Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS

This tutorial will guide you through the process of setting up a TLS certificate using acme.sh and IONOS Cloud DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.

Target audience

This tutorial is intended to help both developers and technical decision-makers.

What you will learn

You will learn how to use acme.sh with IONOS Cloud DNS to obtain and install a TLS certificate for your domain. The tutorial covers configuring DNS API credentials, issuing the certificate, and setting up automatic renewal for ongoing security.

Before you begin

You must have the following:

  • An IONOS account.

  • A domain name registered and managed by IONOS Cloud DNS.

  • A primary zone with a Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the primary zone.

  • acme.sh installed on your system. If it is not installed, follow the instructions on the acme.sh GitHub page.

Procedure

1. Install acme.sh

If you have not installed acme.sh, you can do so using the following command:

```bash
curl https://get.acme.sh | sh
```

2. Add acme.sh to your PATH

If the acme.sh command is not found, add it to your PATH by adding the following line to your shell configuration file (for example, .zshrc for Zsh or .bashrc for Bash).

```bash
export PATH="$HOME/.acme.sh:$PATH"
```

After adding this line, reload your shell configuration.

For `Bash`:
```bash
source ~/.bashrc
```

For `Zsh`:

```bash
source ~/.zshrc
```

3. Set Up IONOS Cloud DNS API Credentials

You need to set up your IONOS Cloud DNS API credentials. Export the IONOS_TOKEN as an environment variable:

Note: Replace <IONOS Cloud Token> with your actual IONOS Cloud token. For more information on managing authentication tokens, see Token Manager.

```bash
export IONOS_TOKEN="<IONOS Cloud Token>"
```

4. Configure the DNS API in acme.sh

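Set the default CA and register an account with it. The IONOS Cloud DNS API itself is selected with the --dns option when you issue the certificate in the next step: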

```bash
acme.sh --set-default-ca --server zerossl
acme.sh --register-account --accountemail "<your email address>"
```

Replace <your email address> with your IONOS Cloud registered email address. While this tutorial uses ZeroSSL as the default CA, acme.sh supports other CAs, such as Let's Encrypt. You can change the CA by using the --server option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the server option as follows:

```bash
acme.sh --set-default-ca --server letsencrypt
```

5. Issue a Certificate Using acme.sh

Use acme.sh to issue a certificate for your domain:

Note: Replace yourdomain.com with your actual domain name.

```bash
acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
```

6. Install the Certificate

Once the certificate is issued, you can install it using the following command:

Note: Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.

```bash
acme.sh --install-cert -d yourdomain.com \
--key-file /path/to/your/private.key \
--fullchain-file /path/to/your/fullchain.pem
```

7. Configure Your Web Server

Update your web server configuration to use the new certificate. For example, if you are using Nginx, update your configuration file as follows:

Note: Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/fullchain.pem;
    ssl_certificate_key /path/to/your/private.key;

...

}
```

8. Restart Your Web Server

Restart your web server to apply the changes. For Nginx, use:

```bash
sudo systemctl restart nginx
```

9. Verify the Certificate

Open a web browser and navigate to https://yourdomain.com to verify that the certificate is correctly installed and the connection is secure.

10. Automatic Renewal

The certificate will be automatically renewed by acme.sh every 60 days. However, you can also force a renewal:

```bash
acme.sh --renew -d yourdomain.com --force
```

Or, for an ECC certificate:

```bash
acme.sh --renew -d yourdomain.com --force --ecc
```
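
As a command-line complement to the browser check in step 9, the following added example (not part of the original tutorial or of acme.sh) checks the files written by `--install-cert`: key file permissions, key and certificate match, domain coverage, and remaining validity. The function name `check_installed_cert` and the 30-day default threshold are assumptions, and the `openssl` command-line tool must be installed.

```bash
#!/usr/bin/env bash
# Added example: offline check of the files written by `acme.sh --install-cert`.
# Arguments: domain, key file, fullchain file, minimum remaining days
# (default 30, an assumed threshold). Returns 0 only if every check passes.
check_installed_cert() {
    local domain="$1" key="$2" chain="$3" min_days="${4:-30}"
    local rc=0 key_pub cert_pub

    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "FAIL: cannot read $key or $chain"; return 2
    fi

    # 1. The private key must not be accessible to group or others.
    case "$(ls -ldL "$key" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $key is accessible to group/others (use chmod 600)"; rc=1 ;;
    esac

    # 2. The key must belong to the leaf (first) certificate in the chain file.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi

    # 3. The leaf certificate must name the domain.
    if ! openssl x509 -in "$chain" -noout -checkhost "$domain" 2>/dev/null |
            grep -q "does match"; then
        echo "FAIL: certificate does not cover $domain"; rc=1
    fi

    # 4. The certificate must stay valid for at least min_days more days.
    if ! openssl x509 -in "$chain" -noout \
            -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $domain"
    return "$rc"
}

# Run directly with: domain, /path/to/your/private.key, /path/to/your/fullchain.pem
if [ "$#" -ge 3 ]; then
    check_installed_cert "$@"
fi
```

Running it from a scheduled job after each renewal window reports an expiring or mismatched certificate before visitors see a browser warning.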

Final result

Your web server will be secured with a valid TLS certificate issued by ZeroSSL and managed via IONOS Cloud DNS. You can confirm the certificate is active by visiting your domain in a browser and checking for a secure HTTPS connection. Your certificate will renew automatically, ensuring ongoing security with minimal maintenance.

Conclusion

You have successfully set up a TLS certificate using acme.sh and IONOS Cloud DNS. This ensures that your web server is secure and your data is protected.

For more information, refer to the acme.sh documentation and the IONOS Cloud DNS API.
