Upgrading an HTTP Site to HTTPS with acme.sh and Let’s Encrypt

This guide explains why and how to migrate an HTTP website to HTTPS by adding an SSL/TLS certificate, covering the differences between HTTP and HTTPS, options for obtaining free or paid CA certificates, installing the acme.sh script, generating and installing certificates, and handling updates and troubleshooting.

Architecture Digest

Many site owners need to upgrade their sites from HTTP to HTTPS for security and compliance reasons, such as browser warnings and platform requirements.

HTTPS adds SSL/TLS on top of HTTP, using a certificate issued by a certificate authority (CA) to authenticate the server and encrypt traffic. You can buy a certificate from a provider such as Alibaba Cloud or Tencent Cloud, or use a free certificate from Let’s Encrypt.

Let’s Encrypt issues three‑month certificates that can be automatically renewed. The acme.sh script implements the ACME protocol and automates certificate issuance and renewal.

Installing acme.sh

Installation is a single command:

curl https://get.acme.sh | sh

The script is installed into ~/.acme.sh/ and creates a convenient alias.

It also sets up a daily cron job that checks for expiring certificates and renews them automatically.

Generating a Certificate

acme.sh supports both HTTP‑01 and DNS‑01 validation.

HTTP validation places a file in the web root:

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

For Apache or Nginx you can let the script read the server configuration directly:

acme.sh --issue -d mydomain.com --apache
acme.sh --issue -d mydomain.com --nginx

Standalone mode can be used when no web server is running:

acme.sh --issue -d mydomain.com --standalone

DNS validation adds a TXT record to prove domain ownership:

acme.sh --issue --dns -d mydomain.com

After the TXT record is added, renew the certificate with:

acme.sh --renew -d mydomain.com

Installing the Certificate

Certificates are stored in ~/.acme.sh/. Use the --installcert command to copy them to the desired location and reload the web server:

acme.sh --installcert -d <domain>.com \
  --key-file /etc/nginx/ssl/<domain>.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "service nginx force-reload"

In the Nginx configuration, point ssl_certificate at the full-chain file (ssl_certificate /etc/nginx/ssl/fullchain.cer;) to avoid certificate chain issues.
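
A post-install check for the files that --installcert writes, added here as an example; it is not part of the original article or of acme.sh. The function names and the 20-day default are assumptions, and it relies only on grep and the openssl command-line tool.

```shell
#!/bin/sh
# Added example: sanity checks for the files written by `acme.sh --installcert`.
# Function names and the 20-day default are assumptions, not part of acme.sh.

# Print how many certificates a PEM bundle holds (leaf plus intermediates).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed when the private key ($2) belongs to the first (leaf) cert in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeed when the leaf cert in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run every check, print one line per failure, return non-zero if any failed.
# Renewal happens with about 30 days left, so under 20 suggests a broken cron.
check_install() {
    fullchain=$1; key=$2; min_days=${3:-20}; rc=0
    if [ ! -r "$fullchain" ] || [ ! -r "$key" ]; then
        echo "FAIL: cannot read $fullchain or $key"; return 1
    fi
    [ "$(count_certs "$fullchain")" -ge 2 ] ||
        { echo "FAIL: $fullchain has no intermediate certificate"; rc=1; }
    key_matches_cert "$fullchain" "$key" ||
        { echo "FAIL: $key does not match the leaf certificate"; rc=1; }
    valid_for_days "$fullchain" "$min_days" ||
        { echo "FAIL: certificate expires within $min_days days"; rc=1; }
    return "$rc"
}

# Usage: sh check_cert.sh FULLCHAIN KEYFILE [MIN_DAYS]
if [ "$#" -ge 2 ]; then
    check_install "$@"
fi
```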

Updating Certificates and acme.sh

Certificates automatically renew after 60 days. Keep acme.sh up‑to‑date with:

acme.sh --upgrade

Enable automatic upgrades:

acme.sh --upgrade --auto-upgrade

Disable automatic upgrades with:

acme.sh --upgrade --auto-upgrade 0

Troubleshooting

If errors occur, add the debug flag:

acme.sh --issue ... --debug

or increase the debug level:

acme.sh --issue ... --debug 2

For more advanced usage, refer to the official wiki.
