How to Deploy SSL Certificates with Acme.sh - Step by Step Guide

Mar 26, 2026

What is This Guide About?

This guide will help you set up and use Acme.sh to get free SSL certificates for your website. SSL certificates make your website secure (the padlock icon in the browser) and are essential for any modern website.

Before you start: Make sure you have already installed Acme.sh on your server. If you have not, you will need to do that first.


Quick Setup for cPanel Users

If you use cPanel hosting and have SSH access, this is the easiest way to get started.

What You'll Need

  • SSH access to your cPanel account
  • Your cPanel username and server address
  • Your email address

Step-by-Step Instructions

Step 1: Connect to Your Server

a. Log in to your cPanel account, go to the Advanced section, and click on Terminal.

b. Alternatively, if you do not see the Terminal option in cPanel, you can connect using any SSH client (for example, PuTTY or OpenSSH). Use your server's IP address as the Host Name, and enter your cPanel username and password to log in.

* To install acme.sh, please refer to the Installation Guide here: [Link].

Note: In cPanel, acme.sh or any similar tool will be installed in your home directory.

Step 2: Set Up Your Configuration

You need to provide some important information. Copy these lines and replace the XXXX parts with your actual details:

export ACME_SERVER="https://demo.acme-server.com/directory"
export EAB_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export HMAC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export EMAIL="admin@example.com"
export CF_Token="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

What these mean:

Variable      Description
ACME_SERVER   The address of your SSL certificate provider
EAB_KEY       Your unique identification key (get this from your provider)
HMAC_KEY      Your secure password key (get this from your provider)
EMAIL         Your email address for notifications
CF_Token      Your Cloudflare security token (if using Cloudflare)
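
One way to keep the Step 2 values in an owner-only file rather than typing the secrets into an interactive shell, as an added example that is not part of the original guide or of acme.sh. The default path is the one this guide sources later under Option 1; the ACME_ENV_FILE variable and both function names are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide or of acme.sh.
# Assumed names: ACME_ENV_FILE, init_acme_env, load_acme_env.
ACME_ENV_FILE="${ACME_ENV_FILE:-$HOME/.acme.sh/config/acme-server.env}"

# Create the file readable by its owner only, holding the Step 2 placeholders.
# An existing file is never overwritten; only its mode is tightened.
init_acme_env() {
    if [ -e "$ACME_ENV_FILE" ]; then
        chmod 600 "$ACME_ENV_FILE"
        return
    fi
    (
        umask 077
        mkdir -p "$(dirname "$ACME_ENV_FILE")" &&
        cat > "$ACME_ENV_FILE" <<'EOF'
export ACME_SERVER="https://demo.acme-server.com/directory"
export EAB_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export HMAC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
export EMAIL="admin@example.com"
export CF_Token="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
EOF
    )
}

# Load the variables, refusing a file that others can read or that is unedited.
load_acme_env() {
    perms=$(ls -ld "$ACME_ENV_FILE" 2>/dev/null | cut -c5-10)  # group+other bits
    if [ "$perms" != "------" ]; then
        echo "refusing $ACME_ENV_FILE: missing, or accessible to group/others" >&2
        return 1
    fi
    if grep -q 'XXXXXXXX' "$ACME_ENV_FILE"; then
        echo "refusing $ACME_ENV_FILE: placeholder values not replaced" >&2
        return 1
    fi
    . "$ACME_ENV_FILE"
    [ -n "$ACME_SERVER" ] && [ -n "$EAB_KEY" ] && [ -n "$HMAC_KEY" ]
}
```

Run init_acme_env once, edit the file, then call load_acme_env before the acme.sh commands in the following steps.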

Step 3: Register Your Account

Register with the certificate provider:

acme.sh --register-account \
--server "$ACME_SERVER" \
--eab-kid "$EAB_KEY" \
--eab-hmac-key "$HMAC_KEY"

This creates your account with the SSL certificate provider.

Step 4: Get and Install Your Certificate

Now get your SSL certificate and install it automatically:

acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d cptest.example.com \
--deploy-hook cpanel_uapi

Replace cptest.example.com with your actual domain name.

What happens here:

  • Acme.sh requests a certificate for your domain
  • It proves you own the domain using DNS records
  • The certificate is automatically installed in cPanel

Step 5: Test Automatic Renewal

Your certificate will automatically renew, but you can test it:

acme.sh --renew -d cptest.example.com --force

Step 6: Verify the Scheduled Renewal Job

Check that automatic renewal is set up:

crontab -l | grep acme.sh

You should see a scheduled task that will run automatically to renew your certificate.

Step 7: Install Certificate to Domain

acme.sh --deploy -d cptest.demo.com --deploy-hook cpanel_uapi

This command connects to the cPanel Universal API (cpanel_uapi) and deploys the SSL certificate for cptest.demo.com to its respective domain.

Note: You can run the certificate issue/renew together with the deployment command in a single step:

acme.sh --issue --server "$ACME_SERVER" --dns dns_cf -d cptest.example.com --deploy-hook cpanel_uapi

Getting SSL Certificates for Different Domain Types

Option 1: Single Domain Certificate

This is for one website address (like www.example.com):

source ~/.acme.sh/config/acme-server.env
acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d demo.example.com

Option 2: Multiple Domains in One Certificate

If you want one certificate to cover several related domains:

acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d demo.example.com \
-d www.demo.example.com \
-d mail.demo.example.com \
-d api.demo.example.com

Use this when: You have multiple subdomains that belong together (like www, mail, and api).

Option 3: Wildcard Certificate

This covers ALL possible subdomains under your main domain:

acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d "*.example.com" \
-d example.com

Use this when: You have many subdomains or create them frequently.

Example: One certificate covers blog.example.com, shop.example.com, mail.example.com, etc.

Option 4: Wildcard + Specific Domains Combined

Combine wildcard with specific domains:

acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d "*.example.com" \
-d example.com \
-d www.example.com \
-d mail.example.com
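
How the -d names in Options 2 to 4 map to hostnames, as an added example that is not part of the original guide or of acme.sh: a wildcard name matches exactly one label, which is why example.com is listed next to "*.example.com". The function names name_covers and covered_by are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide or of acme.sh.
# Assumed names: name_covers, covered_by.

# True if certificate name $1 (as passed to -d) covers hostname $2.
name_covers() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            base=${name#'*.'}
            label=${host%".$base"}
            [ "$label" != "$host" ] || return 1   # host does not end in .base
            case $label in
                ''|*.*) return 1 ;;               # empty, or deeper than one label
            esac
            return 0 ;;
        *)
            [ "$name" = "$host" ] ;;              # plain names match exactly
    esac
}

# $1 = hostname, remaining arguments = the -d names of one certificate.
# Prints the first name that covers the host; returns 1 if none does.
covered_by() {
    h=$1; shift
    for n in "$@"; do
        if name_covers "$n" "$h"; then
            printf '%s\n' "$n"
            return 0
        fi
    done
    return 1
}

# Example calls with the names used in this guide:
#   covered_by blog.example.com '*.example.com' example.com
#   covered_by api.demo.example.com '*.example.com' example.com
```

The second call finds no match: api.demo.example.com is two labels below example.com, so it needs its own -d entry as in Option 2.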

Where Are Your Certificates Stored?

After getting a certificate, Acme.sh saves several files in a folder:

~/.acme.sh/demo.example.com/
├── ca.cer                   # Intermediate certificate
├── demo.example.com.cer     # Your main certificate
├── demo.example.com.key     # Private key (KEEP SECRET!)
├── fullchain.cer            # Complete certificate chain
└── demo.example.com.conf    # Settings file

Important Files Explained

File                    Description
fullchain.cer           Use this for most web servers (Apache, Nginx). Contains your complete certificate with all necessary parts.
demo.example.com.key    KEEP THIS SECRET. This is your private key. Never share it or upload it to public places.
demo.example.com.cer    Your main certificate only (without intermediate certificates).
ca.cer                  Intermediate certificate from the certificate authority.
demo.example.com.conf   Acme.sh settings file for this domain (renewal config, hooks, etc.).

Installing Certificates on Your Web Server

For Apache Web Server

Step 1: Install the Certificate Files

acme.sh --install-cert \
-d demo.example.com \
--cert-file /etc/ssl/certs/demo.example.com.cer \
--key-file /etc/ssl/private/demo.example.com.key \
--fullchain-file /etc/ssl/certs/fullchain.cer \
--reloadcmd "systemctl reload apache2"

This copies your certificate files to the right locations and reloads Apache automatically.

Step 2: Configure Apache to Use SSL

This creates a secure website configuration:

sudo tee /etc/apache2/sites-available/demo.example.com-ssl.conf > /dev/null << 'EOF'
<VirtualHost *:443>
    ServerName demo.example.com
    ServerAdmin admin@demo.example.com
    DocumentRoot /var/www/demo.example.com

    SSLEngine on
    # fullchain.cer holds the certificate plus intermediates (Apache 2.4.8 and later).
    # SSLCertificateChainFile is deprecated and would repeat the certificate in the chain.
    SSLCertificateFile /etc/ssl/certs/fullchain.cer
    SSLCertificateKeyFile /etc/ssl/private/demo.example.com.key

    # Allow only TLS 1.2 and TLS 1.3
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
EOF

Step 3: Activate the Configuration

sudo a2enmod ssl headers
sudo a2ensite demo.example.com-ssl
sudo systemctl reload apache2

What this does:

  • Enables SSL and security headers
  • Activates your new secure site
  • Reloads Apache to apply changes

For Nginx Web Server

Step 1: Install the Certificate Files

acme.sh --install-cert \
-d demo.example.com \
--cert-file /etc/ssl/certs/demo.example.com.cer \
--key-file /etc/ssl/private/demo.example.com.key \
--fullchain-file /etc/ssl/certs/fullchain.cer \
--reloadcmd "systemctl reload nginx"

Step 2: Configure Nginx for SSL

sudo tee /etc/nginx/sites-available/demo.example.com > /dev/null << 'EOF'
server {
    listen 443 ssl http2;
    server_name demo.example.com;

    ssl_certificate /etc/ssl/certs/fullchain.cer;
    ssl_certificate_key /etc/ssl/private/demo.example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name demo.example.com;
    return 301 https://$host$request_uri;
}
EOF

This configuration also automatically redirects visitors from HTTP to HTTPS.

Step 3: Activate and Test

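# Enable the site if it is not linked yet (Debian/Ubuntu sites-available layout)
sudo ln -sf /etc/nginx/sites-available/demo.example.com /etc/nginx/sites-enabled/demo.example.com
sudo nginx -t
sudo systemctl reload nginx

The first command enables the site, the second checks that your configuration is valid, and the third reloads Nginx.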


Monitoring Your Certificates

View All Your Certificates

acme.sh --list

This shows all domains with certificates and their expiry dates.

Get Detailed Information About a Specific Certificate

acme.sh --info -d demo.example.com

This shows:

  • Domain name
  • Next renewal date
  • Server configuration
  • Deployment settings

Check When Your Certificate Expires

echo | openssl s_client -connect demo.example.com:443 -servername demo.example.com 2>/dev/null | openssl x509 -noout -dates

This shows the certificate start and end dates. Example output:

notBefore=Feb  9 10:00:00 2026 GMT
notAfter=May 10 10:00:00 2026 GMT

Multiple EAB Accounts (Optional)

Acme.sh supports managing multiple EAB accounts using different working directories. If your server hosts multiple websites and you need to install a separate Single Domain SSL certificate for each domain using different EAB accounts, this option is helpful.

To manage multiple EAB accounts on the same web server, you should create separate working directories for acme.sh. This allows each account to store and manage its own certificates independently, keeping everything organized and avoiding conflicts.

Account 1 (default)

export LE_WORKING_DIR="$HOME/.acme.sh.account1"
export EAB_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_account1"
export HMAC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_account1"

acme.sh --register-account \
--server "$ACME_SERVER" \
--eab-kid "$EAB_KEY" \
--eab-hmac-key "$HMAC_KEY"

Account 2

export LE_WORKING_DIR="$HOME/.acme.sh.account2"
export EAB_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_account2"
export HMAC_KEY="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX_account2"

acme.sh --register-account \
--server "$ACME_SERVER" \
--eab-kid "$EAB_KEY" \
--eab-hmac-key "$HMAC_KEY"

Issue Certificate with a Specific Account

export LE_WORKING_DIR="$HOME/.acme.sh.account1"
acme.sh --issue --server "$ACME_SERVER" --dns dns_cf -d example.com

Troubleshooting Common Problems

Problem 1: DNS Not Working

Symptoms: Certificate fails to issue, DNS errors in logs
Solution: Test with detailed debugging. The command below shows exactly what is happening with your DNS provider.

acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d demo.example.com \
--debug 2

Problem 2: Certificate Request Timing Out

Symptoms: Process takes too long and fails
Solution: Increase timeout values using the variables below before running the issue command.

export Le_HTTPTimeout=600
export Le_DNSSleep=120
acme.sh --issue \
--server "$ACME_SERVER" \
--dns dns_cf \
-d demo.example.com

What these mean:

  • Le_HTTPTimeout — How long to wait for server responses (600 seconds = 10 minutes)
  • Le_DNSSleep — How long to wait for DNS changes (120 seconds = 2 minutes)

Problem 3: Automatic Renewal Not Working

Check the scheduled job:

crontab -l | grep acme.sh

If nothing appears, the automatic renewal is not set up.

Test renewal manually with debugging:

acme.sh --cron --force --debug 2

This shows any errors preventing automatic renewal.


Pre-Launch Checklist

Before going live with your SSL certificate, verify everything using the checklist below.

Installation Checks

  • Acme.sh installed and version shows correctly
  • Configuration variables set up
  • DNS provider credentials working
  • Account registered with certificate provider

Certificate Checks

  • Test certificate issued successfully
  • Certificate installed on web server
  • Web server configured for HTTPS
  • Website loads with padlock icon

Automation Checks

  • Custom deployment scripts created and tested
  • Automatic renewal scheduled (cron job exists)
  • Manual renewal test successful
  • Deployment hooks run correctly

Security Checks

  • Private key files have restricted permissions (600)
  • Certificate files readable by web server
  • HTTPS redirects working
  • Security headers configured
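
A scripted version of the file-level checks above (key permissions, certificate and key belonging together, remaining validity), as an added example that is not part of the original guide or of acme.sh. It assumes the directory layout shown under "Where Are Your Certificates Stored?"; the function names and the 30-day default are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide or of acme.sh.
# Assumed names: key_is_private, cert_matches_key, audit_cert_dir; 30-day default.

# True only if the file grants nothing to group or others (for example mode 600).
key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# True if the first certificate in $1 carries the public key of private key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# $1 = certificate directory, $2 = domain, $3 = minimum days of validity left.
# acme.sh keeps ECC certificates in "<domain>_ecc"; pass that directory as $1.
audit_cert_dir() {
    dir=$1; domain=$2; days=${3:-30}; rc=0
    key="$dir/$domain.key"; chain="$dir/fullchain.cer"
    if ! key_is_private "$key"; then
        echo "FAIL $key: missing, or accessible to group/others"; rc=1
    fi
    if ! cert_matches_key "$chain" "$key"; then
        echo "FAIL $chain: public key does not match $key"; rc=1
    fi
    if ! openssl x509 -in "$chain" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL $chain: expires within $days days (or is unreadable)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $domain: key private, chain matches key, more than $days days left"
    return "$rc"
}

# Example call:
#   audit_cert_dir "$HOME/.acme.sh/demo.example.com" demo.example.com 30
```

The non-zero return code on any failure makes the function usable from a cron job or monitoring check.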

Need Help?

Official Resources

Resource                    URL
Acme.sh GitHub              https://github.com/acmesh-official/acme.sh
Complete Documentation      https://github.com/acmesh-official/acme.sh/wiki
DNS Provider Setup Guides   https://github.com/acmesh-official/acme.sh/wiki/dnsapi
Deployment Examples         https://github.com/acmesh-official/acme.sh/wiki/deployhooks

Quick Summary

What You've Learned

Topic                          What Was Covered
SSL Certificate Installation   Using Acme.sh to get free, trusted certificates
Certificate Types              Single domain, multiple domains, and wildcard certificates
Web Server Setup               Installing certificates on Apache and Nginx
Automation                     Setting up automatic renewal so you never forget
Monitoring                     Checking certificate health and viewing logs
Troubleshooting                Fixing common problems when they occur

Key Points to Remember

#  Point                              Detail
1  Certificates renew automatically   Acme.sh checks daily and renews 60 days before expiry
2  Always use fullchain.cer           This file contains everything your web server needs
3  Keep your private key secret       Never share or publish the .key file
4  Test renewals regularly            Run manual renewal tests to ensure automation works
5  Monitor expiry dates               Even with automation, check that certificates stay valid
6  Backup your configuration          Regularly save your Acme.sh folder

What Happens Next?

Once everything is set up:

  1. Your website will show a secure padlock icon
  2. Certificates automatically renew every 60 days
  3. Renewal happens in the background without you doing anything
  4. Your website stays secure 24/7 with no manual work

Congratulations!

You have successfully set up automated SSL certificate management for your website.
