# install and configure acme.sh

## install

install `socat`:

```
apt install socat
```

clone the git repository:

```
git clone https://github.com/acmesh-official/acme.sh.git
```

install `acme.sh`:

```
cd acme.sh
./acme.sh --install --home /usr/local/lib/acme-sh --config-home /etc/acme-sh --accountemail "my@example.com"
```

log out and log back in so the shell aliases take effect:

```
exit
sudo -i
```

## issue

if you haven't configured haproxy for issuing certs with no downtime (see the last section), the pre/post hooks below stop and start haproxy around the challenge, so expect a short outage. To issue a certificate, run:

```
acme.sh --issue ${protocol:?} --pre-hook "systemctl stop haproxy" --post-hook "systemctl start haproxy" -d ${domain:?}
```

where `protocol` is `--standalone` if you want to use port 80 (HTTP-01), or `--alpn` if you want to use port 443 (TLS-ALPN-01).

## deploy

once the certificate has been successfully issued, we still have to deploy it to our server. First, make sure the certs path exists, then set the variables that tell `acme.sh` where to write the PEM and how to reload haproxy, and run the deploy:

```
mkdir -p /etc/haproxy/certs
DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs DEPLOY_HAPROXY_RELOAD="/usr/sbin/service haproxy reload" \
acme.sh --deploy --deploy-hook haproxy -d ${domain:?}
```

acme.sh should automatically configure renewal of certificates and deployment of renewed certificates (the deploy variables are remembered in its config home).

## no downtime config

see https://github.com/acmesh-official/acme.sh/wiki/TLS-ALPN-without-downtime
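the issue and deploy steps above, wrapped in one script as an added example (not part of acme.sh or this page's original commands). The function names `challenge_flag`, `valid_domain` and `issue_and_deploy` and the variables `ACME_BIN`, `CERT_DIR` and `HAPROXY_RELOAD` are my own; it assumes `acme.sh` is reachable by that name (the alias from `--install`) and that it runs as root, since it stops haproxy and writes under `/etc/haproxy/certs`. It refuses unknown challenge names and anything that is not a plain hostname before either reaches acme.sh or the hooks.

```shell
#!/bin/sh
# Added wrapper around the issue and deploy steps (example code, not part of acme.sh).
# Assumes "acme.sh" is on PATH (alias from --install) and that we run as root.
set -eu

ACME_BIN="${ACME_BIN:-acme.sh}"
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"
HAPROXY_RELOAD="${HAPROXY_RELOAD:-/usr/sbin/service haproxy reload}"

# Map a challenge name to the acme.sh flag used in the issue section. Anything else
# is an error rather than a silent default, so a typo cannot pick the wrong challenge.
challenge_flag() {
  case "$1" in
    standalone) printf '%s\n' "--standalone" ;;  # HTTP-01, needs port 80 free
    alpn)       printf '%s\n' "--alpn" ;;        # TLS-ALPN-01, needs port 443 free
    *) echo "unknown challenge '$1' (use standalone or alpn)" >&2; return 1 ;;
  esac
}

# Accept only plain hostnames: the value is handed to acme.sh and its hooks, so an
# empty string or shell metacharacters must be rejected before they get there.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Issue with the stop/start hooks from the issue section, then deploy to haproxy
# with the same variables as the deploy section and reload it.
issue_and_deploy() {
  challenge="$1"; domain="$2"
  valid_domain "$domain" || { echo "invalid domain '$domain'" >&2; return 2; }
  flag=$(challenge_flag "$challenge") || return 2
  "$ACME_BIN" --issue "$flag" \
    --pre-hook "systemctl stop haproxy" \
    --post-hook "systemctl start haproxy" \
    -d "$domain"
  mkdir -p "$CERT_DIR"
  DEPLOY_HAPROXY_PEM_PATH="$CERT_DIR" DEPLOY_HAPROXY_RELOAD="$HAPROXY_RELOAD" \
    "$ACME_BIN" --deploy --deploy-hook haproxy -d "$domain"
}

# usage: ./issue-and-deploy.sh alpn www.example.com  (does nothing when sourced without args)
if [ $# -ge 2 ]; then
  issue_and_deploy "$1" "$2"
fi
```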