Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS
This tutorial will guide you through the process of setting up a TLS certificate using acme.sh and IONOS Cloud DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.
Prerequisites
You must have an IONOS account.
You must have a domain name registered and managed by IONOS Cloud DNS.
Your primary zone has a Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the primary zone.
You have acme.sh installed on your system. If not, you can install it by following the instructions on the acme.sh GitHub page.
Steps
Install acme.sh
If you have not installed acme.sh, you can do so using the following command:
    curl https://get.acme.sh | sh
Add acme.sh to your PATH
If acme.sh is not found, add it to your PATH. Add the following line to your shell configuration file, for example .zshrc for Zsh or .bashrc for Bash:
    export PATH="$HOME/.acme.sh:$PATH"
After executing this command, reload your shell configuration.
For Bash:
    source ~/.bashrc
For Zsh:
    source ~/.zshrc
Set Up IONOS Cloud DNS API Credentials
You need to set up your IONOS Cloud DNS API credentials. Export the IONOS_TOKEN as an environment variable:
    export IONOS_TOKEN="<IONOS Cloud Token>"
Replace <IONOS Cloud Token> with your actual IONOS Cloud token. For more information on managing authentication tokens, see Token Manager.
Configure the DNS API in acme.sh
Configure acme.sh to use the IONOS Cloud DNS API:
    acme.sh --set-default-ca --server zerossl
    acme.sh --register-account --accountemail "<your-email-address>"
Replace <your-email-address> with your IONOS Cloud registered email address.
While this tutorial uses ZeroSSL as the default CA, acme.sh supports other CAs, such as Let's Encrypt. You can change the CA by using the --server option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the server option as follows:
    acme.sh --set-default-ca --server letsencrypt
Issue a Certificate Using acme.sh
Use acme.sh to issue a certificate for your domain:
    acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
Replace yourdomain.com with your actual domain name.
Install the Certificate
Once the certificate is issued, you can install it using the following command:
    acme.sh --install-cert -d yourdomain.com \
        --key-file /path/to/your/private.key \
        --fullchain-file /path/to/your/fullchain.pem
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Configure Your Web Server
Update your web server configuration to use the new certificate. For example, if you are using Nginx, update your configuration file as follows:
    server {
        listen 443 ssl;
        server_name yourdomain.com;
        ssl_certificate /path/to/your/fullchain.pem;
        ssl_certificate_key /path/to/your/private.key;
        ...
    }
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Restart Your Web Server
Restart your web server to apply the changes. For Nginx, use:
    sudo systemctl restart nginx
Verify the Certificate
Open a web browser and navigate to https://yourdomain.com to verify that the certificate is correctly installed and the connection is secure.
Automatic Renewal
The certificate will be automatically renewed by acme.sh every 60 days. However, you can also force a renewal:
    acme.sh --renew -d yourdomain.com --force
or, for an ECC certificate:
    acme.sh --renew -d yourdomain.com --force --ecc
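The installed files from the "Install the Certificate" step can also be checked from the shell after installation or renewal. The script below is an added example, not part of the original tutorial or of acme.sh: it confirms that the certificate is not close to expiry, that the private key matches it, and that the key file is not accessible to other users. The function name check_cert_pair, its exit codes and the 30-day default are assumptions made for this illustration, and it requires the openssl command.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Checks a certificate/key pair such as
# the files written by `acme.sh --install-cert`. The function name, exit codes and
# the 30-day threshold are assumptions made for this illustration.
# Exit status: 0 ok, 1 unreadable file, 2 expires too soon,
#              3 key does not match certificate, 4 key accessible to group/other.
check_cert_pair() {
    local chain key min_days cert_pub key_pub mode
    chain=$1; key=$2; min_days=${3:-30}
    [ -r "$chain" ] && [ -r "$key" ] || return 1

    # -checkend N exits non-zero if the first (leaf) certificate expires within N seconds.
    openssl x509 -in "$chain" -noout -checkend "$((min_days * 86400))" >/dev/null || return 2

    # The public key embedded in the leaf must equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # The private key should carry no group/other permission bits (e.g. 600 or 400).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in *00) return 0 ;; *) return 4 ;; esac
}

# With two paths as arguments, check those files; otherwise run on a constructed,
# throwaway self-signed pair so the script can be tried offline.
if [ "$#" -ge 2 ]; then
    check_cert_pair "$@"; echo "check_cert_pair exit status: $?"
else
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=yourdomain.com" \
        -keyout "$tmp/private.key" -out "$tmp/fullchain.pem" 2>/dev/null
    chmod 600 "$tmp/private.key"
    check_cert_pair "$tmp/fullchain.pem" "$tmp/private.key" 30
    echo "constructed pair, 30-day window: exit status $?"
    rm -rf "$tmp"
fi
```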
Conclusion
You have successfully set up a TLS certificate using acme.sh and IONOS Cloud DNS. This ensures that your web server is secure and your data is protected.
For more information, refer to the acme.sh documentation and the IONOS Cloud DNS API.