Secure Your Site for Free: HTTPS with acme.sh and Let’s Encrypt
This guide explains why and how to upgrade an HTTP website to HTTPS using free Let’s Encrypt certificates and the acme.sh script, covering installation, certificate generation via HTTP or DNS validation, deployment to Apache/Nginx, and automated renewal.
Difference between HTTP and HTTPS
HTTPS adds SSL/TLS encryption to HTTP, using a certificate issued by a certificate authority (CA) to verify the server’s identity and encrypt traffic. Upgrading from HTTP to HTTPS only requires installing such a certificate.
There are two ways to obtain a CA-issued certificate: purchase a commercial one or get a free one.
Let’s Encrypt is a free, automated, open certificate authority that issues certificates valid for three months and can be renewed automatically.
Install acme.sh
Installation is a single command:
curl https://get.acme.sh | sh
The script is installed in the user’s home directory (~/.acme.sh/) and creates a convenient alias acme.sh=~/.acme.sh/acme.sh. It also sets up a daily cron job to check and renew certificates.
Generate certificates
acme.sh supports both HTTP and DNS validation methods.
HTTP validation places a file in the web root to prove domain ownership:
acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
For Apache you can let acme.sh read the configuration automatically:
acme.sh --issue -d mydomain.com --apache
For Nginx:
acme.sh --issue -d mydomain.com --nginx
If no web server is running, acme.sh can act as a temporary server:
acme.sh --issue -d mydomain.com --standalone
DNS validation adds a TXT record to the domain:
acme.sh --issue --dns -d mydomain.com
After adding the TXT record, renew with:
acme.sh --renew -d mydomain.com
Note that DNS mode requires manual record updates unless an automatic DNS API is configured; acme.sh supports many providers such as Cloudflare, DNSPod, GoDaddy, etc.
Copy/Install certificate
Certificates are stored in ~/.acme.sh/. Use the --installcert command to copy them to the desired location and optionally reload the web server:
acme.sh --installcert -d <domain>.com --key-file /etc/nginx/ssl/<domain>.key --fullchain-file /etc/nginx/ssl/fullchain.cer --reloadcmd "service nginx force-reload"
Force-reload is required because a normal reload may not reload the new certificate.
Update certificate
Certificates are automatically renewed after 60 days without user intervention.
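One way to verify the files that --installcert copied into place, as an added example that is not part of acme.sh or the original article: it checks that the key matches the leaf certificate, that the key is not readable by group or others, and that at least 30 days of validity remain (with three-month certificates renewed after 60 days, less than that suggests the renewal job is not working). The function names, return codes, the --demo switch and the 30-day threshold are assumptions of this example; it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not part of acme.sh): sanity-check a deployed certificate/key pair.
# Return codes (convention assumed for this example): 0 ok, 1 key/cert mismatch,
# 2 fewer than MIN_DAYS of validity left, 3 unreadable input, 4 key permissions too open.

check_cert() {  # usage: check_cert FULLCHAIN KEY [MIN_DAYS]
    cert=$1; key=$2; min_days=${3:-30}

    # The first certificate in the fullchain file is the leaf; its public key
    # must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: $key is not the key for $cert" >&2; return 1
    fi

    # Characters 5-10 of the mode string are the group and other permission bits.
    if [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
        echo "PERMS: $key is accessible to group or others" >&2; return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRING: $cert has under $min_days days left; check the renewal cron job" >&2
        return 2
    fi
    echo "OK: $cert"
}

# Constructed sample input: a throwaway self-signed pair valid for DAYS days,
# standing in for a real Let's Encrypt certificate.
make_sample() {  # usage: make_sample DIR DAYS -> DIR/fullchain.cer, DIR/site.key
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mydomain.com" -days "$2" \
        -keyout "$1/site.key" -out "$1/fullchain.cer" 2>/dev/null && chmod 600 "$1/site.key"
}

if [ "$#" -ge 2 ]; then
    check_cert "$@"      # e.g. the --fullchain-file and --key-file paths given to acme.sh
elif [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_sample "$d" 90 && check_cert "$d/fullchain.cer" "$d/site.key"
    rm -rf "$d"
fi
```

Run it with the fullchain and key paths as arguments, for example from cron after the acme.sh job, and alert on any non-zero exit status.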
Update acme.sh
Keep acme.sh up to date with:
acme.sh --upgrade
Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0
If an error occurs, add the debug flag:
acme.sh --issue ... --debug
21CTO
