# install and configure acme.sh

## install

Install `socat`:

```
apt install socat
```

Clone the repository:

```
git clone https://github.com/acmesh-official/acme.sh.git
```

Install `acme.sh`:

```
cd acme.sh
./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com"
```

Log out and log back in to make the aliases take effect:

```
exit
sudo -i
```

## issue

If you haven't configured haproxy to issue certs with no downtime, you will have to stop and start it. To issue a certificate, run:

```
acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d "${domain:?}"
```

where `protocol` is `--standalone` if you want to use port 80, or `--alpn` if you want to use port 443.

## deploy

Once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, and set the appropriate variables to tell `acme.sh` where to deploy certificates:

```
mkdir -p /etc/haproxy/certs
export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs
export DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload"
```

Finally, deploy the certificate with:

```
acme.sh --deploy --deploy-hook haproxy -d "${domain:?}"
```

`acme.sh` should automatically configure renewal of certificates and deployment of renewed certificates.

## no downtime config

See https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime
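
A post-deploy check for the files written under `/etc/haproxy/certs` in the deploy step, added here as an example (it is not part of acme.sh or of the original notes). It assumes each deployed file is one PEM bundle holding both the certificate and its private key, and that GNU `stat` is available; `check_haproxy_pem` and `make_sample_pem` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: sanity-check a HAProxy PEM bundle after deployment.
# Return codes of check_haproxy_pem:
#   0 ok, 1 missing/unreadable, 2 no certificate block,
#   3 no private key block, 4 accessible to group or others
check_haproxy_pem() {
    pem=$1
    if [ ! -f "$pem" ] || [ ! -r "$pem" ]; then
        echo "FAIL $pem: missing or unreadable" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "FAIL $pem: no certificate block" >&2; return 2
    fi
    # Accepts PKCS#8 ("PRIVATE KEY") and legacy "RSA"/"EC PRIVATE KEY" headers.
    if ! grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem"; then
        echo "FAIL $pem: no private key block" >&2; return 3
    fi
    mode=$(stat -c '%a' "$pem") || return 1   # GNU stat (assumed, Debian/Ubuntu)
    case $mode in
        0|*00) ;;   # group and other permission bits are all clear
        *) echo "FAIL $pem: mode $mode exposes the private key" >&2; return 4 ;;
    esac
    echo "OK   $pem (mode $mode)"
}

# Constructed sample input: PEM markers only, no real key material.
make_sample_pem() {   # usage: make_sample_pem FILE MODE [nokey]
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
            '-----END CERTIFICATE-----'
        [ "${3:-}" = nokey ] || printf '%s\n' \
            '-----BEGIN EC PRIVATE KEY-----' 'CONSTRUCTED' \
            '-----END EC PRIVATE KEY-----'
    } > "$1"
    chmod "$2" "$1"
}

# Check every bundle named on the command line,
# e.g.: sh check.sh /etc/haproxy/certs/*.pem
status=0
for f in "$@"; do
    check_haproxy_pem "$f" || status=1
done
[ "$#" -eq 0 ] || exit "$status"
```

Because the bundle contains the private key, a result of 4 means the file should be restricted to its owner before haproxy is reloaded.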