Generate Let’s Encrypt SSL Certificate without Webserver
We will use acme.sh with the Cloudflare DNS API to obtain a wildcard SSL certificate from Let’s Encrypt for our domain, and we will run everything from Cloud Shell, the free Linux shell virtual machine instance provided by Google Cloud.
Note: Make sure that you have already added your domain to Cloudflare.
- Log in to Google Cloud Console and activate Cloud Shell.
- Install acme.sh:
  curl https://get.acme.sh | sh -s email=[email protected]
- Set up the Cloudflare Global API Key. First log in to your Cloudflare account to get your API key, then export it together with your account email:
  export CF_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
  export CF_Email="[email protected]"
  If you want to use another DNS API, check the details in the acme.sh documentation.
- Issue a wildcard SSL certificate using the Let’s Encrypt provider:
  acme.sh --issue -d '*.example.com' --dns dns_cf --server letsencrypt
-
Example output when generating a wildcard SSL certificate:
aziz@cloudshell:~ (my-project-id-xxx)$ acme.sh --issue -d '*.blogdoang.com' --dns dns_cf --server letsencrypt
[Fri 19 Aug 2022 02:45:15 AM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri 19 Aug 2022 02:45:15 AM UTC] Single domain='*.blogdoang.com'
[Fri 19 Aug 2022 02:45:15 AM UTC] Getting domain auth token for each domain
[Fri 19 Aug 2022 02:45:18 AM UTC] Getting webroot for domain='*.blogdoang.com'
[Fri 19 Aug 2022 02:45:18 AM UTC] Adding txt value: xxxxxxxxxxxxxxxxxxxxxxxxxx for domain: _acme-challenge.blogdoang.com
[Fri 19 Aug 2022 02:45:22 AM UTC] Adding record
[Fri 19 Aug 2022 02:45:23 AM UTC] Added, OK
[Fri 19 Aug 2022 02:45:23 AM UTC] The txt record is added: Success.
[Fri 19 Aug 2022 02:45:23 AM UTC] Let's check each DNS record now. Sleep 20 seconds first.
[Fri 19 Aug 2022 02:45:44 AM UTC] You can use '--dnssleep' to disable public dns checks.
[Fri 19 Aug 2022 02:45:44 AM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/dnscheck
[Fri 19 Aug 2022 02:45:44 AM UTC] Checking blogdoang.com for _acme-challenge.blogdoang.com
[Fri 19 Aug 2022 02:45:44 AM UTC] Domain blogdoang.com '_acme-challenge.blogdoang.com' success.
[Fri 19 Aug 2022 02:45:44 AM UTC] All success, let's return
[Fri 19 Aug 2022 02:45:44 AM UTC] Verifying: *.blogdoang.com
[Fri 19 Aug 2022 02:45:45 AM UTC] Pending, The CA is processing your order, please just wait. (1/30)
[Fri 19 Aug 2022 02:45:49 AM UTC] Success
[Fri 19 Aug 2022 02:45:49 AM UTC] Removing DNS records.
[Fri 19 Aug 2022 02:45:49 AM UTC] Removing txt: xxxxxxxxxxxxxxxxxxxxxxxxxx for domain: _acme-challenge.blogdoang.com
[Fri 19 Aug 2022 02:45:53 AM UTC] Removed: Success
[Fri 19 Aug 2022 02:45:53 AM UTC] Verify finished, start to sign.
[Fri 19 Aug 2022 02:45:53 AM UTC] Lets finalize the order.
[Fri 19 Aug 2022 02:45:53 AM UTC] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/xxxxxxxxxxxxx'
[Fri 19 Aug 2022 02:45:54 AM UTC] Downloading cert.
[Fri 19 Aug 2022 02:45:54 AM UTC] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/xxxxxxxxxxxxx'
[Fri 19 Aug 2022 02:45:56 AM UTC] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Fri 19 Aug 2022 02:45:56 AM UTC] Your cert is in: /home/aziz/.acme.sh/*.blogdoang.com/*.blogdoang.com.cer
[Fri 19 Aug 2022 02:45:56 AM UTC] Your cert key is in: /home/aziz/.acme.sh/*.blogdoang.com/*.blogdoang.com.key
[Fri 19 Aug 2022 02:45:56 AM UTC] The intermediate CA cert is in: /home/aziz/.acme.sh/*.blogdoang.com/ca.cer
[Fri 19 Aug 2022 02:45:56 AM UTC] And the full chain certs is there: /home/aziz/.acme.sh/*.blogdoang.com/fullchain.cer
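The credential and issue steps above, as an added example script that is not code from this post or from the acme.sh project. It runs the same flow (acme.sh, the dns_cf hook, Let's Encrypt) with two changes a practitioner would want: the Global API Key grants access to the whole Cloudflare account, so the script refuses to run with CF_Key/CF_Email and instead expects a scoped API token (Zone:DNS:Edit on the one zone) in CF_Token and CF_Account_ID, which the dns_cf hook also accepts; and it installs the issued key and chain outside ~/.acme.sh with mode 600 and triggers a reload. The domain, target directory and reload command are placeholders supplied by the caller, and acme.sh is assumed to be installed in $HOME/.acme.sh as in the post.

```shell
#!/bin/sh
# Added example; not code from the original post or the acme.sh project.
# Issues a Let's Encrypt certificate for an apex domain plus its wildcard using
# acme.sh's dns_cf hook with a scoped Cloudflare API token, then installs the
# files with restrictive permissions. DOMAIN, CERT_DIR and RELOAD_CMD are
# placeholders supplied by the caller (assumption, not values from the post).

set -eu

# Location of the acme.sh install (the post installs it under ~/.acme.sh).
ACME_HOME="${ACME_HOME:-${HOME:-$PWD}/.acme.sh}"

# Return 1 (with a message on stderr) if the named variable is unset or empty.
require_env() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "missing required environment variable: $1" >&2
    return 1
  fi
}

# dns_cf prefers CF_Token/CF_Account_ID but falls back to CF_Key/CF_Email.
# Refuse to run if the Global API Key is in the environment so a leaked shell
# history or Cloud Shell session never exposes account-wide credentials.
refuse_global_key() {
  if [ -n "${CF_Key:-}" ] || [ -n "${CF_Email:-}" ]; then
    echo "CF_Key/CF_Email are set; unset them and use a scoped CF_Token instead" >&2
    return 1
  fi
}

# Build the issue command (apex + wildcard, ECC key) as a string so it can be
# reviewed or logged before it is eval'd. The wildcard stays single-quoted so
# the shell does not glob-expand it when the command runs.
issue_cmd() {
  printf '%s' "$ACME_HOME/acme.sh --issue --server letsencrypt --dns dns_cf --keylength ec-256 -d $1 -d '*.$1'"
}

# Validate credentials, issue the certificate, then copy the key and full chain
# into CERT_DIR with mode 600 and run the reload command.
issue_wildcard() {
  domain="$1"; cert_dir="$2"; reload_cmd="$3"
  refuse_global_key
  require_env CF_Token
  require_env CF_Account_ID
  eval "$(issue_cmd "$domain")"
  umask 077
  mkdir -p "$cert_dir"
  # --ecc selects the ECC certificate directory created by --keylength ec-256.
  "$ACME_HOME/acme.sh" --install-cert --ecc -d "$domain" \
    --key-file "$cert_dir/privkey.pem" \
    --fullchain-file "$cert_dir/fullchain.pem" \
    --reloadcmd "$reload_cmd"
  chmod 600 "$cert_dir/privkey.pem"
}

# Example invocation (all three arguments are placeholders):
#   CF_Token=... CF_Account_ID=... sh issue.sh example.com /etc/ssl/example.com 'systemctl reload nginx'
if [ "$#" -eq 3 ]; then
  issue_wildcard "$1" "$2" "$3"
fi
```

acme.sh saves the token it used into ~/.acme.sh/account.conf so that the cron renewal can repeat the DNS challenge; in Cloud Shell the home directory persists between sessions, so that file deserves the same care as the private key, and a token scoped to one zone limits what a copy of it could do.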