# acme.sh — Pure Shell ACME Client for Free SSL Certificates

> A zero-dependency shell script that automates certificate issuance and renewal from any ACME-compatible CA including Let's Encrypt and ZeroSSL.

## Quick Use

```bash
# Install acme.sh and register the account email
curl https://get.acme.sh | sh -s email=you@example.com

# Issue a certificate, validating through files served from the webroot
acme.sh --issue -d example.com --webroot /var/www/html

# Copy the key and full chain to their live paths, then reload the web server
acme.sh --install-cert -d example.com \
  --key-file /etc/ssl/key.pem \
  --fullchain-file /etc/ssl/cert.pem \
  --reloadcmd "systemctl reload nginx"
```

## Introduction

acme.sh is a pure Unix shell ACME protocol client with zero dependencies beyond bash or sh. It automates free TLS certificate issuance and renewal from Let's Encrypt, ZeroSSL, Buypass, and other ACME-compatible certificate authorities.

## What acme.sh Does

- Issues and renews TLS certificates via the ACME protocol automatically
- Supports DNS-based validation with 150+ DNS provider APIs built in
- Handles wildcard certificates through the DNS-01 challenge
- Installs certificates to web servers and reloads services on renewal
- Runs as a cron job for fully unattended certificate lifecycle management

## Architecture Overview

acme.sh is a single shell script with no compiled dependencies. It communicates with ACME servers over HTTPS using curl or wget, handles challenge-response validation (HTTP-01, DNS-01, TLS-ALPN-01), and stores account keys and certificates in `~/.acme.sh`. A cron entry checks for renewals daily.

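
Because renewal and installation run unattended from cron, it helps to verify the files that `--install-cert` writes. The following is an added example, not part of acme.sh or the original page: the function names, return codes and the 20-day default threshold are assumptions, and it requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not acme.sh code): sanity-check an installed key and full chain.

# check_installed_cert KEY FULLCHAIN [MIN_DAYS]
# Returns 0 if all checks pass, 1 if a file is missing or unreadable,
# 2 if the key is accessible to group/other, 3 if the key does not match
# the leaf certificate, 4 if the leaf expires within MIN_DAYS (assumed default 20).
check_installed_cert() {
    key=$1 chain=$2 min_days=${3:-20}

    [ -r "$key" ] && [ -r "$chain" ] || { echo "missing file" >&2; return 1; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key mode too open: $perms" >&2; return 2; }

    # openssl x509 reads the first PEM block, which is the leaf in a full chain.
    # Both commands print the public key as PEM, so the strings can be compared.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 3; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 4; }

    return 0
}

# Constructed sample input for trying the check offline:
# make_sample DIR DAYS writes a self-signed key.pem and cert.pem into DIR.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
        -days "$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"
}

# Usage with the paths from Quick Use:
#   check_installed_cert /etc/ssl/key.pem /etc/ssl/cert.pem 20 || exit 1
```

Run from a separate cron job or monitoring agent, a non-zero return flags a stale, mismatched or over-exposed key before clients see a failure.
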
## Self-Hosting & Configuration

- Install via curl pipe or git clone to any POSIX system
- Set `--server` to choose the CA (letsencrypt, zerossl, buypass, or custom)
- Configure DNS API credentials in environment variables for wildcard certs
- Certificates default to `~/.acme.sh/domain/` with configurable install paths
- Use `--deploy` hooks for automated deployment to services like Nginx, Apache, or cloud CDNs

## Key Features

- Zero external dependencies — runs on pure sh/bash
- Over 150 DNS provider integrations for automated DNS-01 challenges
- Supports ECC (ECDSA) and RSA certificates in any key length
- Built-in deploy hooks for Nginx, Apache, HAProxy, and cloud services
- Automatic renewal via cron with configurable notification on failure

## Comparison with Similar Tools

- **Certbot** — Python-based, official Let's Encrypt client; heavier runtime dependencies
- **Caddy** — web server with built-in ACME; tied to Caddy as the server
- **Lego** — Go binary ACME client; single binary but fewer DNS integrations
- **cert-manager** — Kubernetes-native certificate management; cluster-only scope

## FAQ

**Q: Does acme.sh require root privileges?**
A: No. It runs as any user. Root is only needed to install certificates to protected paths or reload system services.

**Q: How many DNS providers are supported?**
A: Over 150 providers have native API integration, plus manual DNS mode for any provider.

**Q: Can it issue wildcard certificates?**
A: Yes, using DNS-01 challenge validation with a supported DNS API.

**Q: What happens if renewal fails?**
A: acme.sh retries on the next cron run and can send email or webhook notifications on persistent failure.

## Sources

- https://github.com/acmesh-official/acme.sh
- https://acme.sh

---

Source: https://tokrepo.com/en/workflows/asset-dc1ca8c5
Author: AI Open Source