Switch from Certbot to acme.sh

I normally use Certbot to issue and install the free Let’s Encrypt certificates. But I haven’t found a convenient way to issue ECC certificates with Certbot, if one exists at all. For that reason I switched from Certbot to acme.sh.

With acme.sh I can issue ECC certificates directly, without first having to generate all kinds of extra files just to end up with the right type of certificate.

So here’s what I did to move the issuing of my certificates from Certbot to acme.sh. I use nginx as a web server, so I also have to make some changes to its configuration.

Install acme.sh

wget -O - https://get.acme.sh | sh

Revoke the current certificate from Certbot

Next, I revoke the certificate I’m currently using, which was issued through Certbot.

certbot revoke --cert-path /etc/letsencrypt/archive/blog.casakampa.nl/cert1.pem

Issue a new certificate

I use acme.sh to issue a new certificate, which nginx will later use to encrypt the connection between browser and server. I request an elliptic-curve key (ec-384) so that I get an ECC certificate.

acme.sh --issue -d blog.casakampa.nl --keylength ec-384 -w /home/mvandek/blog.casakampa.nl

Change the virtual host config of nginx

nano /etc/nginx/sites-enabled/ssl.blog.casakampa.nl

There I find these directives:

ssl_certificate /etc/letsencrypt/live/blog.casakampa.nl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.casakampa.nl/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/blog.casakampa.nl/chain.pem;

I changed them into:

ssl_certificate /etc/ssl/acme/blog.casakampa.nl/ecc-fullchain.pem;
ssl_certificate_key /etc/ssl/acme/blog.casakampa.nl/ecc-key.pem;
ssl_trusted_certificate /etc/ssl/acme/blog.casakampa.nl/ecc-cert.pem;

Do not restart nginx yet. nginx still has the ‘old’ Certbot certificates loaded, so you can still connect to the website even though those certificates have already been revoked.

Now create the folder in which the new certificates will be installed, and from which nginx will load the newly issued certificates.

Create directory for certificates

First, create a folder called acme inside /etc/ssl/. Then create a subfolder named after the domain, in which the certificates will be stored. In this case that folder is named blog.casakampa.nl.

In short:

mkdir -p /etc/ssl/acme/blog.casakampa.nl

Install the issued certificates

The following command installs the certificate for the domain blog.casakampa.nl. The --ecc parameter tells acme.sh to install the ECC certificate rather than an RSA one. When the files are in place, nginx is restarted to load the new certificates.

acme.sh --install-cert -d blog.casakampa.nl --ecc \
--cert-file /etc/ssl/acme/blog.casakampa.nl/ecc-cert.pem \
--key-file /etc/ssl/acme/blog.casakampa.nl/ecc-key.pem \
--fullchain-file /etc/ssl/acme/blog.casakampa.nl/ecc-fullchain.pem \
--reloadcmd "systemctl restart nginx.service"
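As an added check that is not part of the original post: before the --reloadcmd restarts nginx, it is worth verifying that the installed private key is actually on the requested curve (secp384r1 for ec-384) and belongs to the installed certificate, so a half-written or mismatched file never takes the site down. The script assumes the openssl CLI is available; the self-signed pair it generates is constructed only for the demo and is not a Let’s Encrypt certificate.

```shell
#!/bin/sh
# Added example: sanity-check an ECC cert/key pair installed by acme.sh.
# Usage: check_ecc_pair CERT KEY [CURVE]   (CURVE defaults to secp384r1)

# Return 0 only when KEY is an EC key on CURVE, its public key equals the
# one embedded in CERT, and CERT is currently within its validity period.
check_ecc_pair() {
    cert="$1"; key="$2"; curve="${3:-secp384r1}"

    # 1. the private key must be an EC key on the expected named curve
    got_curve=$(openssl ec -in "$key" -noout -text 2>/dev/null \
                | sed -n 's/^ASN1 OID: //p')
    [ "$got_curve" = "$curve" ] || return 1

    # 2. public key derived from the private key == public key in the cert
    key_pub=$(openssl ec -in "$key" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 1

    # 3. the certificate must not be expired right now
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed demo material: a throw-away self-signed P-384 pair in DIR.
gen_sample_pair() {
    dir="$1"
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ecc-key.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/ecc-key.pem" -subj "/CN=example.test" \
        -days 1 -out "$dir/ecc-cert.pem" 2>/dev/null
}

# Demo run on the constructed pair.
demo_dir=$(mktemp -d)
gen_sample_pair "$demo_dir"
if check_ecc_pair "$demo_dir/ecc-cert.pem" "$demo_dir/ecc-key.pem"; then
    echo "OK: key is on secp384r1 and matches the certificate"
else
    echo "FAIL: do not reload nginx with these files" >&2
fi
rm -rf "$demo_dir"
```

On the server this check can be chained in front of the reload, e.g. a reloadcmd of the form "check_ecc_pair CERT KEY && nginx -t && systemctl reload nginx", so nginx only picks up files that passed both the pair check and its own config test.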