Let's Encrypt is a non-profit certificate authority that provides free X.509 certificates for TLS encryption through an automated process designed to replace the complex manual process of creating, verifying, signing, installing and updating certificates for secure websites. Let's Encrypt recently introduced wildcard certificates, so you can now secure your domain and multiple subdomains with just one SSL certificate.

This guide works with Linux distributions such as CentOS, Ubuntu and Debian.
Installation is shown using CentOS as an example; to install git on Ubuntu or Debian, use the apt-get package manager instead of yum.

After installation, a cron job will be created to automatically renew the certificate.  

* Submit a request for issuance (the wildcard name is quoted so the shell does not expand it):

    bash acme.sh --issue -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

You must specify your domain instead of mecmep.site.

* The script will generate 2 TXT records to be added in your DNS panel:
    [Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
    [Mon Apr 13 14:06:52 MSK 2020] TXT value: 'lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8'
    [Mon Apr 13 14:06:52 MSK 2020] Domain: '_acme-challenge.mecmep.site'
    [Mon Apr 13 14:06:52 MSK 2020] TXT value: 'GfIz0ovmKkHmHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I'

When adding a record, you should add a period at the end of the record name. For example:  

    TXT record _acme-challenge.mecmep.site.
    value: "lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8"

    TXT record _acme-challenge.mecmep.site.
    value: "GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I"


* Check whether the DNS records have been updated:

    dig txt +short _acme-challenge.mecmep.site

* After the DNS has updated, resume issuing the certificate:

    bash acme.sh --renew -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please
    [Mon Apr 13 14:16:47 MSK 2020] Renew: 'mecmep.site'
    [Mon Apr 13 14:16:48 MSK 2020] Multi domain='DNS:mecmep.site,DNS:*.mecmep.site'
    [Mon Apr 13 14:16:49 MSK 2020] Getting domain auth token for each domain
    [Mon Apr 13 14:16:49 MSK 2020] Verifying: mecmep.site
    [Mon Apr 13 14:16:53 MSK 2020] Success
    [Mon Apr 13 14:16:53 MSK 2020] Verifying: *.mecmep.site
    [Mon Apr 13 14:16:57 MSK 2020] Success
    [Mon Apr 13 14:16:57 MSK 2020] Verify finished, start to sign.
    [Mon Apr 13 14:16:57 MSK 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/83278451/2986784558
    [Mon Apr 13 14:16:58 MSK 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04445ffc3799e6e4ab158437a6730fb44031
    [Mon Apr 13 14:16:59 MSK 2020] Cert success.
    [Mon Apr 13 14:16:59 MSK 2020] Your cert is in /root/.acme.sh/mecmep.site/mecmep.site.cer
    [Mon Apr 13 14:16:59 MSK 2020] Your cert key is in /root/.acme.sh/mecmep.site/mecmep.site.key
    [Mon Apr 13 14:16:59 MSK 2020] The intermediate CA cert is in /root/.acme.sh/mecmep.site/ca.cer
    [Mon Apr 13 14:16:59 MSK 2020] And the full chain certs is there: /root/.acme.sh/mecmep.site/fullchain.cer
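
Because the base domain and the wildcard each get their own TXT value at the same `_acme-challenge` name, validation fails if one record overwrites the other or a value is mangled while pasting. The shell function below is an added example (not part of the original guide or of acme.sh) that checks `dig txt +short` output against the expected values before you resume issuance; the name `check_acme_txt` and the sample resolver answers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide or acme.sh): verify that every expected
# dns-01 TXT value is published before resuming issuance.

# Sample values copied from the guide's TXT record example.
V1='lGcZEqos8Ki_4Yl_MvTC8OF54Ixjkp_SHKLqZ7ba7G8'
V2='GfIz0ovmKkHmwN1BV57Vc2IwZeBXPCY5s2M24VWQN3I'

# check_acme_txt VALUE...   (hypothetical helper name)
# Reads `dig txt +short` output on stdin; returns 0 only if every VALUE
# is well-formed and present in that output.
check_acme_txt() {
    # dig prints each TXT string in double quotes; strip quotes and whitespace.
    published=$(tr -d '" \t\r')
    missing=0
    for want in "$@"; do
        # A dns-01 value is an unpadded base64url SHA-256 digest: 43 characters.
        if ! printf '%s' "$want" | grep -Eq '^[A-Za-z0-9_-]{43}$'; then
            echo "malformed value (copy/paste error?): $want" >&2
            missing=$((missing + 1))
            continue
        fi
        # Exact whole-line match; "--" because a value may begin with "-".
        if ! printf '%s\n' "$published" | grep -Fxq -- "$want"; then
            echo "not published yet: $want" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed resolver answers (not real lookups).
BOTH=$(printf '"%s"\n"%s"' "$V1" "$V2")   # both records present
OVERWRITTEN="\"$V2\""                      # second record replaced the first

if printf '%s\n' "$BOTH" | check_acme_txt "$V1" "$V2"; then
    echo "both TXT values visible: safe to resume issuance"
fi
if ! printf '%s\n' "$OVERWRITTEN" | check_acme_txt "$V1" "$V2"; then
    echo "a value is missing: do not resume yet"
fi

# Live use (assumes dig is installed):
#   dig txt +short _acme-challenge.mecmep.site | check_acme_txt "$V1" "$V2"
```

Querying one of the zone's authoritative nameservers (`dig @<nameserver> txt +short ...`) instead of the local resolver avoids acting on a stale cached answer.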

This gives you the certificate, key and chain. Add them to the Apache and nginx configuration files, replacing the existing entries:

/home/admin/conf/web/mecmep.site.apache2.ssl.conf, where mecmep.site is the domain name

    SSLCertificateFile /root/.acme.sh/mecmep.site/mecmep.site.cer
    SSLCertificateKeyFile /root/.acme.sh/mecmep.site/mecmep.site.key
    # The chain file holds only the intermediate CA certificate, not the full chain
    SSLCertificateChainFile /root/.acme.sh/mecmep.site/ca.cer


/home/admin/conf/web/mecmep.site.nginx.ssl.conf, where mecmep.site is the domain name

    ssl_certificate /root/.acme.sh/mecmep.site/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/mecmep.site/mecmep.site.key;

* Restart Apache and nginx:

    systemctl restart apache2
    systemctl restart nginx

To update the certificates, you need to run the following command after 90 days and update the TXT DNS records:

    acme.sh --issue -d mecmep.site -d '*.mecmep.site' --dns --force --yes-I-know-dns-manual-mode-enough-go-ahead-please

Where mecmep.site is the name of your domain.


To update Let's Encrypt certificates automatically with a cron job, add this daily cron entry to check for auto-update:

    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

You can check if the certificate is installed correctly using this [service](https://www.sslshopper.com/ssl-checker.html).


If you have any configuration difficulties or additional questions, you can always contact our support team via the ticket system.