Configs · May 5, 2026 · 2 min read

acme.sh — Pure Shell ACME Client for Free SSL Certificates

A zero-dependency shell script that automates certificate issuance and renewal from any ACME-compatible CA including Let's Encrypt and ZeroSSL.

Agent-ready

This asset can be read and installed directly by agents.

TokRepo exposes a universal CLI command, an install contract, JSON metadata, an adapter-specific plan, and the raw content to help agents judge fit, risk, and next actions.

  • Stage only · 17/100
  • Agent surface: Any MCP/CLI agent
  • Type: CLI Tool
  • Installation: Stage only
  • Trust: Established
  • Entry point: acme.sh
  • Universal CLI command: npx tokrepo install dc1ca8c5-48bf-11f1-9bc6-00163e2b0d79

Introduction

acme.sh is a pure Unix shell ACME protocol client with zero dependencies beyond bash or sh. It automates free TLS certificate issuance and renewal from Let's Encrypt, ZeroSSL, Buypass, and other ACME-compatible certificate authorities.

What acme.sh Does

  • Issues and renews TLS certificates via the ACME protocol automatically
  • Supports DNS-based validation with 150+ DNS provider APIs built in
  • Handles wildcard certificates through DNS-01 challenge
  • Installs certificates to web servers and reloads services on renewal
  • Runs as a cron job for fully unattended certificate lifecycle management

Architecture Overview

acme.sh is a single shell script with no compiled dependencies. It communicates with ACME servers over HTTPS using curl or wget, handles challenge-response validation (HTTP-01, DNS-01, TLS-ALPN-01), and stores account keys and certificates in ~/.acme.sh. A cron entry checks for renewals daily.

Self-Hosting & Configuration

  • Install via curl pipe or git clone to any POSIX system
  • Set --server to choose CA (letsencrypt, zerossl, buypass, or custom)
  • Configure DNS API credentials in environment variables for wildcard certs
  • Certificates default to ~/.acme.sh/domain/ with configurable install paths
  • Use --deploy hooks for automated deployment to services like Nginx, Apache, or cloud CDNs
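
Because ~/.acme.sh holds account keys, certificate private keys and (once a DNS API is configured) provider credentials, its file modes are worth checking on any host that runs it. The shell functions below are an added example, not part of acme.sh or of the original page; the file names account.conf and *.key are assumptions about the directory layout, and the demo tree at the end is constructed.

```shell
#!/bin/sh
# Added example: audit and tighten file modes in an acme.sh home directory.
# Assumed layout (not stated on the page): account.conf holds saved DNS API
# credentials, and private keys are files ending in .key.

# Print each secret file under $1 that has any group/other permission bit set.
acme_loose_secrets() {
    dir=${1:-"$HOME/.acme.sh"}
    find "$dir" -type f \( -name '*.key' -o -name 'account.conf' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Return 0 when clean, 1 when a secret is exposed, 2 when the directory is missing.
acme_audit() {
    dir=${1:-"$HOME/.acme.sh"}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    loose=$(acme_loose_secrets "$dir")
    [ -z "$loose" ] && return 0
    echo "secrets readable beyond owner:" >&2
    echo "$loose" | sed 's/^/  /' >&2
    return 1
}

# Restrict the directory to its owner and every secret file to mode 600.
acme_harden() {
    dir=${1:-"$HOME/.acme.sh"}
    chmod 700 "$dir" || return 1
    find "$dir" -type f \( -name '*.key' -o -name 'account.conf' \) \
        -exec chmod 600 {} +
}

# Constructed demo tree (not a real acme.sh install): one exposed key, then fixed.
demo=$(mktemp -d)
mkdir -p "$demo/example.com"
: > "$demo/account.conf"
: > "$demo/example.com/example.com.key"
chmod 600 "$demo/account.conf"
chmod 644 "$demo/example.com/example.com.key"
acme_audit "$demo" || echo "exposed secrets found, tightening modes"
acme_harden "$demo" && acme_audit "$demo" && echo "clean after hardening"
rm -rf "$demo"
```

Run `acme_audit` from the same account that owns the cron entry; a non-zero exit code makes it easy to wire into existing host monitoring.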

Key Features

  • Zero external dependencies — runs on pure sh/bash
  • Over 150 DNS provider integrations for automated DNS-01 challenges
  • Supports ECC (ECDSA) and RSA certificates in any key length
  • Built-in deploy hooks for Nginx, Apache, HAProxy, and cloud services
  • Automatic renewal via cron with configurable notification on failure

Comparison with Similar Tools

  • Certbot — Python-based, official Let's Encrypt client; heavier runtime dependencies
  • Caddy — web server with built-in ACME; tied to Caddy as the server
  • Lego — Go binary ACME client; single binary but fewer DNS integrations
  • cert-manager — Kubernetes-native certificate management; cluster-only scope

FAQ

Q: Does acme.sh require root privileges? A: No. It runs as any user. Root is only needed to install certificates to protected paths or reload system services.

Q: How many DNS providers are supported? A: Over 150 providers have native API integration, plus manual DNS mode for any provider.

Q: Can it issue wildcard certificates? A: Yes, using DNS-01 challenge validation with a supported DNS API.

Q: What happens if renewal fails? A: acme.sh retries on the next cron run and can send email or webhook notifications on persistent failure.
