SSL.com

ACME SSL/TLS Automation with Apache and Nginx

This how-to will walk you through setting up automated certificate installation and renewal with SSL.com for Apache and Nginx with the ACME protocol and Certbot client.

Note: You will need SSH access and sudo privileges on your web server to follow these instructions.
Note:
You can use many other ACME clients, including Kubernetes cert-manager, with SSL.com’s ACME service.
acme4j  client can now use SSL.com ACME services on this repository: https://github.com/SSLcom/acme4j
Please refer to your software provider’s documentation for instructions for other non-Certbot ACME clients.

Install Certbot and Retrieve ACME Credentials

  1. SSH into your web server.
  2. Make sure that a current version of Certbot, along with the Apache and Nginx plugins, are installed on your web server:
    • If you have snapd installed, you can use this command for installation:
      sudo snap install --classic certbot
    • If /snap/bin/ is not in your PATH, you will also need add it or run a command like this:
      sudo ln -s /snap/bin/certbot /usr/bin/certbot
  3. Retrieve your ACME credentials from your SSL.com account:
    1. Log into your SSL.com account. If you are already logged in, go to the Dashboard tab.
      Dashboard
    2. Click api credentials, located under developers and integration.
    3. You will need your Account/ACME Key and HMAC Key to request certificates. Click the clipboard icon () next to each key to copy the value to the clipboard.

Apache Installation and Automation

Use a command like this to install on Apache. Replace values in ALL CAPS with your actual values:

sudo certbot --apache --email EMAIL-ADDRESS --agree-tos --no-eff-email --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-ecc -d DOMAIN.NAME

Breaking the command down:

Note: Certbot 2.0.0 or newer defaults to generating ECDSA for new certificates. The above command is for an ECDSA keypair and certificate. To use RSA keys instead:
  • Change the --server value in the command to https://acme.ssl.com/sslcom-dv-rsa
Note: You can use the -d DOMAIN.NAME option multiple times in your command to add domain names to your certificate. Please see our information on certificate types and billing to see how different combinations of domain names map to SSL.com certificate types and their corresponding pricing.
When you first run the above certbot command, ACME account info will be stored on your computer in the configuration directory (/etc/ssl-com in the command shown above. On future runs of certbot, you can omit the --eab-hmac-key and --eab-kid options because certbot will ignore them in favor of the locally stored account info.

If you need to associate your ACME certificate orders for the computer with a different SSL.com account, you should remove this account information from your computer with the command sudo rm -r /etc/ssl-com/accounts/acme.ssl.com (or, if you omitted the optional --config-dir option, sudo rm -r /etc/letsencrypt/accounts/acme.ssl.com).

You should see output like this after you run the command:

Saving debug log to /var/log/ssl-com/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for DOMAIN.NAME
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/DOMAIN-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/DOMAIN.NAME.conf to ssl vhost in /etc/apache2/sites-available/DOMAIN-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://DOMAIN.NAME
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot will also create a crontab file like this for automated non-interactive renewal of any certbot-installed certificate expiring within 30 days:

$ cat /etc/cron.d/certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
#
# Upstream recommends attempting renewal twice a day
#
# Eventually, this will be an opportunity to validate certificates
# haven't been revoked, etc.  Renewal will only occur if expiration
# is within 30 days.
#
# Important Note!  This cronjob will NOT be executed if you are
# running systemd as your init system.  If you are running systemd,
# the cronjob.timer function takes precedence over this cronjob.  For
# more details, see the systemd.timer manpage, or use systemctl show
# certbot.timer.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
Note: All SSL/TLS certificates issued via ACME by SSL.com have a one-year lifetime.

Nginx Installation and Automation

For Nginx, simply substitute --nginx for --apache in the command shown above:

sudo certbot --nginx --email EMAIL-ADDRESS --agree-tos --no-eff-email --config-dir /etc/ssl-com --logs-dir /var/log/ssl-com --eab-kid ACCOUNT-KEY --eab-hmac-key HMAC-KEY --server https://acme.ssl.com/sslcom-dv-ecc -d DOMAIN.NAME
Note: Certbot 2.0.0 or newer defaults to generating ECDSA for new certificates. The above command is for an ECDSA keypair and certificate. To use RSA keys instead:
  • Change the --server value in the command to https://acme.ssl.com/sslcom-dv-rsa

Force Renewal Manually

If you wish to manually renew a certificate before expiry is imminent, use this command:

certbot renew --force-renewal --cert-name DOMAIN.NAME

SSL.com provides a wide variety of SSL/TLS server certificates for HTTPS websites.

COMPARE SSL/TLS CERTIFICATES

Exit mobile version