloadcmd the renewed cert is never loaded by your server (nginx or apache), and after 60 days your website will still be presenting the old one.
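An added example, not part of the post or of acme.sh, covering both points above: it pre-creates the target files with restrictive permissions so that --install-cert preserves them, and after a renewal compares the SHA-256 fingerprint of the certificate the server actually presents with the one on disk, which is how a reloadcmd that silently stopped working shows up well before the 60 days run out. The directory layout /etc/nginx/ssl/example.com/ is an assumption; the script needs only a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the post or from acme.sh. Assumed layout (constructed):
# /etc/nginx/ssl/example.com/{key.pem,fullchain.pem}, the targets of --install-cert.

# Create $1 as a 0750 directory holding key.pem (0600) and fullchain.pem (0644).
# Existing files are never truncated; only their mode is set, so acme.sh
# --install-cert keeps these permissions when it writes the renewed files.
prepare_cert_dir() {
  mkdir -p "$1" && chmod 750 "$1" || return 1
  [ -e "$1/key.pem" ] || : > "$1/key.pem"
  chmod 600 "$1/key.pem" || return 1
  [ -e "$1/fullchain.pem" ] || : > "$1/fullchain.pem"
  chmod 644 "$1/fullchain.pem" || return 1
}

# SHA-256 fingerprint (colon-separated hex) of the first certificate in PEM file $1.
cert_fingerprint_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate that host $1 presents on port $2 (default 443).
# -servername sends SNI, so the right virtual host answers.
cert_fingerprint_served() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Return 0 if the certificate in $1 is still valid $2 days from now.
# openssl -checkend does the date arithmetic, so no platform-specific date parsing is needed.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Compare the served certificate for host $1 with file $2 and require $3 (default 14) days of validity.
check_installed_cert() {
  host=$1; pem=$2; min_days=${3:-14}
  on_disk=$(cert_fingerprint_file "$pem")
  [ -n "$on_disk" ] || { echo "cannot read a certificate from $pem" >&2; return 1; }
  served=$(cert_fingerprint_served "$host")
  [ -n "$served" ] || { echo "no certificate received from $host" >&2; return 1; }
  if [ "$on_disk" != "$served" ]; then
    echo "MISMATCH: $host serves $served but $pem is $on_disk; did the reloadcmd run?" >&2
    return 1
  fi
  if ! cert_valid_for_days "$pem" "$min_days"; then
    echo "EXPIRING: $pem will not be valid $min_days days from now" >&2
    return 2
  fi
  echo "OK: $host serves the certificate in $pem"
}

# Usage: sh check_cert.sh example.com /etc/nginx/ssl/example.com/fullchain.pem
if [ $# -ge 2 ]; then
  check_installed_cert "$@"
fi
```

Run the check from cron a few minutes after the acme.sh cron job, or once by hand after changing --reloadcmd. For nginx, a reloadcmd of "nginx -t && systemctl reload nginx" is a safer choice than a bare restart: the configuration is validated first, so a broken config cannot take the site down, and a reload keeps existing connections open.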

Renew the certs

You don’t need to renew the certs manually; all certs are renewed automatically every 60 days.

However, you can also force a renewal with:

acme.sh --renew -d example.com --force

Stop cert renewal

To stop the automatic renewal of a cert, you can execute the following to remove the cert from the renewal list:

acme.sh --remove -d example.com

The cert and key files are not removed from the local file system; remove those files or their directories (e.g. ~/.acme.sh/example.com) yourself.

THE END

Hey, there! This is Frank Lin (@flinhong), one of the 1.41 billion. This 'inDev. Journal' site holds the exploration of my quirky thoughts and random adventures through life. Hope you enjoy reading and perusing my posts.