ACME

An ACME protocol client written purely in Shell (Unix shell) language

Installation

curl https://get.acme.sh | sh -s email=my@example.com

DNS challenge

# generate challenge (.key, .cer, etc)
.acme.sh/acme.sh --issue --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please
# return a DNS TXT record like: 
# Domain: '_acme-challenge.sub.domain.tld'
# TXT value: 'xxx'
# Once added on the DNS, you can run `--renew`

# generate (.key, .cer, etc)
.acme.sh/acme.sh --renew --dns -d sub.domain.tld --keylength 4096 --yes-I-know-dns-manual-mode-enough-go-ahead-please

Notes:

• certificate is valid 90 days, no more
• to correctly renew certificate with no too much dependency on DNS record node, its better to:
  1. run acme --issue on responsible node (i.e. the one asking a certificate renew)
  2. the responsible node update DNS record through a client DynamicDNS by adding the TXT record
  3. the responsible node can the generate himself the new certificate(s)
• if you want to choose another CA, such as letsencrypt you can do --server letsencrypt, however the default one, ZeroSSL seems better, see comparison