ACME SSL/TLS Automation with Apache and Nginx

This how-to walks you through setting up automated certificate installation and renewal with SSL.com for Apache and Nginx, using the ACME protocol and the Certbot client.

Note: You will need SSH access and sudo privileges on your web server to follow these instructions.

Install Certbot and Retrieve ACME Credentials

  1. SSH into your web server.
  2. Make sure that a current version of Certbot, along with the Apache and Nginx plugins, is installed on your web server:
    • If you have snapd installed, you can use this command for installation:
      sudo snap install --classic certbot
    • If /snap/bin/ is not in your PATH, you will also need to add it, or create a symlink with a command like this:
      sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Retrieve your ACME credentials from your SSL.com account:
    1. Log into your SSL.com account. If you are already logged in, go to the Dashboard tab.
    2. Click api credentials, located under developers and integration.
    3. You will need your Account/ACME Key and HMAC Key to request certificates. Click the clipboard icon next to each key to copy the value to the clipboard.

Apache Installation and Automation

Use a command like this to install on Apache. Replace values in ALL CAPS with your actual values:

sudo certbot --apache --email EMAIL-ADDRESS --agree-tos --no-eff-email --manual-public-ip-logging-ok --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-rsa/ -d DOMAIN.NAME

Breaking the command down:

  • sudo certbot runs the certbot command with superuser privileges.
  • --apache tells Certbot to obtain certificates and install them for Apache.
  • --email EMAIL-ADDRESS provides a registration email address. You may specify multiple addresses, separated by commas.
  • --agree-tos (optional) agrees to the ACME subscriber agreement. You can omit this if you want to agree interactively.
  • --no-eff-email (optional) indicates that you do not want to share your email address with the EFF. If you omit this, you will be prompted with the option to share your email address.
  • --manual-public-ip-logging-ok (optional) automatically allows public IP logging. If you skip this option, you will receive a prompt asking if you wish to allow it. Public IP logging is not required.
  • --config-dir /etc/ssl-com (optional) sets the configuration directory.
  • --logs-dir /var/log/ssl-com (optional) sets the directory for logs.
  • --eab-kid ACCOUNT-KEY specifies your Account/ACME Key, the key identifier for external account binding.
  • --eab-hmac-key HMAC-KEY specifies your HMAC key, which signs the external account binding.
  • --server https://acme.ssl.com/sslcom-dv-rsa/ specifies SSL.com’s ACME server, exactly as given in the command above.
  • -d DOMAIN.NAME specifies the domain name that the certificate will cover.
Note: You can use the -d DOMAIN.NAME option multiple times in your command to add domain names to your certificate. Please see our information on certificate types and billing to see how different combinations of domain names map to SSL.com certificate types and their corresponding pricing.
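The --eab-kid and --eab-hmac-key options feed RFC 8555 external account binding: Certbot signs its new ACME account's public key with the HMAC key, and the CA checks that signature against the key it issued for that kid before linking the ACME account to your SSL.com account. The following is an added example, not Certbot's or SSL.com's code; the account key, HMAC key, newAccount URL and JWK are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_eab(kid: str, hmac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding JWS (RFC 8555 section 7.3.4) that the
    client embeds in its newAccount request: HS256 over the account's public
    JWK, keyed with the CA-issued HMAC key, with the kid in the header."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}


def verify_eab(eab: dict, hmac_key: str) -> bool:
    """The CA-side check: recompute the MAC with the key on file for the kid and
    compare in constant time, so a wrong or stale HMAC key cannot bind a new
    ACME account to the CA account."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


# Constructed placeholders: real values come from the SSL.com dashboard, and the
# newAccount URL from the ACME directory resource.
ACCOUNT_KEY = "example-account-kid"
HMAC_KEY = b64url(b"0123456789abcdef0123456789abcdef")
NEW_ACCOUNT_URL = "https://acme.example/newAccount"
# Dummy P-256 JWK; the coordinates are not a valid point, only the structure matters here.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

if __name__ == "__main__":
    eab = build_eab(ACCOUNT_KEY, HMAC_KEY, ACCOUNT_JWK, NEW_ACCOUNT_URL)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab(eab, HMAC_KEY))
```

Because the HMAC key is what lets anyone create ACME accounts billed to your SSL.com account, store it like any other credential rather than in shell history or world-readable scripts.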

You should see output like this after you run the command:

Saving debug log to /var/log/ssl-com/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for DOMAIN.NAME
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/DOMAIN.NAME.conf to ssl vhost in /etc/apache2/sites-available/DOMAIN-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://DOMAIN.NAME
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot will also create a crontab file like this for automated non-interactive renewal of any certbot-installed certificate expiring within 30 days:

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Note: All SSL/TLS certificates issued via ACME by SSL.com have a one-year lifetime.
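The renewal job above runs certbot renew with Certbot's default configuration directory, so certificates placed under --config-dir /etc/ssl-com are only picked up when renew is given that option as well; an independent check of what the server actually presents catches that case before the certificate expires. This is an added example, not SSL.com's own tooling: it assumes Python 3 with only the standard library, and DOMAIN.NAME is a placeholder.

```python
import socket
import ssl
import time

RENEWAL_WINDOW_DAYS = 30      # certbot renew only acts inside this window
ISSUED_LIFETIME_DAYS = 365    # SSL.com ACME certificates are issued for one year


def epoch(cert_time: str) -> float:
    """Parse the getpeercert() date format, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(cert_time)


def renewal_status(not_after: str, now_epoch: float) -> str:
    """'expired', 'due' (inside the renewal window, so the timer should already
    have replaced it) or 'ok'."""
    remaining_days = (epoch(not_after) - now_epoch) / 86400
    if remaining_days <= 0:
        return "expired"
    if remaining_days <= RENEWAL_WINDOW_DAYS:
        return "due"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the certificate actually served, with chain and hostname validation,
    so a failed deploy surfaces as an error rather than a silent pass."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(cert: dict, now_epoch: float) -> dict:
    """Summarise issuer, lifetime and renewal state from a getpeercert() dict."""
    lifetime_days = (epoch(cert["notAfter"]) - epoch(cert["notBefore"])) / 86400
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {
        "issuer": issuer.get("organizationName"),
        "lifetime_days": round(lifetime_days),
        "status": renewal_status(cert["notAfter"], now_epoch),
        # A lifetime far from one year means this is not the SSL.com ACME cert you expected.
        "unexpected_lifetime": abs(lifetime_days - ISSUED_LIFETIME_DAYS) > 3,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "DOMAIN.NAME"
    print(report(fetch_peer_cert(host), time.time()))
```

Run it from a monitoring host on a schedule and alert on "due" or "expired": a "due" result means the renewal timer has not done its job within the 30-day window.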

Nginx Installation and Automation

For Nginx, simply substitute --nginx for --apache in the command shown above:

sudo certbot --nginx --email EMAIL-ADDRESS --agree-tos --no-eff-email --manual-public-ip-logging-ok --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-rsa/ -d DOMAIN.NAME

Force Renewal Manually

If you wish to manually renew a certificate before expiry is imminent, use this command. The --config-dir and --logs-dir values must match the ones used at installation; otherwise Certbot looks in its default /etc/letsencrypt directory and will not find the certificate:

sudo certbot renew --force-renewal --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --cert-name DOMAIN.NAME
