
Upgrading a Website from HTTP to HTTPS with acme.sh – Free Automated SSL Certificates

This guide explains why and how to migrate an HTTP site to HTTPS by obtaining free Let’s Encrypt certificates using the acme.sh script, covering installation, HTTP/DNS/standalone validation methods, certificate installation, automatic renewal, and troubleshooting steps.

Top Architect

HTTP vs HTTPS Differences

HTTPS layers SSL/TLS on top of HTTP: a certificate issued by a certificate authority (CA) authenticates the server, and the traffic between client and server is encrypted. Upgrading from HTTP to HTTPS only requires adding a suitable certificate to the site.

Obtaining a CA Certificate

There are two ways to get a certificate: purchase one from a commercial CA (e.g., Alibaba Cloud, Tencent Cloud) or use a free certificate from Let’s Encrypt, which issues three‑month certificates that can be renewed automatically.

The free acme.sh script implements the ACME protocol and can automatically obtain and renew Let’s Encrypt certificates.

Installing acme.sh

Installation is a single command:

curl https://get.acme.sh | sh

The script is installed into the user's home directory (~/.acme.sh/) and creates a convenient alias.

Generating Certificates

HTTP validation places a challenge file in the web root:

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

For Apache or Nginx, the script can automatically detect the configuration and perform validation without specifying the web root:

acme.sh --issue -d mydomain.com --apache
acme.sh --issue -d mydomain.com --nginx

Standalone mode runs a temporary web server on port 80 when no service is listening:

acme.sh --issue -d mydomain.com --standalone

DNS validation creates a TXT record to prove domain ownership:

acme.sh --issue --dns -d mydomain.com

After adding the TXT record in the DNS console, renew with:

acme.sh --renew -d mydomain.com

Installing the Certificate

Generated files reside in ~/.acme.sh/. Use the --installcert command to copy them to the desired location and reload the web server:

acme.sh --installcert -d <domain>.com \
    --key-file /etc/nginx/ssl/<domain>.key \
    --fullchain-file /etc/nginx/ssl/fullchain.cer \
    --reloadcmd "service nginx force-reload"

Note that service nginx force-reload is required to make the new certificate take effect.

Certificate Renewal

Certificates are automatically renewed about 60 days after issuance; the script handles renewal without user intervention.
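
A post-deployment check for the installed files and the renewal schedule, as an added example that is not part of the original article or of acme.sh: it confirms the private key matches the leaf certificate in the full-chain file and that the certificate still has a minimum number of days left. The function names and the 20-day threshold are assumptions; with three-month certificates renewed around day 60, a healthy certificate should never have fewer than roughly 30 days remaining.

```shell
#!/bin/sh
# Added example: verify the files that `acme.sh --installcert` deployed.
# Function names, paths and the 20-day default are assumptions.

# leaf_pubkey CERT: public key of the first (leaf) certificate in a PEM file.
leaf_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# key_matches_cert KEY CERT: succeed only if the private key belongs to the leaf.
key_matches_cert() {
    cert_pub=$(leaf_pubkey "$2") || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# valid_for_days CERT DAYS: succeed if the leaf is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_deployed KEY CERT [MIN_DAYS]: prints a status line and returns
# 0 = healthy, 1 = key/cert mismatch or unreadable file, 2 = renewal overdue.
check_deployed() {
    min_days=${3:-20}
    if ! key_matches_cert "$1" "$2"; then
        echo "MISMATCH: $1 does not match the leaf certificate in $2"
        return 1
    fi
    if ! valid_for_days "$2" "$min_days"; then
        echo "RENEWAL OVERDUE: $2 expires within $min_days days"
        return 2
    fi
    echo "OK: $2 matches its key and is valid for more than $min_days days"
    return 0
}

# Example call with the paths used in this article (placeholder key name):
# check_deployed /etc/nginx/ssl/<domain>.key /etc/nginx/ssl/fullchain.cer 20
```

Run from cron or a monitoring agent, a non-zero exit code signals that the automatic renewal or the reload command has stopped working before visitors see an expired certificate.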

Updating acme.sh

Keep the script up‑to‑date with:

acme.sh --upgrade

Enable automatic upgrades:

acme.sh --upgrade --auto-upgrade

Disable automatic upgrades:

acme.sh --upgrade --auto-upgrade 0

Troubleshooting

If errors occur, add the debug flag to the command:

acme.sh --issue ... --debug

Or increase verbosity with --debug 2. For more advanced usage, refer to the official wiki.
