I normally use Certbot to issue and install the free Let’s Encrypt certificates. But I haven’t found a, or there is no, convenient way to issue ECC-certificates with Certbot. For that reason I switched from Certbot to acme.sh.
With acme.sh I can generate ECC certificates, without having to generate all kinds of extra files before I receive the right type of certificate.
So here’s what I did to change from Certbot issuing my certificates, to acme.sh. I use nginx as a webserver, and I have to make some changes in the config as well.
Install acme.sh
wget -O - https://get.acme.sh | shRevoke the current certificate from Certbot
Next, I revoke the certificate I’m currently using from Certbot.
certbot revoke --cert-path /etc/letsencrypt/archive/blog.casakampa.nl/cert1.pemIssue a new certificate
I use acme.sh to issue a new certificate, which will be later used by nginx to encrypt the connection between browser and server. I use an elliptic curve (ec-384) to create an ECC-certificate.
acme.sh --issue -d blog.casakampa.nl --keylength ec-384 -w /home/mvandek/blog.casakampa.nlChange the virtual host config of nginx
nano /etc/nginx/sites-enabled/ssl.blog.casakampa.nlThere I find these rules:
ssl_certificate /etc/letsencrypt/live/blog.casakampa.nl/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/blog.casakampa.nl/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/blog.casakampa.nl/chain.pem;I changed them into:
ssl_certificate /etc/ssl/acme/blog.casakampa.nl/ecc-fullchain.pem;
ssl_certificate_key /etc/ssl/acme/blog.casakampa.nl/ecc-key.pem;
ssl_trusted_certificate /etc/ssl/acme/blog.casakampa.nl/ecc-cert.pem;Do not restart nginx. The ‘old’ Certbot certificates are still used by nginx, so you still can connect to the website, even while the certificates are already revoked.
Now you have to create the folder in which the new certificates will be installed, and from where nginx will load the new issued certificates.
Create directory for certificates
First, create a folder called acme inside /etc/ssl/. Then, accordingly to the domain name, create a folder where the certificates will be stored. In this case, that folder will be named blog.casakampa.nl.
In short:
mkdir -p /etc/ssl/acme/blog.casakampa.nlInstall the issued certificates
The following code will install the certificate for the domain blog.casakampa.nl. It knows it’s an ECC-certificate because of the –ecc parameter. When the files are installed, nginx will be restarted to load the new certificates.
acme.sh --install-cert -d blog.casakampa.nl --ecc \
--cert-file /etc/ssl/acme/blog.casakampa.nl/ecc-cert.pem \
--key-file /etc/ssl/acme/blog.casakampa.nl/ecc-key.pem \
--fullchain-file /etc/ssl/acme/blog.casakampa.nl/ecc-fullchain.pem \
--reloadcmd "systemctl restart nginx.service"