ACME SSL/TLS Automation with Apache and Nginx

How to use the ACME protocol to automate SSL/TLS certificates from SSL.com on the Apache and Nginx web servers.

Related Content

Want to keep learning?

Subscribe to SSL.com’s newsletter, stay informed and secure.

Copy article link

This how-to will walk you through setting up automated certificate installation and renewal with SSL.com for Apache and Nginx with the ACME protocol and Certbot client.

Note: You will need SSH access and sudo privileges on your web server to follow these instructions.
Note:
You can use many other ACME clients, including Kubernetes cert-manager, with SSL.com’s ACME service.
acme4j  client can now use SSL.com ACME services on this repository: https://github.com/SSLcom/acme4j
Please refer to your software provider’s documentation for instructions for other non-Certbot ACME clients.

Install Certbot and Retrieve ACME Credentials

  1. SSH into your web server.
  2. Make sure that a current version of Certbot, along with the Apache and Nginx plugins, are installed on your web server:
    • If you have snapd installed, you can use this command for installation: 
      sudo snap install --classic certbot
    • If /snap/bin/ is not in your PATH, you will also need add it or run a command like this: 
      sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Retrieve your ACME credentials from your SSL.com account:
    1. Log into your SSL.com account. If you are already logged in, go to the Dashboard tab.
      Dashboard
    2. Click api credentials, located under developers and integration.
      API credentials link
    3. You will need your Account/ACME Key and HMAC Key to request certificates. Click the clipboard icon () next to each key to copy the value to the clipboard.
      Account/ACME Key and HMAC Key
Go to top

Apache Installation and Automation

Use a command like this to install on Apache. Replace values in ALL CAPS with your actual values:

sudo certbot --apache --email EMAIL-ADDRESS --agree-tos --no-eff-email --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-ecc -d DOMAIN.NAME

Breaking the command down:

  • sudo certbot runs the certbot command with superuser privileges.
  • --apache specifies to install certificates for use with Apache.
  • --email EMAIL-ADDRESS provides a registration email address. You may specify multiple addresses, separated by commas.
  • --agree-tos (optional) agrees to the ACME subscriber agreement. You can omit this if you want to agree interactively.
  • --no-eff-email (optional) indicates that you do not want share your email address with the EFF. If you omit this you will be prompted with the option to share your email address.
  • --config-dir /etc/ssl-com (optional) sets the configuration directory.
  • --logs-dir /var/log/ssl-com (optional) sets the directory for logs.
  • --eab-kid ACCOUNT-KEY specifies your account key.
  • --eab-hmac-key HMAC-KEY specifies your HMAC key.
  • --server https://acme.ssl.com/sslcom-dv-ecc specifies SSL.com’s ACME server.
  • -d DOMAIN.NAME specifies the domain name that the certificate will cover.
Note: Certbot 2.0.0 or newer defaults to generating ECDSA for new certificates. The above command is for an ECDSA keypair and certificate. To use RSA keys instead:

  • Change the --server value in the command to https://acme.ssl.com/sslcom-dv-rsa
Note: You can use the -d DOMAIN.NAME option multiple times in your command to add domain names to your certificate. Please see our information on certificate types and billing to see how different combinations of domain names map to SSL.com certificate types and their corresponding pricing.
When you first run the above certbot command, ACME account info will be stored on your computer in the configuration directory (/etc/ssl-com in the command shown above. On future runs of certbot, you can omit the --eab-hmac-key and --eab-kid options because certbot will ignore them in favor of the locally stored account info.

If you need to associate your ACME certificate orders for the computer with a different SSL.com account, you should remove this account information from your computer with the command sudo rm -r /etc/ssl-com/accounts/acme.ssl.com (or, if you omitted the optional --config-dir option, sudo rm -r /etc/letsencrypt/accounts/acme.ssl.com).

You should see output like this after you run the command:

Saving debug log to /var/log/ssl-com/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for DOMAIN.NAME
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/DOMAIN.NAME.conf to ssl vhost in /etc/apache2/sites-available/DOMAIN-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://DOMAIN.NAME
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot will also create a crontab file like this for automated non-interactive renewal of any certbot-installed certificate expiring within 30 days:

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Note: All SSL/TLS certificates issued via ACME by SSL.com have a one-year lifetime.
Go to top

Nginx Installation and Automation

For Nginx, simply substitute --nginx for --apache in the command shown above:

sudo certbot --nginx --email EMAIL-ADDRESS --agree-tos --no-eff-email --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-ecc -d DOMAIN.NAME
Note: Certbot 2.0.0 or newer defaults to generating ECDSA for new certificates. The above command is for an ECDSA keypair and certificate. To use RSA keys instead:

  • Change the --server value in the command to https://acme.ssl.com/sslcom-dv-rsa
Go to top

Force Renewal Manually

If you wish to manually renew a certificate before expiry is imminent, use this command:

certbot renew --force-renewal --cert-name DOMAIN.NAME

SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites.

COMPARE SSL/TLS CERTIFICATES

Stay Informed and Secure

SSL.com is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from SSL.com.

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.

Take Survey