To order a Let’s Encrypt certificate, you need to add a Zone API key. To add an API key, see the Zone API guide. Add the username and key to the ~/.bash_profile file over SSH. Replace ZONEID_USERNAME with your ZoneID username and ZONEID_APIKEY with your API key:
echo "export ZONE_Username=ZONEID_USERNAME" >> ~/.bash_profile
echo "export ZONE_Key=ZONEID_APIKEY" >> ~/.bash_profile
source ~/.bash_profile
We use the Acme.sh client to order a Let’s Encrypt certificate.
To install the Acme.sh client, run:
cd ~
curl https://get.acme.sh | sh
mkdir -p ~/bin
ln -s ~/.acme.sh/acme.sh ~/bin/acme.sh
Create the ~/certs directory to store certificates:
mkdir -p ~/certs
Create a certificate. In the following example, replace example.com with your domain. The --reloadcmd option is followed by a command that is executed to reload the desired application (Node.js, etc.) so that it loads the new certificate. It may take up to 5 minutes for the name server record to reach the server:
acme.sh --issue -d example.com --dns dns_zone \
--cert-file ~/certs/example.com.cert.pem \
--key-file ~/certs/example.com.key.pem \
--fullchain-file ~/certs/example.com.fullchain.pem \
--reloadcmd "pm2 restart nodejs-rakenduse-nimi"
A Let’s Encrypt certificate is valid for three months, which means it needs to be renewed regularly. To do this, add the following weekly system Crontab job (replace example.com before adding):
source ~/.bash_profile && acme.sh --issue -d example.com --cert-file ~/certs/example.com.cert.pem --key-file ~/certs/example.com.key.pem --fullchain-file ~/certs/example.com.fullchain.pem --dns dns_zone --reloadcmd "pm2 restart nodejs-rakenduse-nimi"
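A post-setup check for the steps above, as an added example that is not part of the original guide or of acme.sh: it verifies that ~/.bash_profile (which now holds ZONE_Key) and the private key are not accessible to other users, that the certificate matches the key, and that the cron job is keeping the certificate at least 14 days from expiry. The function names and the 14-day threshold are assumptions; it needs GNU stat and openssl.

```bash
#!/usr/bin/env bash
# Added example: checks for the files this guide creates. Function names and
# the 14-day threshold are assumptions, not part of acme.sh or the Zone API.

# True when FILE grants no permissions to group or other (e.g. 600).
is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# True when CERT and KEY contain the same public key.
cert_matches_key() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True when CERT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# usage: audit_cert_setup DOMAIN [CERT_DIR] [PROFILE]; returns 0 if all pass.
audit_cert_setup() {
    local dir="${2:-$HOME/certs}" profile="${3:-$HOME/.bash_profile}" rc=0
    local cert="$dir/$1.cert.pem" key="$dir/$1.key.pem"
    is_private "$profile" ||
        { echo "WARN: $profile holds ZONE_Key but is open to group/other"; rc=1; }
    is_private "$key" ||
        { echo "WARN: $key is open to group/other"; rc=1; }
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert does not match $key"; rc=1; }
    valid_for_days "$cert" 14 ||
        { echo "FAIL: $cert expires within 14 days, check the cron job"; rc=1; }
    return "$rc"
}

# Run the audit only when a domain is given: ./audit.sh example.com
if [ "$#" -gt 0 ]; then
    audit_cert_setup "$@"
fi
```

If either permission check warns, chmod 600 on the named file closes it.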
This guide is referenced from Ingmar Aasoja’s guide. Thanks also to tambetliiv for adding Acme.sh Zone API support.