From ArchWiki is an ACME client written purely in shell script. It implements the full ACME protocol and supports, for example, IPv6 and wildcard certificates.


Install the package, and socat if you want to use the standalone mode.


The package does not provide man pages, but a wiki for usage. Executing --help outputs a long list of commands and parameters.

There are three basic steps involved:

  1. Requesting a certificate to be issued.
  2. Installing the issued certificate, to make it useful.
  3. Maintaining the certificate over time.

as covered with below examples.

Issuing a new cert

You can specify any domain with the -d option.

Tip: You might want to specify LetsEncrypt as your default CA, as uses ZeroSSL as its default CA effective from August 1st, 2021.

The script support different modes. Examples for modes and options to be specified are:

  • Webroot mode:
$ --issue -d -d -d -d '*' -w /home/wwwroot/
  • Standalone mode, by adding --standalone if no web server is running (requires socat installed):
$ --issue --standalone -d -d -d
  • Nginx mode:
$ --issue --nginx -d -d -d
$ --issue -d -d '*' --dns dns_he

The project's wiki lists more examples.

Install the cert to Apache/Nginx etc


$ --install-cert -d --key-file '/path/to/keyfile/in/nginx/example.key' --fullchain-file '/path/to/fullchain/nginx/example.cer' --reloadcmd "systemctl force-reload nginx"


$ --install-cert -d --cert-file '/path/to/certfile/in/apache/example.cer' --key-file '/path/to/keyfile/in/apache/example.key' --fullchain-file '/path/to/fullchain/certfile/apache/example.fullchain.cer' --reloadcmd "systemctl force-reload nginx apache2"

Maintaining a cert

The certs will be renewed every 60 days. To run regularly, a systemd timer may be set up.

See also

  • Project homepage and wiki for its documentation.
  • acme-tiny offers several related utilities, as well as additional general ACME documentation.
  • lacme is a small ACME client written with process isolation and minimal privileges in mind.