This guide configures acme.sh to automatically issue certificates from Let's Encrypt, using PowerDNS for DNS-01 validation. It assumes you are running as root.
Set up acme.sh
The quickest way to download and install acme.sh is to run the following command in a shell (replace the placeholder with the e-mail address you want registered with the CA):
curl https://get.acme.sh | sh -s email=YOUR_EMAIL_ADDRESS
Edit ~/.acme.sh/account.conf and add your PowerDNS API information. The token is the API key configured in PowerDNS itself.
SAVED_PDNS_Url='dns.wenberg.net:8081'
SAVED_PDNS_ServerId='localhost'
SAVED_PDNS_Token='YOUR_API_KEY'
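As an added check that is not part of this post or of acme.sh, the Python below parses the SAVED_PDNS_* entries from account.conf, flags the settings that commonly break the dns_pdns hook or expose the API key (a PDNS_Url without a scheme, plain http to a remote host, a placeholder token, an account.conf readable by group or others), and prints the zones URL the hook will call. It assumes the hook appends /api/v1/servers/<ServerId>/... to PDNS_Url, as the acme.sh dns_pdns documentation describes.

```python
import re
import stat
from urllib.parse import urlsplit

# Constructed sample mirroring the three account.conf lines from the post.
SAMPLE_CONF = """SAVED_PDNS_Url='dns.wenberg.net:8081'
SAVED_PDNS_ServerId='localhost'
SAVED_PDNS_Token='YOUR_API_KEY'
"""
# acme.sh persists settings as SAVED_<NAME>='<value>' lines.
LINE_RE = re.compile(r"^SAVED_(\w+)='?([^']*)'?$")

def parse_account_conf(text):
    """Return {NAME: value} for every SAVED_* entry in account.conf text."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_pdns_conf(conf):
    """Return a list of findings; an empty list means the settings look usable."""
    findings = []
    parts = urlsplit(conf.get("PDNS_Url", ""))
    if parts.scheme not in ("http", "https"):
        findings.append("PDNS_Url lacks an http(s):// scheme; the hook passes it to curl as-is")
    elif parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        findings.append("PDNS_Url is plain http to a remote host; the API key travels in clear")
    if not conf.get("PDNS_ServerId"):
        findings.append("PDNS_ServerId is empty")
    if conf.get("PDNS_Token", "") in ("", "YOUR_API_KEY"):
        findings.append("PDNS_Token is unset or still the placeholder")
    return findings

def api_endpoint(conf):
    """Zones URL the dns_pdns hook calls (assumed path, per acme.sh docs)."""
    return f"{conf['PDNS_Url']}/api/v1/servers/{conf['PDNS_ServerId']}/zones"

def mode_is_private(mode):
    """True when no group/other bits are set, e.g. os.stat(path).st_mode of a 0600 file."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0

if __name__ == "__main__":
    conf = parse_account_conf(SAMPLE_CONF)
    for finding in check_pdns_conf(conf):
        print("WARNING:", finding)
    print("dns_pdns hook will query", api_endpoint(conf))
```

Run it against the real file with open("/root/.acme.sh/account.conf").read() and os.stat(...).st_mode once the values are filled in; the account.conf holds the API key, so it should pass mode_is_private.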
Set up bash script to renew and deploy certificates
When acme.sh is installed with the curl command above, it adds a cron job that renews certificates. I like to replace that cron entry with a simple bash script that both renews and deploys the certificates. Create the script at /root/.acme.sh/run.sh with the following contents (the wildcard domain is quoted so the shell does not expand it as a glob):
#!/bin/bash
# Renew any certificate that is due
/root/.acme.sh/acme.sh --cron --home "/root/.acme.sh"
# Copy the key and certificates into place and reload the consuming service
/root/.acme.sh/acme.sh --install-cert --domain "*.wenberg.net" \
  --cert-file /etc/nginx/ssl/ssl.pem \
  --key-file /etc/nginx/ssl/key.key \
  --fullchain-file /etc/nginx/ssl/fullchain.pem \
  --reloadcmd "systemctl restart nginx.service"
This script deploys the key and certificates to /etc/nginx/ssl; adjust the paths to suit your setup. Finally, it restarts the service that uses those certificates, in this case nginx.
Now make it executable.
chmod +x /root/.acme.sh/run.sh
Edit your crontab with:
crontab -e
Replace:
55 22 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
With:
55 22 * * * /root/.acme.sh/run.sh > /dev/null
This points the cron entry at the script created above, so the same nightly job now renews and deploys your certificates.
Request a certificate
While in the /root/.acme.sh/ directory, run the following command:
./acme.sh --issue --dns dns_pdns -d "*.wenberg.net" --log --server letsencrypt
The above command requests a wildcard certificate that can be used for any subdomain. You can request additional Subject Alternative Names (SANs) by adding further -d another.domain.com arguments. This example uses Let's Encrypt, but you can also use ZeroSSL, Google and other supported CAs.
Test run.sh
Execute run.sh and make sure it completes without errors.
./run.sh
