How to Upgrade Your Site from HTTP to HTTPS with Free acme.sh Certificates
This guide explains why you should switch from HTTP to HTTPS, compares the two protocols, shows how to obtain free or paid SSL certificates, and provides step‑by‑step instructions for installing and automating certificate issuance using the acme.sh script on Apache, Nginx or standalone servers.
Many site owners now upgrade their sites from HTTP to HTTPS for security and to meet third‑party platform requirements such as Chrome’s “Not Secure” warning and WeChat Mini‑Program mandates.
HTTP vs HTTPS
HTTPS layers the SSL/TLS protocol on top of HTTP, using a CA-issued certificate to verify the server's identity and to encrypt traffic. Converting a site to HTTPS only requires obtaining such a certificate and installing it on the server.
Certificates can be obtained in two ways:
Purchase a commercial CA certificate from providers like Alibaba Cloud or Tencent Cloud.
Use a free certificate, e.g., from Let’s Encrypt.
Let’s Encrypt issues three‑month certificates that can be renewed automatically. The acme.sh script implements the ACME protocol and can continuously fetch and renew Let’s Encrypt certificates.
Install acme.sh
Installation is a single command:
curl https://get.acme.sh | sh
The script is installed to ~/.acme.sh/ and creates a convenient alias acme.sh=~/.acme.sh/acme.sh. It also sets up a daily cron job that checks for expiring certificates and renews them automatically. Apart from the alias and the cron entry, all changes are confined to the installation directory.
Generate Certificate
acme.sh supports all ACME validation methods; the usual choices are HTTP-01 and DNS-01.
HTTP‑01 validation (place a file in the web root):
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
For Apache, the script can read the configuration automatically:
acme.sh --issue -d mydomain.com --apache
For Nginx or reverse-proxy setups:
acme.sh --issue -d mydomain.com --nginx
Standalone mode (no web server needed; acme.sh itself listens on port 80, so the port must be free):
acme.sh --issue -d mydomain.com --standalone
DNS-01 validation (add a TXT record):
acme.sh --issue --dns -d mydomain.com
The command prints the TXT record to create. Add it via your DNS provider's console, then run:
acme.sh --renew -d mydomain.com
acme.sh integrates with many DNS providers (Cloudflare, DNSPod, GoDaddy, OVH, etc.) for automatic TXT record creation.
Install Certificate
Copy the generated certificate to the location required by your server using --installcert:
acme.sh --installcert -d <domain>.com \
--key-file /etc/nginx/ssl/<domain>.key \
--fullchain-file /etc/nginx/ssl/fullchain.cer \
--reloadcmd "service nginx force-reload"
Note: Use /etc/nginx/ssl/fullchain.cer for ssl_certificate, not the domain-specific .cer, to avoid chain-incomplete errors in SSL Labs tests.
Update Certificate
Certificates are automatically renewed 60 days after issuance; no manual action is required.
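Both the fullchain.cer note and the automatic renewal can be verified on the installed files. The script below is an added example, not part of acme.sh or of the original article; it assumes the openssl CLI is installed, and its function names, the 25-day threshold and the throwaway demo chain are illustrative.

```shell
#!/bin/sh
# Added example (not part of acme.sh). Assumes the openssl CLI is installed.

# Print how many PEM certificates a file holds: fullchain.cer should hold at
# least 2 (leaf + intermediate), the domain-specific .cer only 1.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Succeed only if private key $1 belongs to the first (leaf) certificate in $2.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Succeed only if the leaf certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks on KEY_FILE FULLCHAIN_FILE [MIN_DAYS]; non-zero on any failure.
# MIN_DAYS defaults to 25 (assumed threshold): a three-month certificate renewed
# at day 60 should never have much less than 30 days left.
check_install() {
    rc=0; min=${3:-25}
    n=$(count_certs "$2") || n=0
    [ "$n" -ge 2 ] || { echo "FAIL: $2 holds $n certificate(s), chain incomplete"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match the leaf in $2"; rc=1; }
    valid_for_days "$2" "$min" || { echo "FAIL: leaf in $2 expires within $min days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2"
    return "$rc"
}

# Constructed sample input: a throwaway CA (standing in for the intermediate)
# and a 90-day leaf for mydomain.com, written into directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.cer" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" \
        -keyout "$1/mydomain.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.cer" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -out "$1/mydomain.cer" 2>/dev/null &&
    cat "$1/mydomain.cer" "$1/ca.cer" > "$1/fullchain.cer"
}

# Stand-alone use: sh check_cert.sh /etc/nginx/ssl/<domain>.key /etc/nginx/ssl/fullchain.cer
if [ "$#" -ge 2 ]; then check_install "$@"; fi
```

Run it from cron or a monitoring job after the acme.sh cron entry, so a silently failing renewal or a misconfigured ssl_certificate path is noticed before visitors see an error.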
Update acme.sh
Because the ACME protocol and Let's Encrypt CA evolve frequently, keep acme.sh up to date:
acme.sh --upgrade
Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0
Troubleshooting
If errors occur, add the debug flag:
acme.sh --issue ... --debug
acme.sh --issue ... --debug 2
For more advanced usage, refer to the official wiki.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
