1 of 1

Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS

This tutorial will guide you through the process of setting up a TLS certificate using acme.sh and IONOS Cloud DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.

Prerequisites

You must have an IONOS account.
You must have a domain name registered and managed by IONOS Cloud DNS.
Your DNS zone has an Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the zone.
You have acme.sh installed on your system. If not, you can install it by following the instructions on the acme.sh GitHub page.

Steps

Install acme.sh
If you have not installed acme.sh, you can do so using the following command:
```
curl https://get.acme.sh | sh
```
Add acme.sh to your PATH
If acme.sh is not found, add it to your PATH. Add the following line to your shell configuration file. Example: .zshrc for Zsh or .bashrc for Bash.
```
export PATH="$HOME/.acme.sh:$PATH"
```
After executing this command, reload your shell configuration.
For Bash:
```
source ~/.bashrc
```
For Zsh:
```
source ~/.zshrc
```
Set Up IONOS Cloud DNS API Credentials
You need to set up your IONOS Cloud DNS API credentials. Export the IONOS_TOKEN as an enviornment variable:
```
export IONOS_TOKEN="<IONOS Cloud Token>"
```
Replace IONOS Cloud Token with your actual IONOS Cloud token. For more information on managing authentication tokens, see Token Management Guide.
Configure the DNS API in acme.sh
Configure acme.sh to use the IONOS Cloud DNS API:
```
acme.sh --set-default-ca --server zerossl
acme.sh --register-account --accountemail "your_email@example.com"
```
Replace your_email@example.com with your IONOS Cloud registered email address.
While this tutorial uses ZeroSSL as the default CA, acme.sh supports other CAs, such as Let's Encrypt. You can change the CA by using the --server option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the server option as follows:
```
acme.sh --set-default-ca --server letsencrypt
```
Issue a Certificate Using acme.sh
Use acme.sh to issue a certificate for your domain:
```
acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
```
Replace yourdomain.com with your actual domain name.
Install the Certificate
Once the certificate is issued, you can install it using the following command:
```
acme.sh --install-cert -d yourdomain.com \
--key-file /path/to/your/private.key \
--fullchain-file /path/to/your/fullchain.pem
```
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Configure Your Web Server
Update your web server configuration to use the new certificate. For example, if you are using Nginx, update your configuration file as follows:
```
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/fullchain.pem;
    ssl_certificate_key /path/to/your/private.key;

...

}
```
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Restart Your Web Server
Restart your web server to apply the changes. For Nginx, use:
```
sudo systemctl restart nginx
```
Verify the Certificate
Open a web browser and navigate to https://yourdomain.com to verify that the certificate is correctly installed and the connection is secure.
Automatic Renewal
The certificate will be automatically renewed by acme.sh every 60 days. However, you can also force to renew a cert:
```
acme.sh --renew -d yourdomain.com --force
```
or, for ECC cert:
```
acme.sh --renew -d yourdomain.com --force --ecc
```

Conclusion

You have successfully set up a TLS certificate using acme.sh and IONOS Cloud DNS. This ensures that your web server is secure and your data is protected.

For more information, refer to the acme.sh documentation and the IONOS Cloud DNS API.

Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS

Prerequisites

You must have an IONOS account.
You must have a domain name registered and managed by IONOS Cloud DNS.
Your DNS zone has an Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the zone.
You have acme.sh installed on your system. If not, you can install it by following the instructions on the acme.sh GitHub page.

Steps

Install acme.sh
If you have not installed acme.sh, you can do so using the following command:
```
curl https://get.acme.sh | sh
```
Add acme.sh to your PATH
If acme.sh is not found, add it to your PATH. Add the following line to your shell configuration file. Example: .zshrc for Zsh or .bashrc for Bash.
```
export PATH="$HOME/.acme.sh:$PATH"
```
After executing this command, reload your shell configuration.
For Bash:
```
source ~/.bashrc
```
For Zsh:
```
source ~/.zshrc
```
Set Up IONOS Cloud DNS API Credentials
You need to set up your IONOS Cloud DNS API credentials. Export the IONOS_TOKEN as an enviornment variable:
```
export IONOS_TOKEN="<IONOS Cloud Token>"
```
Replace IONOS Cloud Token with your actual IONOS Cloud token. For more information on managing authentication tokens, see Token Management Guide.
Configure the DNS API in acme.sh
Configure acme.sh to use the IONOS Cloud DNS API:
```
acme.sh --set-default-ca --server zerossl
acme.sh --register-account --accountemail "your_email@example.com"
```
Replace your_email@example.com with your IONOS Cloud registered email address.
While this tutorial uses ZeroSSL as the default CA, acme.sh supports other CAs, such as Let's Encrypt. You can change the CA by using the --server option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the server option as follows:
```
acme.sh --set-default-ca --server letsencrypt
```
Issue a Certificate Using acme.sh
Use acme.sh to issue a certificate for your domain:
```
acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
```
Replace yourdomain.com with your actual domain name.
Install the Certificate
Once the certificate is issued, you can install it using the following command:
```
acme.sh --install-cert -d yourdomain.com \
--key-file /path/to/your/private.key \
--fullchain-file /path/to/your/fullchain.pem
```
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Configure Your Web Server
Update your web server configuration to use the new certificate. For example, if you are using Nginx, update your configuration file as follows:
```
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/fullchain.pem;
    ssl_certificate_key /path/to/your/private.key;

...

}
```
Replace /path/to/your/private.key and /path/to/your/fullchain.pem with the actual paths where you want to store the certificate and key files.
Restart Your Web Server
Restart your web server to apply the changes. For Nginx, use:
```
sudo systemctl restart nginx
```
Verify the Certificate
Open a web browser and navigate to https://yourdomain.com to verify that the certificate is correctly installed and the connection is secure.
Automatic Renewal
The certificate will be automatically renewed by acme.sh every 60 days. However, you can also force to renew a cert:
```
acme.sh --renew -d yourdomain.com --force
```
or, for ECC cert:
```
acme.sh --renew -d yourdomain.com --force --ecc
```

Conclusion

You have successfully set up a TLS certificate using acme.sh and IONOS Cloud DNS. This ensures that your web server is secure and your data is protected.

For more information, refer to the acme.sh documentation and the IONOS Cloud DNS API.