Set Up a TLS Certificate using acme.sh and IONOS Cloud DNS
This tutorial will guide you through the process of setting up a TLS certificate using acme.sh and DNS. By following these steps, you will be able to secure your web server with a valid TLS certificate issued by ZeroSSL.

Target audience

This tutorial is intended to help both developers and technical decision-makers.

What you will learn

You will learn how to use acme.sh with DNS to obtain and install a TLS certificate for your domain. The tutorial covers configuring DNS API credentials, issuing the certificate, and setting up automatic renewal for ongoing security.

Before you begin

You must have the following:

- A domain name registered and managed by DNS.
- A primary zone with a Start of Authority (SOA) record. The SOA record is essential as it indicates the domain's primary DNS server, the domain administrator's email, the domain serial number, and several timers relating to refreshing the primary zone.
- acme.sh installed on your system. If not, you can install it by following the instructions on the acme.sh GitHub page: https://github.com/acmesh-official/acme.sh

Procedure

Install acme.sh

If you have not installed acme.sh, you can do so using the following command:

```bash
curl https://get.acme.sh | sh
```

Add acme.sh to your PATH

If acme.sh is not found, add it to your PATH. Add the following line to your shell configuration file (for example, `.zshrc` for zsh or `.bashrc` for bash):

```bash
export PATH="$HOME/.acme.sh:$PATH"
```

After adding this line, reload your shell configuration.

For `bash`:

```bash
source ~/.bashrc
```

For `zsh`:

```bash
source ~/.zshrc
```

Set up DNS API credentials

You need to set up your DNS API credentials. Export the IONOS token as an environment variable.

Note: Replace the token placeholder with your actual token. For more information on managing authentication tokens, see Token Manager: https://docs.ionos.com/cloud/set-up-ionos-cloud/management/identity-access-management/token-manager

```bash
export IONOS_TOKEN="<ionos-cloud-token>"
```

Configure the DNS API in acme.sh

Configure acme.sh to use the DNS API:

```bash
acme.sh --set-default-ca --server zerossl
acme.sh --register-account --accountemail "your-email@example.com"
```

Replace `your-email@example.com` with your registered email address.

While this tutorial uses ZeroSSL as the default CA, acme.sh supports other CAs, such as Let's Encrypt. You can change the CA by using the `--server` option with the appropriate CA URL. For example, to use Let's Encrypt, you can set the `--server` option as follows:

```bash
acme.sh --set-default-ca --server letsencrypt
```

Issue a certificate using acme.sh

Use acme.sh to issue a certificate for your domain.

Note: Replace `yourdomain.com` with your actual domain name.

```bash
acme.sh --issue --dns dns_ionos_cloud -d yourdomain.com
```

Install the certificate

Once the certificate is issued, you can install it using the following command.

Note: Replace `/path/to/your/private.key` and `/path/to/your/fullchain.pem` with the actual paths where you want to store the certificate and key files.

```bash
acme.sh --install-cert -d yourdomain.com \
  --key-file /path/to/your/private.key \
  --fullchain-file /path/to/your/fullchain.pem
```

Configure your web server

Update your web server configuration to use the new certificate. For example, if you are using Nginx, update your configuration file as follows.

Note: Replace `/path/to/your/private.key` and `/path/to/your/fullchain.pem` with the actual paths where you want to store the certificate and key files.

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /path/to/your/fullchain.pem;
    ssl_certificate_key /path/to/your/private.key;
}
```

Restart your web server

Restart your web server to apply the changes. For Nginx, use:

```bash
sudo systemctl restart nginx
```

Verify the certificate

Open a web browser and navigate to https://yourdomain.com to verify that the certificate is correctly installed and the connection is secure.

Automatic renewal

The certificate will be automatically renewed by acme.sh every 60 days. However, you can also force the renewal of a certificate:

```bash
acme.sh --renew -d yourdomain.com --force
```

Or, for an ECC certificate:

```bash
acme.sh --renew -d yourdomain.com --force --ecc
```

Final result

Your web server will be secured with a valid TLS certificate issued by ZeroSSL and managed via DNS. You can confirm the certificate is active by visiting your domain in a browser and checking for a secure HTTPS connection. Your certificate will renew automatically, ensuring ongoing security with minimal maintenance.

Conclusion

You have successfully set up a TLS certificate using acme.sh and DNS. This ensures that your web server is secure and your data is protected. For more information, refer to the acme.sh documentation (https://github.com/acmesh-official/acme.sh) and the DNS API (https://api.ionos.com/docs/dns/v1/).
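
A scripted complement to the install, verify, and automatic renewal steps above, as an added example that is not part of the original tutorial or of acme.sh: it checks that the installed private key is not readable by other users, that it matches the leaf certificate in the fullchain file, and that the certificate is not close to expiry. The function names, the exit codes, and the 20-day default threshold are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the files written by `acme.sh --install-cert`.
# Usage: check_installed_cert KEY_FILE FULLCHAIN_FILE [MIN_DAYS]
# MIN_DAYS (default 20) is an assumed alerting threshold, not an acme.sh value.
check_installed_cert() {
  local key="$1" chain="$2" min_days="${3:-20}" mode cert_pub key_pub
  if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
    echo "FAIL: cannot read key or fullchain file" >&2; return 2
  fi
  # 1. The private key must not be accessible to group or others.
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    *00) ;;
    *) echo "FAIL: $key has mode $mode, expected 600 or stricter" >&2; return 3 ;;
  esac
  # 2. The leaf certificate (first PEM block in the fullchain) must carry
  #    the public key that belongs to the installed private key.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: certificate and private key do not match" >&2; return 4
  fi
  # 3. The certificate must stay valid for at least MIN_DAYS more days;
  #    if it does not, the automatic renewal is probably not running.
  if ! openssl x509 -in "$chain" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $min_days days" >&2; return 5
  fi
  echo "OK: key is private, matches the certificate, valid for > $min_days days"
}

# Constructed sample input: a throwaway self-signed pair valid for 90 days.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=yourdomain.com" \
    -keyout "$1/private.key" -out "$1/fullchain.pem" >/dev/null 2>&1
  chmod 600 "$1/private.key"
}

if [ "$#" -ge 2 ]; then
  check_installed_cert "$@"      # check real files given on the command line
else
  demo_dir=$(mktemp -d)          # no arguments: run against the sample pair
  make_sample_pair "$demo_dir" &&
    check_installed_cert "$demo_dir/private.key" "$demo_dir/fullchain.pem"
  rm -rf "$demo_dir"
fi
```

The function can also be called from the command given to acme.sh's `--reloadcmd` option on `--install-cert`, so that each renewal is checked before the web server is reloaded.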
