Skip to content

a small tool to get and renew tls certs from let's encrypt

Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit

56e0664 · Feb 7, 2020


25 Commits
Feb 7, 2020
Jan 30, 2020

Repository files navigation

acme-client (Deprecated)

a small PHP script to get and renew TLS certs from Let's Encrypt (Deprecated)

What you need to use this script to setup a https website

  • account private key
    • used to register and communicate with acme server
    • the script need the read access of the account key
  • domain private key
    • used as your website ssl private key
    • it must be different from your account private key for security
    • keep it in safe place, don't let the script read it
  • csr file (Certificate Signing Request)
    • used to request the cert from CA
    • can be generated from your domain private key
    • the script need the read access of the csr file
  • http challenge dir (which can be access by your domain)
    • used to prove the domain is in your control, acme server will access your domain like<challenge_file_name>
    • the script need the write access of the http challenge dir
    • the script will put the challenge file in this dir
  • a new user
    • used to run this script
    • for security, never run this script by root
    • the user can not login from ssh
      (set your /etc/passwd to disable login for the new user)
    • the user can not read the domain private key
    • the user can read the account private key, csr file only
    • the user can write to the http challenge dir
    • set the renew cert crontab task for this user
      (Let's Encrypt cert will exprired about 90 days)
  • custom dh paramters (optional)
    • fix the weak Diffie-Hellman and the logjam attack issue

Script Usage

usage: acme-client.php
    -a <account_key_file>
    -r <csr_file> 
    -d <domain_list(domain1;domain2...;domainN)>
    -c <http_challenge_dir>
    -o <output_cert_file>
    [-t <terms_of_service>]

if -t command line option is set and it does not equal to the latest tos url,
you will get a error like:

terms of service has changed: please modify your -t command option
new tos: <new_tos>

Detail Guide


# install php-cli first
sudo apt-get install php-cli php-curl

generate account private key

openssl genrsa -out account.key 4096

generate domain private key

openssl genrsa -out domain.key 2048

generate custom dh paramters

openssl dhparam -out dhparams.pem 2048

generate csr from domain private key

# single domain
openssl req -new -sha256 -key domain.key -out domain.csr -subj "/"

# multiple domain
cp /etc/ssl/openssl.cnf domain.conf
printf "[SAN]\," >> domain.conf
openssl req -new -sha256 -key domain.key -out domain.csr -subj "/" \
        -reqexts SAN -config domain.conf

add a sslcert user, put the key in place

useradd -M sslcert
mkdir /opt/sslcert
mkdir /opt/sslcert/bin
mkdir /opt/sslcert/keys
mkdir /opt/sslcert/certs
mkdir /opt/sslcert/acme-challenge

cp acme-client.php /opt/sslcert/bin
mv account.key /opt/sslcert/keys
mv domain.csr /opt/sslcert/keys
mv domain.key /etc/ssl/private
mv dhparams.pem /etc/ssl/private

chown -R sslcert:sslcert /opt/sslcert/keys
chown -R sslcert:sslcert /opt/sslcert/certs
chown -R sslcert:sslcert /opt/sslcert/acme-challenge
chmod 700 /opt/sslcert/keys
chmod 600 /opt/sslcert/keys/account.key
chmod 600 /opt/sslcert/keys/domain.csr
chmod 600 /etc/ssl/private/domain.key
chmod 600 /etc/ssl/private/dhparams.pem

change nginx config to add http challenge dir

server {
    listen 80 default_server;

    root /opt/www/html;
    index index.html;
    try_files $uri $uri/ =404;

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /opt/sslcert/acme-challenge/;

service nginx reload

create a wrap script

vi /opt/sslcert/bin/
chmod +x /opt/sslcert/bin/


php /opt/sslcert/bin/acme-client.php \
    -a /opt/sslcert/keys/account.key \
    -r /opt/sslcert/keys/domain.csr \
    -d ";" \
    -c /opt/sslcert/acme-challenge \
    -o /opt/sslcert/certs/
if [ $? -ne 0 ]
    exit 1

cp /opt/sslcert/certs/ \

rm -f -- /opt/sslcert/acme-challenge/*

get cert

su -s /bin/bash -c '/opt/sslcert/bin/' sslcert

final nginx ssl conf

server {
    listen 80 default_server;

    root /opt/www/html;
    index index.html;
    try_files $uri $uri/ =404;

    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /opt/sslcert/acme-challenge/;

    location / {
        return 301 https://$host$request_uri;

server {
    listen 443 ssl;

    root /opt/www/html;
    index index.html;
    try_files $uri $uri/ =404;

    ssl on;
    ssl_certificate /opt/sslcert/certs/domain.crt;
    ssl_certificate_key /etc/ssl/private/domain.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;

service nginx reload

set crontab task to renew cert (run every week)

crontab -u sslcert -e

0 0 * * 1 /bin/bash /opt/sslcert/bin/




a small tool to get and renew tls certs from let's encrypt







No releases published


No packages published
