How to obtain TLS certificate using ACME protocol on Linux
The following tutorial explains how to automatically obtain a certificate and deploy it on your Linux server using Certbot, an automated tool for certificate administration. These instructions describe the Apache server in particular; however, Certbot is also available for nginx, HAProxy and Plesk. It is distributed under an open-source license and is therefore free to use.
Preparation for Obtaining a Certificate
Using ACME is very simple, but it requires a bit of preparation. Before you start using it, please read the following paragraphs.
Obtaining Access for Authentication
DigiCert's ACME implementation uses authentication via external account binding (EAB), which means you will receive your own access credentials from DigiCert. You can easily obtain these ACME credentials in your SSLmarket customer account.
The ACME credentials consist of a Key Identifier (Key ID) and an HMAC key, which is your secret for authenticating against the existing account. You will need this information and the URL of the ACME endpoint for the ACME client (Certbot).
Summary of Certificate Validation
All certificates issued by DigiCert are validated. Some are minimally validated (DV certificates), while others require organization validation (OV and EV). ACME is no exception, and uses this validation, too.
- Domain-validated DV certificates are obtained immediately; you simply need to create ACME credentials for a DV product and use them. DCV validation is performed via the HTTP-01 method, and the certificate will be issued right away.
- OV and EV certificates require a verified organization and validation of the domain used, which is associated with the organization. If the validation is not completed, the ACME request cannot be completed either.
- Domains can be automatically validated using HTTP-01, or they can be pre-validated using DNS or email (in which case, please contact us). DCV is carried out exactly as you are accustomed to.
- The organization must be verified before applying for a certificate; otherwise, the request will wait for completion of the verification (which will end in a timeout). We recommend waiting for your organization to be verified by DigiCert after enabling the ACME account and consulting the status with SSLmarket support.
For OV and EV, you can start using ACME as soon as the organization is verified (domain and company validations are valid for 13 months).
Certbot
Certbot is the most popular ACME client, supporting major Linux web servers.
Preparing Certbot on the Server
A Certbot package is commonly available in Linux distributions, but you should remove that default package. To use DigiCert's EAB ACME, it is necessary to use the package from Snap; other variants may not work. Install it like this:
snap install certbot --classic
Certbot supports a wide range of web servers. You specify the type you are using with a parameter, such as --apache or --nginx. If you need something else, I recommend its comprehensive documentation, which will guide you on the specific procedure for your web server.
Obtaining and Installing a Certificate
You can find many examples online or in Certbot documentation on how to use Certbot and obtain a certificate. However, since DigiCert's ACME operates in the aforementioned EAB mode, the command needs to be supplemented with the ACME URL and your two ACME credentials that you obtained in your administration. Otherwise, it won't work.
In the terminal, request a certificate using the command below:
sudo certbot --apache --register-unsafely-without-email --server URL --eab-kid xxxxxx --eab-hmac-key yyyyyy -d www.yourdomainname.com
Command Legend:
- certbot – runs the Certbot program.
- --apache – selects the Apache Certbot plugin to use, which installs the certificate for you. If you are using a different web server, use a different parameter (e.g., --nginx).
- --register-unsafely-without-email – skips email registration for notifications, which is unnecessary.
- --server – specifies which ACME server should fulfill your request; that is, https://acme.digicert.com/v2/acme/directory.
- -d – the full domain name for which you want to issue a certificate. You can pass several domain names with repeated -d parameters (SAN) if the certificate supports it. These will, of course, be charged unless they are free aliases (www). If you omit this option, Certbot will ask you to confirm which domains to include in the request, based on the vhosts configured on the server.
- --eab-kid and --eab-hmac-key – the Key ID and HMAC key of your ACME credentials, obtained in your SSLmarket customer account.
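The command above puts the HMAC key on the command line, where an interactive shell keeps it in its history. The script below is an added example, not code from the tutorial or from Certbot: it assembles the same command from a root-only credentials file and refuses to run if that file is readable by other users or if a credential is missing. The file path /root/acme-eab.conf, the variable names ACME_SERVER, ACME_EAB_KID and ACME_EAB_HMAC, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): assemble the Certbot EAB
# command from a root-only credentials file instead of typing the HMAC key
# into an interactive shell, where it would be kept in the shell history.
# The file path /root/acme-eab.conf and the variable names below are assumptions.
#
# Credentials file format (one KEY=value per line, constructed for this example):
#   ACME_SERVER=https://acme.digicert.com/v2/acme/directory
#   ACME_EAB_KID=xxxxxx
#   ACME_EAB_HMAC=yyyyyy

# read_var FILE NAME -> prints the value of the first "NAME=value" line in FILE
read_var() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_creds_file FILE -> 0 if FILE exists and is readable only by its owner (mode 600 or 400)
check_creds_file() {
    [ -f "$1" ] || { echo "missing credentials file: $1" >&2; return 1; }
    mode=$(stat -c %a "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; the HMAC key must not be group/world readable (use 600)" >&2
           return 1 ;;
    esac
}

# build_certbot_cmd FILE PLUGIN DOMAIN [DOMAIN...] -> prints the full certbot command
# PLUGIN is the web server plugin name without dashes (apache, nginx, ...).
build_certbot_cmd() {
    creds=$1; plugin=$2; shift 2
    check_creds_file "$creds" || return 1
    server=$(read_var "$creds" ACME_SERVER)
    kid=$(read_var "$creds" ACME_EAB_KID)
    hmac=$(read_var "$creds" ACME_EAB_HMAC)
    if [ -z "$server" ] || [ -z "$kid" ] || [ -z "$hmac" ]; then
        echo "ACME_SERVER, ACME_EAB_KID and ACME_EAB_HMAC must all be set in $creds" >&2
        return 1
    fi
    [ $# -ge 1 ] || { echo "at least one domain (-d) is required" >&2; return 1; }
    cmd="certbot --$plugin --register-unsafely-without-email --server $server --eab-kid $kid --eab-hmac-key $hmac"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s\n' "$cmd"
}

# Usage as root (kept as a comment so this file can be sourced without side effects):
#   sh -c "$(build_certbot_cmd /root/acme-eab.conf apache www.yourdomainname.com)"
```

The key is still visible to the process list while Certbot runs, as with the plain command; what the wrapper removes is the copy in your shell history and in any pasted notes, and it makes the file-permission check a habit rather than an afterthought.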
After entering the command, you will be offered the option to enable forced redirection to HTTPS on the given domain:
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice and press the ENTER key. Your chosen configuration will be set and loaded upon restarting the web server. You will then receive a final message informing you that the process was successful and where your certificates are stored.
Certbot also installs the necessary intermediate certificate. To verify the correctness of the installation, use our online tool for certificate installation check.
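The online check tests the certificate as the web server actually serves it. Before that, the three things that most often go wrong can be checked locally on the server: that the private key belongs to the certificate, that the certificate is not about to expire (which would mean the renewal job is not working), and that the full-chain file really contains the intermediate and not only the leaf. The script below is an added example, not part of the tutorial or of Certbot; it assumes openssl and GNU date are installed, and the file paths are placeholders (Certbot's defaults are under /etc/letsencrypt/live/<domain>/).

```shell
#!/bin/sh
# Added example (not from the original tutorial): local post-installation checks
# for a certificate that Certbot or acme.sh has written to disk.
# Requires openssl and GNU date. File paths are placeholders.

# cert_key_match CERT KEY -> 0 when KEY's public half equals the public key in CERT
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_days_left CERT -> prints whole days until notAfter (negative once expired)
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//') || return 1
    end_s=$(date -d "$end" +%s) || return 1
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# chain_count FILE -> prints how many PEM certificates FILE contains
chain_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# check_install CERT KEY FULLCHAIN -> prints findings; returns 0 only if every check passes
check_install() {
    rc=0
    if cert_key_match "$1" "$2"; then echo "ok: private key matches certificate"
    else echo "FAIL: private key does not match certificate"; rc=1; fi
    days=$(cert_days_left "$1")
    if [ "$days" -gt 30 ]; then echo "ok: $days days until expiry"
    else echo "WARN: only $days days until expiry; check the renewal cron job or timer"; rc=1; fi
    n=$(chain_count "$3")
    if [ "$n" -ge 2 ]; then echo "ok: fullchain holds $n certificates (leaf plus intermediate)"
    else echo "FAIL: fullchain holds only $n certificate(s); the intermediate is missing"; rc=1; fi
    return $rc
}

# Usage (placeholder paths):
#   check_install /etc/letsencrypt/live/www.yourdomainname.com/cert.pem \
#       /etc/letsencrypt/live/www.yourdomainname.com/privkey.pem \
#       /etc/letsencrypt/live/www.yourdomainname.com/fullchain.pem
```

The key comparison works for both RSA and ECDSA keys because it compares the exported public keys rather than an RSA-only modulus. A missing intermediate is the classic case where a browser with a cached intermediate shows the site as fine while other clients, and the online check, report a broken chain.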
ACME.sh
You can also easily use DigiCert’s ACME with the ACME.sh tool. Unlike Certbot, it is "lighter" and doesn't require as many dependencies to be installed on the server.
Create a separate system user under which it will "run":
useradd -r -s /bin/bash -m -d /home/acmeuser acmeuser
mkdir -p /home/acmeuser/.acme.sh
chown -R acmeuser:acmeuser /home/acmeuser/.acme.sh
echo 'acmeuser ALL=(ALL) NOPASSWD: /usr/sbin/service nginx reload, /usr/bin/systemctl reload nginx' | sudo tee /etc/sudoers.d/acmeuser
then log in as that user: sudo su - acmeuser
Installation of acme.sh
Now install the ACME client with the installer script downloaded from the project's website, then run it:
wget https://get.acme.sh -O acme.sh
sh acme.sh
The installation performs:
- Installation of the script itself
- Setting up a cron job for automatic renewal (can be checked under acmeuser with the command crontab -e)
Next, register the certificate authority:
acme.sh --register-account --server https://one.digicert.com/mpki/api/v1/acme/v2/directory --eab-kid xxxxxx --eab-hmac-key yyyyyy
Before actually requesting a certificate, check (and adjust if needed) that acmeuser has write access to the target directory where certificates for nginx, Apache and other services are stored. On my server the folder was accessible only to root; I resolved this by creating a new group called ssladmins and adding root and acmeuser to it.
sudo groupadd ssladmins
sudo usermod -aG ssladmins root
sudo usermod -aG ssladmins acmeuser
sudo chown root:ssladmins /etc/nginx/ssl/
sudo chmod 770 /etc/nginx/ssl/
An alternative is to use visudo to grant acmeuser permission to copy files into those directories without a password.
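Two things have to line up for the unattended renewal to work: the sudoers rule must list the exact command that acme.sh is later told to run in --reloadcmd, and acmeuser must be able to write into the directory that --key-file and --fullchain-file point at. Neither is checked by acme.sh itself; a mismatch shows up only when the cron job's reload prompts for a password it cannot enter. The script below is an added example, not part of the tutorial or of acme.sh. It parses only the one-line rule form written above (user ALL=(ALL) NOPASSWD: cmd1, cmd2); the function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify, before the first
# renewal, that the sudoers rule created for acmeuser actually permits the
# command passed to acme.sh --reloadcmd, and that acmeuser can write into the
# directory that --key-file / --fullchain-file point at. Paths are placeholders.

# sudo_allows SUDOERS_FILE USER COMMAND -> 0 if a "USER ALL=(ALL) NOPASSWD: ..." rule in
# SUDOERS_FILE lists COMMAND exactly (comma-separated command list, as written above)
sudo_allows() {
    grep -E "^[[:space:]]*$2[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:" "$1" |
        sed 's/^.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -qxF "$3"
}

# reloadcmd_allowed SUDOERS_FILE USER RELOADCMD -> 0 if RELOADCMD is "sudo <absolute command>"
# and that command is allowed. sudo itself would also accept a bare name resolved through its
# secure_path; this check deliberately insists on the absolute path so rule and command match 1:1.
reloadcmd_allowed() {
    case "$3" in
        "sudo /"*) sudo_allows "$1" "$2" "${3#sudo }" ;;
        "sudo "*) echo "use an absolute path in reloadcmd, e.g. sudo /usr/bin/systemctl reload nginx" >&2
                  return 1 ;;
        *) echo "reloadcmd has no sudo prefix; acme.sh would run it unprivileged as $2" >&2
           return 1 ;;
    esac
}

# cert_dir_writable DIR -> 0 if the current user can enter DIR and create files in it
# (run this as acmeuser, not as root, since root can write anywhere)
cert_dir_writable() {
    [ -d "$1" ] && [ -x "$1" ] && [ -w "$1" ]
}

# check_acme_env SUDOERS_FILE USER RELOADCMD DIR -> prints findings; returns 0 only if all pass
check_acme_env() {
    rc=0
    if reloadcmd_allowed "$1" "$2" "$3"; then echo "ok: $2 may run '$3' without a password"
    else echo "FAIL: '$3' is not covered by the NOPASSWD rule for $2 in $1"; rc=1; fi
    if cert_dir_writable "$4"; then echo "ok: $4 is writable by $(id -un)"
    else echo "FAIL: $4 is not writable by $(id -un); fix the group and mode as shown above"; rc=1; fi
    return $rc
}

# Usage, as acmeuser (placeholder paths):
#   check_acme_env /etc/sudoers.d/acmeuser acmeuser "sudo /usr/bin/systemctl reload nginx" /etc/nginx/ssl
```

The directory test must run as acmeuser: root passes the -w test on any directory, so running it with sudo proves nothing about the account the cron job uses.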
Requesting Certificate Issuance
acme.sh --issue --server https://one.digicert.com/mpki/api/v1/acme/v2/directory -d dev.inmail.cz --days 365 -w /www/sites/inmail/dev/current/web/ --key-file /etc/nginx/ssl/dev.inmail.cz.key --fullchain-file /etc/nginx/ssl/dev.inmail.cz.cer --force --log --reloadcmd "sudo systemctl reload nginx"
List of issued and installed certificates: acme.sh --list