ACME v2, wildcard certificates, and Cloudflare DNS

Now that ACME v2 is released and supports wildcard certificates, I just had to update my configuration and thought I would share it here.

I also took the opportunity to switch to dns-01 based validation, since it's easier to maintain and there is no need to expose a webserver/www-root to the internet. I currently host my domain with Cloudflare, and since acme.sh has built-in support for the Cloudflare API it was an easy choice.

This makes it very easy to automate, and since it's DNS based it can run anywhere, even on a Raspberry Pi running in a closet at home if you want (though not recommended for obvious reasons).

Thought I would share my final solution, running acme.sh, nginx and systemd:

/etc/systemd/system/acme_letsencrypt.service:

[Unit]
Description=Renew Let's Encrypt certificates using acme.sh
After=network-online.target

[Service]
Type=oneshot
# Directory where the acme.sh script resides.
Environment="HOME=/root/.acme.sh"
# Cloudflare credentials used by the dns_cf hook. Anything set with Environment=
# is readable by any local user (the unit file is world-readable by default and
# "systemctl show" prints it), so an EnvironmentFile= with mode 0600 is the
# safer place for the API key.
Environment="CF_Email=EMAIL"
Environment="CF_Key=APIKEY"
# systemd does not pass ExecStart through a shell, so *.example.com reaches
# acme.sh literally and is not glob-expanded.
ExecStart=/root/.acme.sh/acme.sh --issue --dns dns_cf -d example.com -d *.example.com --keylength ec-256 --key-file /etc/nginx/ssl/example.com-key.pem --fullchain-file /etc/nginx/ssl/example.com-cert.pem --reloadcmd "systemctl force-reload nginx"
# acme.sh returns 2 when renewal is skipped (i.e. certs up to date)
SuccessExitStatus=0 2
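Once the service has run, it is worth checking what it actually wrote before relying on the timer. The script below is an added example (not part of the original post and not acme.sh's own code): it confirms that the key and certificate at the --key-file/--fullchain-file paths belong together, that both the apex and the wildcard name are present as subjectAltNames, and that the certificate is not about to expire. It assumes OpenSSL 1.1.1 or newer on PATH; make_test_pair builds a constructed self-signed pair so the script runs stand-alone, and the file paths and the check-cert.sh name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from acme.sh: sanity checks on
# the files the ExecStart above writes (--key-file / --fullchain-file).
# Assumes OpenSSL 1.1.1+. make_test_pair produces constructed test data only.
set -eu

# cert_matches_key CERT KEY: succeed if the public key inside CERT equals the
# public key derived from KEY (catches a cert deployed next to the wrong key).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT NAME: succeed if NAME appears as a DNS subjectAltName.
# grep -F is used so the '*' of a wildcard name is matched literally.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' \
        | grep -Fqx "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_cert CERT KEY WILDCARD: run every check, report each failure,
# return 1 if any failed. The apex name is derived by stripping the "*.".
check_cert() {
    cert=$1; key=$2; wildcard=$3; apex=${wildcard#\*.}; ok=0
    cert_matches_key "$cert" "$key" || { echo "FAIL: $key does not match $cert"; ok=1; }
    cert_has_san "$cert" "$wildcard" || { echo "FAIL: no SAN for $wildcard"; ok=1; }
    cert_has_san "$cert" "$apex" || { echo "FAIL: no SAN for apex $apex"; ok=1; }
    cert_valid_for_days "$cert" 7 || { echo "FAIL: $cert expires within 7 days"; ok=1; }
    if [ "$ok" -eq 0 ]; then echo "OK: $cert covers $apex and $wildcard"; fi
    return "$ok"
}

# make_test_pair DIR: constructed self-signed EC P-256 cert (30 days, SANs
# example.com and *.example.com) plus its key, written into DIR. Test data only.
make_test_pair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl req -x509 -new -key "$1/key.pem" -out "$1/cert.pem" -days 30 \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:*.example.com" 2>/dev/null
}

# Usage: ./check-cert.sh CERT KEY [WILDCARD]. With no arguments a throwaway
# pair is generated and checked so the script is demonstrable anywhere.
if [ "$#" -ge 2 ]; then
    check_cert "$1" "$2" "${3:-*.example.com}"
else
    tmp=$(mktemp -d)
    make_test_pair "$tmp"
    check_cert "$tmp/cert.pem" "$tmp/key.pem" '*.example.com'
    rm -rf "$tmp"
fi
```

Against the real deployment the call is `./check-cert.sh /etc/nginx/ssl/example.com-cert.pem /etc/nginx/ssl/example.com-key.pem`; a non-zero exit from it is a reasonable thing to alert on from the same timer host, since a renewal that "succeeded" with exit status 2 may simply have been skipped.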

/etc/systemd/system/acme_letsencrypt.timer:

[Unit]
Description=Daily renewal of Let's Encrypt's certificates

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

Test that the service works and enable the timer (note that --now belongs to enable, not start):

systemctl daemon-reload
systemctl start acme_letsencrypt.service
systemctl enable --now acme_letsencrypt.timer

and that's it; I can now leave it alone and add all the subdomains I want in nginx without ever needing to reconfigure anything again.
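For completeness, here is how nginx consumes the two files the service writes, as an added example that is not part of the original post: one server block covers the apex and every subdomain from the single wildcard certificate, so a new subdomain only ever needs its own server block or location. The listen and ssl_* directives are standard nginx ones and the certificate paths are the post's; the document root is an assumption.

```nginx
# Added example: the wildcard certificate issued by the systemd unit above,
# wired into nginx. Paths match the --key-file / --fullchain-file arguments.
server {
    listen 443 ssl;
    server_name example.com *.example.com;

    # Written by acme.sh; the --reloadcmd in the unit reloads nginx after renewal
    ssl_certificate     /etc/nginx/ssl/example.com-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com-key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;   # assumed document root
}
```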