Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS
This tutorial will guide you through the process of setting up a TLS certificate using acme.sh
and IONOS Cloud DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.
Prerequisites
You must have an IONOS account.
You must have a domain name registered and managed by IONOS Cloud DNS.
Your primary zone has an Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the primary zone.
You have
acme.sh
installed on your system. If not, you can install it by following the instructions on the acme.sh GitHub page.
Steps
Install
acme.sh
If you have not installed
acme.sh
, you can do so using the following command:curl https://get.acme.sh | sh
Add
acme.sh
to your PATHIf acme.sh is not found, add it to your
PATH
. Add the following line to your shell configuration file. Example:.zshrc
forZsh
or.bashrc
forBash
.export PATH="$HOME/.acme.sh:$PATH"
After executing this command, reload your shell configuration.
For
Bash
:source ~/.bashrc
For
Zsh
:source ~/.zshrc
Set Up IONOS Cloud DNS API Credentials
You need to set up your IONOS Cloud DNS API credentials. Export the
IONOS_TOKEN
as an enviornment variable:export IONOS_TOKEN="<IONOS Cloud Token>"
Replace
IONOS Cloud Token
with your actual IONOS Cloud token. For more information on managing authentication tokens, see Token Manager.Configure the DNS API in
acme.sh
Configure
acme.sh
to use the IONOS Cloud DNS API:acme.sh --set-default-ca --server zerossl acme.sh --register-account --accountemail "[email protected]"
Replace
[email protected]
with your IONOS Cloud registered email address.While this tutorial uses ZeroSSL as the default CA,
acme.sh
supports other CAs, such as Let's Encrypt. You can change the CA by using the--server
option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the server option as follows:acme.sh --set-default-ca --server letsencrypt
Issue a Certificate Using
acme.sh
Use
acme.sh
to issue a certificate for your domain:acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
Replace
yourdomain.com
with your actual domain name.Install the Certificate
Once the certificate is issued, you can install it using the following command:
acme.sh --install-cert -d yourdomain.com \ --key-file /path/to/your/private.key \ --fullchain-file /path/to/your/fullchain.pem
Replace
/path/to/your/private.key
and/path/to/your/fullchain.pem
with the actual paths where you want to store the certificate and key files.Configure Your Web Server
Update your web server configuration to use the new certificate. For example, if you are using
Nginx
, update your configuration file as follows:server { listen 443 ssl; server_name yourdomain.com; ssl_certificate /path/to/your/fullchain.pem; ssl_certificate_key /path/to/your/private.key; ... }
Replace
/path/to/your/private.key
and/path/to/your/fullchain.pem
with the actual paths where you want to store the certificate and key files.Restart Your Web Server
Restart your web server to apply the changes. For Nginx, use:
sudo systemctl restart nginx
Verify the Certificate
Open a web browser and navigate to
https://yourdomain.com
to verify that the certificate is correctly installed and the connection is secure.Automatic Renewal
The certificate will be automatically renewed by
acme.sh
every 60 days. However, you can also force to renew a cert:acme.sh --renew -d yourdomain.com --force
or, for ECC cert:
acme.sh --renew -d yourdomain.com --force --ecc
Conclusion
You have successfully set up a TLS certificate using acme.sh
and IONOS Cloud DNS. This ensures that your web server is secure and your data is protected.
For more information, refer to the acme.sh documentation and the IONOS Cloud DNS API.
Last updated
Was this helpful?