Generate Let's Encrypt SSL Certificate without Webserver

We will use acme.sh with the Cloudflare DNS API to obtain a wildcard SSL certificate from Let's Encrypt for our domain. Because the DNS-01 challenge proves control of the domain by publishing a TXT record rather than serving a file over HTTP, no web server is needed; everything is run from Cloud Shell, the free Linux shell virtual machine instance provided by Google Cloud.

Note: Make sure that you have already added your domain to Cloudflare.

  1. Log in to the Google Cloud Console and activate Cloud Shell.

  2. Install acme.sh:

     curl https://get.acme.sh | sh -s email=myemail@example.com

  3. Set up the Cloudflare global API key. First log in to your Cloudflare account to obtain the key, then export it together with your Cloudflare account email:

     export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
     export CF_Email="myemail@example.com"

If you want to use another DNS provider's API, see the acme.sh DNS API documentation for the variables that provider requires.

  4. Issue a wildcard SSL certificate using the Let's Encrypt CA:

     acme.sh --issue -d '*.example.com' --dns dns_cf --server letsencrypt

  5. Example output from issuing a wildcard SSL certificate (the PEM body of the certificate is omitted):

     aziz@cloudshell:~ (my-project-id-xxx)$ acme.sh --issue -d '*.blogdoang.com' --dns dns_cf --server letsencrypt
     [Fri 19 Aug 2022 02:45:15 AM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
     [Fri 19 Aug 2022 02:45:15 AM UTC] Single domain='*.blogdoang.com'
     [Fri 19 Aug 2022 02:45:15 AM UTC] Getting domain auth token for each domain
     [Fri 19 Aug 2022 02:45:18 AM UTC] Getting webroot for domain='*.blogdoang.com'
     [Fri 19 Aug 2022 02:45:18 AM UTC] Adding txt value: xxxxxxxxxxxxxxxxxxxxxxxxxx for domain: _acme-challenge.blogdoang.com
     [Fri 19 Aug 2022 02:45:22 AM UTC] Adding record
     [Fri 19 Aug 2022 02:45:23 AM UTC] Added, OK
     [Fri 19 Aug 2022 02:45:23 AM UTC] The txt record is added: Success.
     [Fri 19 Aug 2022 02:45:23 AM UTC] Let's check each DNS record now. Sleep 20 seconds first.
     [Fri 19 Aug 2022 02:45:44 AM UTC] You can use '--dnssleep' to disable public dns checks.
     [Fri 19 Aug 2022 02:45:44 AM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
     [Fri 19 Aug 2022 02:45:44 AM UTC] Checking blogdoang.com for _acme-challenge.blogdoang.com
     [Fri 19 Aug 2022 02:45:44 AM UTC] Domain blogdoang.com '_acme-challenge.blogdoang.com' success.
     [Fri 19 Aug 2022 02:45:44 AM UTC] All success, let's return
     [Fri 19 Aug 2022 02:45:44 AM UTC] Verifying: *.blogdoang.com
     [Fri 19 Aug 2022 02:45:45 AM UTC] Pending, The CA is processing your order, please just wait. (1/30)
     [Fri 19 Aug 2022 02:45:49 AM UTC] Success
     [Fri 19 Aug 2022 02:45:49 AM UTC] Removing DNS records.
     [Fri 19 Aug 2022 02:45:49 AM UTC] Removing txt: xxxxxxxxxxxxxxxxxxxxxxxxxx for domain: _acme-challenge.blogdoang.com
     [Fri 19 Aug 2022 02:45:53 AM UTC] Removed: Success
     [Fri 19 Aug 2022 02:45:53 AM UTC] Verify finished, start to sign.
     [Fri 19 Aug 2022 02:45:53 AM UTC] Lets finalize the order.
     [Fri 19 Aug 2022 02:45:53 AM UTC] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/xxxxxxxxxxxxx'
     [Fri 19 Aug 2022 02:45:54 AM UTC] Downloading cert.
     [Fri 19 Aug 2022 02:45:54 AM UTC] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/xxxxxxxxxxxxx'
     [Fri 19 Aug 2022 02:45:56 AM UTC] Cert success.
     -----BEGIN CERTIFICATE-----

     -----END CERTIFICATE-----
     [Fri 19 Aug 2022 02:45:56 AM UTC] Your cert is in: /home/aziz/.acme.sh/*.blogdoang.com/*.blogdoang.com.cer
     [Fri 19 Aug 2022 02:45:56 AM UTC] Your cert key is in: /home/aziz/.acme.sh/*.blogdoang.com/*.blogdoang.com.key
     [Fri 19 Aug 2022 02:45:56 AM UTC] The intermediate CA cert is in: /home/aziz/.acme.sh/*.blogdoang.com/ca.cer
     [Fri 19 Aug 2022 02:45:56 AM UTC] And the full chain certs is there: /home/aziz/.acme.sh/*.blogdoang.com/fullchain.cer
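The following script wraps steps 2 to 5 into one repeatable flow. It is an added example, not code from the original post or from the acme.sh project, and it assumes acme.sh is already installed and on PATH as in step 2. It goes slightly beyond the post in three ways: it accepts a scoped Cloudflare API token (CF_Token with CF_Account_ID, as documented by acme.sh's dns_cf hook) in preference to the global API key used above, since the global key has full access to the whole Cloudflare account; it requests the apex name alongside the wildcard, because '*.example.com' does not cover 'example.com' itself; and after issuing it copies the key and chain out of ~/.acme.sh with acme.sh's own --install-cert command and checks the SAN list with openssl (the -ext option needs OpenSSL 1.1.1 or newer). DOMAIN and OUT_DIR are placeholders to be set by the operator.

```shell
#!/bin/sh
# Wrapper for the acme.sh + Cloudflare DNS-01 flow from the post above.
# Added example, not part of the original post or of acme.sh itself.
# Assumes acme.sh is installed (curl https://get.acme.sh | sh) and on PATH.
set -eu

DOMAIN="${DOMAIN:-example.com}"           # apex zone hosted at Cloudflare (placeholder)
OUT_DIR="${OUT_DIR:-$HOME/certs/$DOMAIN}" # where the deployable files are copied

# Check the Cloudflare credentials that acme.sh's dns_cf hook reads from the
# environment. A scoped API token (CF_Token with CF_Account_ID) is preferred over
# the global API key (CF_Key + CF_Email), which can do anything in the account.
cf_credentials_ok() {
  if [ -n "${CF_Token:-}" ] && [ -n "${CF_Account_ID:-}" ]; then
    return 0
  fi
  if [ -n "${CF_Key:-}" ] && [ -n "${CF_Email:-}" ]; then
    echo "warning: CF_Key is the Cloudflare global API key; a scoped CF_Token is safer" >&2
    return 0
  fi
  echo "error: set CF_Token and CF_Account_ID (or CF_Key and CF_Email)" >&2
  return 1
}

# Build the issue command. The apex name is requested next to the wildcard
# because '*.example.com' does not match 'example.com' itself.
build_issue_cmd() {
  printf '%s' "acme.sh --issue -d '$1' -d '*.$1' --dns dns_cf --server letsencrypt"
}

# Build the install command: copies key and full chain out of ~/.acme.sh so
# nothing else needs read access to acme.sh's private state directory.
build_install_cmd() {
  printf '%s' "acme.sh --install-cert -d '$1' --key-file '$2/privkey.pem' --fullchain-file '$2/fullchain.pem'"
}

# Post-issue check: the leaf certificate must list both names in its SAN
# extension. Returns 1 when the wildcard or the apex entry is missing.
cert_covers_domain() {
  _sans=$(openssl x509 -in "$1" -noout -ext subjectAltName)
  echo "$_sans" | grep -q "DNS:\*\.$2" && echo "$_sans" | grep -q "DNS:$2"
}

main() {
  cf_credentials_ok
  mkdir -p "$OUT_DIR"
  chmod 700 "$OUT_DIR"
  # DOMAIN and OUT_DIR are operator-supplied, so eval of the built strings is safe here.
  eval "$(build_issue_cmd "$DOMAIN")"
  eval "$(build_install_cmd "$DOMAIN" "$OUT_DIR")"
  chmod 600 "$OUT_DIR/privkey.pem"
  cert_covers_domain "$OUT_DIR/fullchain.pem" "$DOMAIN"
  openssl x509 -in "$OUT_DIR/fullchain.pem" -noout -subject -enddate
}

# The network-touching flow only runs when invoked as: sh issue-wildcard.sh issue
if [ "${1:-}" = "issue" ]; then
  main
fi
```

Run it once with `DOMAIN=example.com sh issue-wildcard.sh issue` after exporting the Cloudflare variables; acme.sh records the issued names and installs a cron entry, so later renewals happen through `acme.sh --cron` and re-run the install step without the script.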