Acme.sh

Nginx

Install acme.sh

curl  https://get.acme.sh | sh -s email=<your@email.com>

Restart terminal, then set env for acme.sh

# Use global key
export CF_Key="<you-cf-global-key>"
export CF_Email="<your@email.com>"
 
# Use dns key
## Single domain zone
### You can find it at domain zone overview page
export CF_Zone_ID="<you-cf-domain-zone-id>"
## All domain zone
### You can find it at any zone overview page
export CF_Account_ID="<you-cf-domain-zone-id>"
## DNS token
export CF_Token="<you-cf-dns-token>"
 
# Register account
acme.sh --register-account -m <your@email.com>

Get ssl cert

mkdir -p /etc/nginx/ssl
 
acme.sh --set-default-ca --server zerossl
 
acme.sh --issue -d "your-domain.com" --dns dns_cf \
    --key-file       /etc/nginx/ssl/your-domain.com.key  \
    --fullchain-file /etc/nginx/ssl/your-domain.com.pem \
    --reloadcmd "systemctl reload nginx"
 
acme.sh --upgrade --auto-upgrade

Nginx config

server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             your-domain.com;
    root                    /data/www;
 
    ssl_certificate         /etc/nginx/ssl/your-domain.com.pem;
    ssl_certificate_key     /etc/nginx/ssl/your-domain.com.key;
 
    charset utf-8,gbk;
    index index.html index.htm;
}
 
server {
    listen      80;
    listen      [::]:80;
    server_name your-domain.com;
 
    location / {
        return 301 https://your-domain.com$request_uri;
    }
}

Acme.sh for PVE

acme.sh --issue -d "your-domain.com" --dns dns_cf \
    --key-file       /etc/pve/local/pveproxy-ssl.key  \
    --fullchain-file /etc/pve/local/pveproxy-ssl.pem \
    --reloadcmd "systemctl reload pveproxy"
 
acme.sh --upgrade --auto-upgrade