Configs · May 5, 2026 · 2 min read

acme.sh — Pure Shell ACME Client for Free SSL Certificates

A zero-dependency shell script that automates certificate issuance and renewal from any ACME-compatible CA including Let's Encrypt and ZeroSSL.

Introduction

acme.sh is a pure Unix shell ACME protocol client with zero dependencies beyond bash or sh. It automates free TLS certificate issuance and renewal from Let's Encrypt, ZeroSSL, Buypass, and other ACME-compatible certificate authorities.

What acme.sh Does

  • Issues and renews TLS certificates via the ACME protocol automatically
  • Supports DNS-based validation with 150+ DNS provider APIs built in
  • Handles wildcard certificates through DNS-01 challenge
  • Installs certificates to web servers and reloads services on renewal
  • Runs as a cron job for fully unattended certificate lifecycle management

Architecture Overview

acme.sh is a single shell script with no compiled dependencies. It communicates with ACME servers over HTTPS using curl or wget, handles challenge-response validation (HTTP-01, DNS-01, TLS-ALPN-01), and stores account keys and certificates in ~/.acme.sh. A cron entry checks for renewals daily.

Self-Hosting & Configuration

  • Install via curl pipe or git clone to any POSIX system
  • Set --server to choose CA (letsencrypt, zerossl, buypass, or custom)
  • Configure DNS API credentials in environment variables for wildcard certs
  • Certificates default to ~/.acme.sh/domain/ with configurable install paths
  • Use --deploy hooks for automated deployment to services like Nginx, Apache, or cloud CDNs

Key Features

  • Zero compiled dependencies — runs on pure sh/bash, using curl or wget for HTTPS
  • Over 150 DNS provider integrations for automated DNS-01 challenges
  • Supports ECC (ECDSA) and RSA certificates in any key length
  • Built-in deploy hooks for Nginx, Apache, HAProxy, and cloud services
  • Automatic renewal via cron with configurable notification on failure

Comparison with Similar Tools

  • Certbot — Python-based, official Let's Encrypt client; heavier runtime dependencies
  • Caddy — web server with built-in ACME; tied to Caddy as the server
  • Lego — Go binary ACME client; single binary but fewer DNS integrations
  • cert-manager — Kubernetes-native certificate management; cluster-only scope

FAQ

Q: Does acme.sh require root privileges? A: No. It runs as any user. Root is only needed to install certificates to protected paths or reload system services.

Q: How many DNS providers are supported? A: Over 150 providers have native API integration, plus manual DNS mode for any provider.

Q: Can it issue wildcard certificates? A: Yes, using DNS-01 challenge validation with a supported DNS API.

Q: What happens if renewal fails? A: acme.sh retries on the next cron run and can send email or webhook notifications on persistent failure.
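The FAQ answer above relies on acme.sh's own cron run and notifications to surface a failed renewal. A second, independent signal is worth having: the script below (an added example, not part of acme.sh) walks the certificate store described under Architecture Overview, flags any certificate that is about to expire and any private key readable by other users. It assumes acme.sh's default layout of `<domain>/fullchain.cer` beside `<domain>.key` (ECC certs under `<domain>_ecc/`); the store path and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Renewal health check over an acme.sh certificate store. Added example, not part of acme.sh.
# Assumed layout (acme.sh's default): $store/<domain>/fullchain.cer next to <domain>.key,
# with ECC certificates under <domain>_ecc/. Store path and 14-day default are assumptions.
# Exits non-zero when a cert is near expiry (a sign the cron renewal is failing) or when a
# private key is readable by other users, so a monitor can alert independently of acme.sh.

# Return 0 (true) when the certificate in $1 expires within $2 days.
# openssl x509 -checkend exits 0 only if the cert is still valid after that many seconds.
cert_expires_within() {
  if openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0   # expiring, unreadable or missing: all treated as a failure
}

# Return 0 (true) when the private key in $1 grants a read or write bit to group or others.
key_is_exposed() {
  perms=$(ls -l "$1" 2>/dev/null | cut -c5-10)   # group and other fields of e.g. "-rw-------"
  case $perms in
    *r*|*w*) return 0 ;;
  esac
  return 1
}

# Walk every domain directory in the store and print one WARN line per finding.
check_store() {
  store=$1
  threshold=${2:-14}
  status=0
  for dir in "$store"/*/; do
    cert="${dir}fullchain.cer"
    [ -f "$cert" ] || continue          # skips acme.sh's own ca/, deploy/, dnsapi/ directories
    name=$(basename "$dir")
    if cert_expires_within "$cert" "$threshold"; then
      echo "WARN $name: certificate expires within $threshold days; check the cron renewal log"
      status=1
    fi
    for key in "$dir"*.key; do
      [ -f "$key" ] || continue
      if key_is_exposed "$key"; then
        echo "WARN $name: $(basename "$key") is readable by other users (expected mode 600)"
        status=1
      fi
    done
  done
  return $status
}

# Cron usage: sh check-acme-store.sh "$HOME/.acme.sh" 14
if [ $# -gt 0 ]; then
  check_store "$1" "${2:-14}"
fi
```

Run it from a separate cron entry or a monitoring agent so that a broken acme.sh cron job cannot also silence the alert.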
