How do I use EuropeanSSL with acme.sh?

If not already done, install acme.sh on your Linux server using the following command.

curl https://get.acme.sh | sh

or, if curl is not available

wget -O -  https://get.acme.sh | sh

Use the following command to set EuropeanSSL as the default CA for all certificates retrieved via acme.sh:

acme.sh --set-default-ca --server https://acme.eunetic.net/dv

For certificates with company verification (OV), replace /dv with /ov.

Alternatively, if you also use other CAs, specify the --server parameter for each individual call. Please note that all further steps in these instructions assume that you have set EuropeanSSL as the default. If not, then append --server https://acme.eunetic.net/dv to every command documented from here on.

To use EuropeanSSL with the ACME protocol, you must first create an ACME account in the Eunetic customer interface. This will provide you with credentials for the so-called "External Account Binding" (EAB), consisting of a key (HMAC Key) and an associated user identification (Key ID). More details about EuropeanSSL ACME accounts can be found in the FAQ entry:

 What is a EuropeanSSL ACME account and how are SSL certificates billed?

Execute the following command to register your EuropeanSSL ACME account with the acme.sh client:

acme.sh --register-account 
  --eab-kid <EAB KEY ID> 
  --eab-hmac-key <EAB HMAC KEY> 
  -m ihre@email.de

Replace the <> placeholders with the values that are displayed via our customer interface with the “EAB access data” button. The specification of an email address via the -m parameter is optional; if desired, you will receive notifications about upcoming renewals or error messages.

In case you skipped the optional step 2, do not forget to append --server https://acme.eunetic.net/dv (or /ov) to the command above.

From now on, you can retrieve and install certificates for all domains configured in the ACME account. For example, the following command retrieves a simple single certificate for the domain "ihredomain.de":

acme.sh --issue -d example.com -w /usr/home/ihruser/public_html

The -w parameter specifies the web root directory linked to the domain. To issue the certificate, acme.sh must be able to create a validation file in this directory, which can be accessed through the domain. Therefore, make sure that your web server is configured accordingly and that the system user acme.sh is called with has write permissions in the specified directory.

In case you skipped the optional step 2, do not forget to append --server https://acme.eunetic.net/dv (or /ov) to the command above.

The certificates are valid for a maximum of 90 days and are automatically renewed every 60 days by acme.sh, until you remove the task with acme.sh --remove -d example.com or your ACME account expires.

Multiple domains can be combined into a single certificate by appending -d anotherexample.com to the command. Wildcard domains can also be captured with -d '*.example.com'. However, make sure that you have ordered all listed domains in the EuropeanSSL ACME account and enabled them for certificate requests.

If the certificates are to be automatically set up in Apache or NGINX, refer to the official documentation for all options and additional parameters.