LetsEncrypt with ACME on OpenWRT

The OpenWRT ''acme'' package wraps [https://github.com/acmesh-official/acme.sh acme.sh], a client for the ACME protocol used by [[wikipedia:Let's_Encrypt|Let's Encrypt]] (and other CAs).  It requests, stores and renews TLS (HTTPS) certificates for various purposes.  The certificates can then be served by Apache, NGinx, uhttpd, etc. on OpenWRT.


===Choices===
As with everything in the world, there are choices.  This article describes two different ways to install the acme.sh script: one, the "Easy Way"; two, the longer OpenWRT way.
 
===Quick S===
 
*UPGRADE the acme scripts: As of 2022 the OpenWRT ''acme'' package ships an old acme.sh (2.8.5), so upgrade to 3.x or later (and be sure to set permissions: chmod 755 acme.sh)
*Show installed certificates: /usr/lib/acme/acme.sh --list
*Cron command for certificate renewal (this is the entry acme.sh --install puts in root's crontab; check it with crontab -l): "/usr/lib/acme"/acme.sh --cron --home "/usr/lib/acme" --config-home "/etc/acme/config" > /dev/null
*Issuing a certificate (acme.sh --issue plus the other switches, see below) stores the certificate, its private key and the per-domain configuration used for renewal under /etc/acme/certs
*DNS method (dns_nsupdate): needs nsupdate access to the zone's primary server with a TSIG key; in practice it only works well if the master zone is on the same server the acme.sh script is running on, otherwise use the web (HTTP-01) method
 
===The Easy Way of Installing ''acme.sh''===
 
*To stay within the world of OpenWRT, go ahead and install acme.sh the usual way first: opkg update; opkg install acme acme-dnsapi luci-app-acme (2.8.5 is the latest OpenWRT version)
*Download the latest version of the script from https://github.com/acmesh-official/acme.sh (3.0.1 as of the writing of this article)
*Rename the /usr/lib/acme directory to /usr/lib/acme.ORIGINAL (or whatever name)
*Extract the contents of the download to /usr/lib/acme.install (version 3.0.1 or a more recent one)
*Create these directories (if they don't exist): /etc/acme/certs and /etc/acme/config (they can be anywhere, but following the OpenWRT paradigm this is where they naturally go; keep them on persistent flash, not under /tmp, because the account key and the domain private keys end up here)
*Run the following command from within the /usr/lib/acme.install directory (but first make sure the permissions on the acme.sh file are 755: chmod 755 acme.sh);
<syntaxhighlight lang="text">
./acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log
</syntaxhighlight>
...something similar to the below should be the result;
<syntaxhighlight lang="text">
Installing to /usr/lib/acme
Installed to /usr/lib/acme/acme.sh
No profile is found, you will need to go into /usr/lib/acme to use acme.sh
Installing cron job
Good, bash is found, so change the shebang to use bash as preferred.
OK
</syntaxhighlight>
The above command does the following;
 
*Creates the /usr/lib/acme directory
*Copies all the script files to that directory
*Creates an "environment file" (acme.sh.env) that contains the following lines;
**export LE_WORKING_DIR="/usr/lib/acme"
**export LE_CONFIG_HOME="/etc/acme/config"
**alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'"
*Installs the renewal cron job (the "Installing cron job" line); check it with crontab -l.  Cron does not read any login profile, which is why that entry carries --home and --config-home explicitly
*The "No profile is found..." message means the environment file was not sourced from a login profile, so acme.sh must be called by its full path (/usr/lib/acme/acme.sh) with --config-home, unless the lines are added to a profile (see below)
*Add the following to the /etc/profile file if desired (it makes the 'command' acme.sh available from anywhere, instead of typing the entire path /usr/lib/acme/acme.sh);
<syntaxhighlight lang="text">
export LE_WORKING_DIR="/usr/lib/acme"
export LE_CONFIG_HOME="/etc/acme/config"
alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'"
</syntaxhighlight>
 
 
...all done.  Using the ''acme.sh'' 'command' (actually a script) will now work like any other command within OpenWRT.
 
===Installation (of basic files) the OpenWRT way (Don't do it this way, do it the above 'easy way')===
...this is kept here as detailed notes on where the OpenWRT package puts all the ACME files.
 
opkg update


Notes: The LuCI GUI is next to useless.  It is an incomplete effort that isn't helpful.  But thanks for trying.  The ''run-acme'' script file included in the above installed packages appears to be used by the LuCI GUI as a 'wrapper' to make specific calls to the Acme.sh script.  As of the writing of this, there appears to be no useful function of the ''acme service'' for OpenWRT.


=== Quick Word on LE_CONFIG_HOME and LE_WORKING_DIR ===
If LE_CONFIG_HOME is not explicitly set as a shell variable (or passed as --config-home), acme.sh falls back to LE_WORKING_DIR, and when that is unset too, to $HOME/.acme.sh (Example: /root/.acme.sh) AND NOTICE the period in front of .acme.sh and that it is a directory.  This matters for cron: a renewal job without --config-home looks in the wrong place, finds no account.conf and therefore no certificates to renew.

Temporary (current shell only): export LE_CONFIG_HOME="/WhatEverOtherDirectory/WhatEverSubDirectory/Etc"

Permanent: add the same export lines to /etc/profile (or to the root user's own profile), as described below.
 
===Configuration (and more "installation") the OpenWRT way===
Yes, the files have been installed, but according to the [https://github.com/acmesh-official/acme.sh/wiki/How-to-install Acme.sh Documentation], one still needs to install it.  The first part of the instructions on their site are completed by the OpenWRT OPKG utility.  From there, only the ./acme.sh --install needs to be run (see below).


*cp /usr/lib/acme.OPKG/run-acme /usr/lib/acme/ - Copy the OpenWRT-specific run-acme wrapper back to its original directory and path so the LuCI GUI can find it.


Keep in mind that when updating the acme package(s) via opkg, the acme.sh, run-acme and dnsapi directory will be overwritten.  But that's fine as the acme.sh.env file should be left in place.  Run the command below from within the moved / renamed directory above (/usr/lib/acme.OPKG);


<syntaxhighlight lang="text">
./acme.sh --install --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config --accountemail YourEmail@YourProvider.com --accountkey /etc/acme/account --useragent "" --log /var/log/acme.log
</syntaxhighlight>
In the above command, the switches / settings / parameters are defined as follows;


*--cert-home: The default directory where the original copy of the certificate, key file, chain information, etc. will be stored.  As with the certificate request configuration, this can be set per certificate to a different directory.  The LuCI GUI calls this setting State directory.
*--accountemail: An email address that Let's Encrypt uses for notifications about expiring certificates, etc., and that is attached to the ACME account.  Yup, acme.sh, Certbot, etc. all register accounts.  Let's Encrypt information about accounts: https://letsencrypt.org/docs/account-id/ The LuCI GUI calls this setting Account email.
*--accountkey: Path to store the account private key.  This defaults to a location under --config-home.  The key is what identifies this ACME account to the CA, so keep it readable by root only (chmod 600) and back it up together with the rest of /etc/acme.
*--useragent: acme.sh gives a circular definition for this parameter.  Certbot's equivalent parameter is --user-agent, defined as follows: Set a custom user agent string for the client. User agent strings allow the CA to collect high level statistics about success rates by OS, plugin and use case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to "". (default: CertbotACMEClient/1.4.0 (certbot; CentOS Linux 7 (Core)) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.5).
*--log: The path to the log file.  Useful in case something goes wrong, and placed in a typical OpenWRT location for log files (remember that /var is a symlink to /tmp, so logs stored there will not persist across reboots of the router; use a path under /etc/acme if the log must survive a reboot).
export LE_CONFIG_HOME="/etc/acme/config"
alias acme.sh="/usr/lib/acme/acme.sh --config-home '/etc/acme/config'"
</syntaxhighlight>
The above lines need to be added as environment variables.  In OpenWRT the file read by every login shell is /etc/profile.  By default there is one administrator user for OpenWRT and that is ''root''; one could also set the variables for just the root user in the root user's profile.  Either way, add the above lines to the chosen file, then log out and log back in.  The acme.sh script should then be available system wide for interactive commands (cron jobs do not read profiles, so the cron entry keeps its explicit --home and --config-home switches).
===Functionality===
Based on the script files, it appears the "ACME Service" can be triggered by CRON or a Start or Restart of the service.
====Examples====


*'''Good example for 'covering all the bases' and explicitly stating which directory is for what''': "/usr/lib/acme"/acme.sh --cron --home "/usr/lib/acme" --accountconf "/etc/acme/config/account.conf" --config-home "/etc/acme/config" --cert-home "/etc/acme/certs" (acme.sh's own help text says --cert-home is only valid for --install, so here it is redundant at best; the value saved in account.conf at install time is what the cron run uses)
*/usr/lib/acme/acme.sh --revoke --domain WhatEverDomainName.xyz
*/usr/lib/acme/acme.sh --info
**If the environment variables are set as noted above (and below), this simply prints the contents of /etc/acme/config/account.conf
***export LE_WORKING_DIR="/usr/lib/acme"
***export LE_CONFIG_HOME="/etc/acme/config"
*/usr/lib/acme/acme.sh --list
*/usr/lib/acme/acme.sh --issue --webroot /usr/share/apache2/htdocs --domain WhatEverDomainName.xyz --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config
*Subject Alternative Names can be used too (i.e. more than one domain name can be associated with a certificate); the two forms below are equivalent, and every listed name must resolve to this router and be reachable on port 80 for the webroot (HTTP-01) challenge:
**/usr/lib/acme/acme.sh --issue --webroot /usr/share/apache2/htdocs --domain WhatEverDomainName.xyz,WhatEverOtherDomainName.xyz,Another.xyz,AndSoOn.xyz --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config
**/usr/lib/acme/acme.sh --issue --webroot /usr/share/apache2/htdocs --domain WhatEverDomainName.xyz --domain WhatEverOtherDomainName.xyz --domain Another.xyz --domain AndSoOn.xyz --home /usr/lib/acme --cert-home /etc/acme/certs --config-home /etc/acme/config
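After an --issue (especially one with several --domain switches) it is worth checking what actually landed under --cert-home rather than trusting the log in /tmp.  The script below is an added example, not code from this article or from acme.sh: POSIX sh plus openssl only, so it runs on OpenWRT's busybox ash as well as on a desktop.  It assumes this article's layout (/etc/acme/certs/<domain>/<domain>.cer and <domain>.key; acme.sh keeps ECC certificates under <domain>_ecc instead) and that CERT_HOME can be overridden from the environment.

```shell
#!/bin/sh
# Added example: post-issue checks on the files acme.sh leaves under --cert-home.
# Not code from the original article or from acme.sh; uses only openssl and
# POSIX sh so it runs on OpenWRT (busybox ash) as well as on a desktop.
# Assumed layout (matches this article): $CERT_HOME/<domain>/<domain>.cer and
# <domain>.key (acme.sh puts ECC certs under <domain>_ecc instead).

CERT_HOME="${CERT_HOME:-/etc/acme/certs}"

# cert_sans FILE: print the DNS names in the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_covers FILE DOMAIN...: succeed only if every DOMAIN is present as a SAN.
# Use it after an --issue with several -d switches to confirm nothing was dropped.
cert_covers() {
  file="$1"; shift
  sans="$(cert_sans "$file")"
  for d in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "$d" || return 1
  done
  return 0
}

# cert_renew_needed FILE DAYS: succeed if the certificate expires within DAYS days
# (or cannot be read). acme.sh renews at 60 days by default, so a 90-day cert
# with less than 30 days left means the --cron job has not been running.
cert_renew_needed() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1 && return 1
  return 0
}

# key_matches_cert KEYFILE CERTFILE: succeed if the private key belongs to the
# cert (compares the public key derived from each). Catches a stale key after a
# --always-force-new-domain-key renewal whose new key was never redeployed.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)" || return 1
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_domain MAINDOMAIN DAYS [EXTRA_SAN...]: report on $CERT_HOME/MAINDOMAIN,
# returning non-zero on any finding so it can drive a cron alert.
check_domain() {
  main="$1"; days="$2"; shift 2
  dir="$CERT_HOME/$main"
  cert="$dir/$main.cer"; key="$dir/$main.key"
  rc=0
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "$main: no cert/key in $dir (was --issue run with --cert-home $CERT_HOME?)"
    return 1
  fi
  if ! key_matches_cert "$key" "$cert"; then
    echo "$main: $key does not match $cert"; rc=1
  fi
  if ! cert_covers "$cert" "$main" "$@"; then
    echo "$main: SANs ($(cert_sans "$cert" | tr '\n' ' ')) do not cover: $main $*"; rc=1
  fi
  if cert_renew_needed "$cert" "$days"; then
    echo "$main: expires within $days days; check crontab -l and the --cron log"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "$main: OK"
  return "$rc"
}

# Usage: sh acme-check.sh WhatEverDomainName.xyz 30 WhatEverOtherDomainName.xyz
if [ $# -ge 2 ]; then
  check_domain "$@"
fi
```

Run it from the same cron that runs acme.sh --cron, a few hours later, and route a non-zero exit to whatever alerting the router already has (logger, e-mail via the --notify-hook, etc.); because it reads the certificate itself rather than the log, it keeps working after the /tmp log is lost on reboot.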


===Certbot Comparisons===
*Get a Certificate
**acme.sh --issue
**Certbot certonly (no double dashes)
*Obtaining a Certificate via DNS
**acme.sh --issue --dns dns_nsupdate --domain WhatEverDomain
**Certbot certonly --dns-rfc2136 --dns-rfc2136-credentials WhatEverCredentialFile -d WhatEverDomain
*Closest equivalent to Certbot's --dry-run switch (issues against the CA's staging / test endpoint, so production rate limits are not consumed; the resulting certificate is not trusted by browsers and is only for checking that the challenge works)
**acme.sh --issue -w /usr/share/apache2/htdocs/WhatEverDirectory/WhatEverSubdirectory/ -d WhatEverHostName.WhatEverDomainName.com --staging


===Using DNS (BIND / Named) to Obtain a Certificate (with a Certbot comparison thrown in)===
All of the below assume you are running your own fully functional BIND / Named server.


====BIND / Named Stuff to do====
First generate a TSIG "user name / password" (AKA ''[https://linux.die.net/man/8/dnssec-keygen nametype]'' and ''[https://linux.die.net/man/8/dnssec-keygen key]'')

*acme.sh and Certbot use the same kind of key: dnssec-keygen -a hmac-sha512 -b 512 -n USER WhatEverFileOrKeyName (Unfortunately OpenWRT's dnssec-keygen cannot create SHA512 keys, so you'll need access to another Linux system like CentOS to generate the key file)
**Example: dnssec-keygen -a hmac-sha512 -b 512 -n USER ACME
**On BIND 9.13 and later dnssec-keygen no longer generates HMAC keys; use tsig-keygen -a hmac-sha512 ACME instead, which prints a ready-made key stanza for named.conf
*Look for a .key and .private file in the directory the dnssec-keygen command was run in.
*Copy the files to the bind / named directory, for OpenWRT it is /etc/bind, OR be in that directory when the dnssec-keygen command is run
*From the WhatEverName.private file, copy the information after the Key: line, IE Key: aBunchOfNumbersAndLetters (without copying Key:)
*Add this information to the /etc/bind/named.conf file (default file location for many flavors of Linux).  The secret is a credential that authorises zone updates, so keep named.conf (or a separate included file holding just the key) readable only by the user named runs as.
<syntaxhighlight lang="text">
key "acme" {
      algorithm hmac-sha512;
      secret "WhatEverTheStringOfTextIsInThePrivateFile";
};
</syntaxhighlight>
 
*Add this information to the specific zone that will be updated (if the allow-update directive below is already in place with another key, just add the additional key line).  Dynamic updates write a .jnl journal next to the zone file, so named must be able to write to that directory; after that, edit the zone file by hand only between rndc freeze and rndc thaw.
<syntaxhighlight lang="text">
zone "WhatEverZoneName.comORorgORnet" {
      type master;
      allow-update {
            key acme;
      };
      file "/etc/bind/masters/WhatEverZoneName.comORorgORnet";
};
</syntaxhighlight>
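The steps above leave the secret copied by hand and hand the key write access to the whole zone.  The script below is an added example, not code from this article, acme.sh or BIND: it turns those steps into POSIX sh functions that extract the secret from the .private file, emit the named.conf key stanza, emit a least-privilege update-policy in place of allow-update, and generate the nsupdate transaction that acme.sh's dns_nsupdate hook performs for the DNS-01 challenge, so each piece can be inspected (and tested against a constructed key file) before it touches a live zone.  The key name "acme", the zone and server names and the challenge token are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article, acme.sh or BIND: the
# DNS-01 plumbing the steps above describe, as POSIX sh functions that
# generate named.conf stanzas and the nsupdate transaction so they can be
# reviewed (and tested with a constructed key file) before touching a live zone.
# The key name "acme", the zone/server names and the token are illustrative.

# tsig_secret_from_private FILE: the base64 after "Key:" in a dnssec-keygen
# .private file, i.e. the value the article says to copy into named.conf.
tsig_secret_from_private() {
  sed -n 's/^Key:[[:space:]]*//p' "$1"
}

# named_key_stanza NAME SECRET [ALGORITHM]: the key {} block for named.conf
# (same shape tsig-keygen prints on BIND 9.13+).
named_key_stanza() {
  printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "${3:-hmac-sha512}" "$2"
}

# zone_update_policy KEYNAME FQDN...: least-privilege replacement for
# `allow-update { key acme; };`. The key may only add/delete TXT records at
# _acme-challenge.<fqdn> for the listed names, which is all DNS-01 needs; a
# leaked key then cannot rewrite the zone's A or MX records.
zone_update_policy() {
  key="$1"; shift
  printf 'update-policy {\n'
  for fqdn in "$@"; do
    printf '\tgrant %s name _acme-challenge.%s. TXT;\n' "$key" "$fqdn"
  done
  printf '};\n'
}

# nsupdate_txt_script SERVER add|delete FQDN TOKEN: the transaction acme.sh's
# dns_nsupdate hook sends (add before validation, delete afterwards). TTL 60
# keeps a stale token from lingering in caches between issue attempts.
nsupdate_txt_script() {
  server="$1"; op="$2"; fqdn="$3"; token="$4"
  printf 'server %s\n' "$server"
  case "$op" in
    add)    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$fqdn" "$token" ;;
    delete) printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$fqdn" "$token" ;;
    *)      echo "usage: nsupdate_txt_script SERVER add|delete FQDN TOKEN" >&2; return 1 ;;
  esac
  printf 'send\n'
}

# dns01_txt SERVER KEYFILE add|delete FQDN TOKEN: run the transaction signed
# with the TSIG key (KEYFILE is the dnssec-keygen .private file or a tsig-keygen
# stanza), then read the record back from the authoritative server.
dns01_txt() {
  nsupdate_txt_script "$1" "$3" "$4" "$5" | nsupdate -k "$2" || return 1
  dig +short @"$1" TXT "_acme-challenge.$4."
}

# Usage (after named.conf carries the key and the update-policy):
#   dns01_txt ns1.WhatEverZoneName.xyz /etc/bind/Kacme.+165+12345.private add \
#       WhatEverHostName.WhatEverZoneName.xyz SomeChallengeToken
```

If dns01_txt succeeds by hand with the router's key file, the hook will too: acme.sh's dns_nsupdate reads the same server and key file from the NSUPDATE_SERVER and NSUPDATE_KEY variables (documented in the acme.sh dnsapi wiki).  A REFUSED from nsupdate after switching to update-policy almost always means the name in the grant line does not match the _acme-challenge name the hook is trying to write.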


====Acme.sh Stuff to do====
                         webroot-map = {"example.com":"/var/www"}. (default:
                         {})
</syntaxhighlight><syntaxhighlight lang="text">
acme.sh v 3.08 help output (circa early 2024)
acme.sh <command> ... [parameters ...]
Commands:
  -h, --help              Show this help message.
  -v, --version            Show version info.
  --install                Install acme.sh to your system.
  --uninstall              Uninstall acme.sh, and uninstall the cron job.
  --upgrade                Upgrade acme.sh to the latest code from https://github.com/acmesh-official/acme.sh.
  --issue                  Issue a cert.
  --deploy                Deploy the cert to your server.
  -i, --install-cert      Install the issued cert to apache/nginx or any other server.
  -r, --renew              Renew a cert.
  --renew-all              Renew all the certs.
  --revoke                Revoke a cert.
  --remove                Remove the cert from list of certs known to acme.sh.
  --list                  List all the certs.
  --info                  Show the acme.sh configs, or the configs for a domain with [-d domain] parameter.
  --to-pkcs12              Export the certificate and key to a pfx file.
  --to-pkcs8              Convert to pkcs8 format.
  --sign-csr              Issue a cert from an existing csr.
  --show-csr              Show the content of a csr.
  -ccr, --create-csr      Create CSR, professional use.
  --create-domain-key      Create an domain private key, professional use.
  --update-account        Update account info.
  --register-account      Register account key.
  --deactivate-account    Deactivate the account.
  --create-account-key    Create an account private key, professional use.
  --install-cronjob        Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
  --uninstall-cronjob      Uninstall the cron job. The 'uninstall' command can do this automatically.
  --cron                  Run cron job to renew all the certs.
  --set-notify            Set the cron notification hook, level or mode.
  --deactivate            Deactivate the domain authz, professional use.
  --set-default-ca        Used with '--server', Set the default CA to use.
                          See: https://github.com/acmesh-official/acme.sh/wiki/Server
  --set-default-chain      Set the default preferred chain for a CA.
                          See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain
Parameters:
  -d, --domain <domain.tld>        Specifies a domain, used to issue, renew or revoke etc.
  --challenge-alias <domain.tld>    The challenge domain alias for DNS alias mode.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
  --domain-alias <domain.tld>      The domain alias for DNS alias mode.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/DNS-alias-mode
  --preferred-chain <chain>        If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
                                      If no match, the default offered chain will be used. (default: empty)
                                      See: https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain
  --valid-to    <date-time>        Request the NotAfter field of the cert.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/Validity
  --valid-from  <date-time>        Request the NotBefore field of the cert.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/Validity
  -f, --force                      Force install, force cert renewal or override sudo restrictions.
  --staging, --test                Use staging server, for testing.
  --debug [0|1|2|3]                Output debug info. Defaults to 2 if argument is omitted.
  --output-insecure                Output all the sensitive messages.
                                      By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
  -w, --webroot <directory>        Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
  --stateless                      Use stateless mode.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/Stateless-Mode
  --apache                          Use apache mode.
  --dns [dns_hook]                  Use dns manual mode or dns api. Defaults to manual mode when argument is omitted.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/dnsapi
  --dnssleep <seconds>              The time in seconds to wait for all the txt records to propagate in dns api mode.
                                      It's not necessary to use this by default, acme.sh polls dns status by DOH automatically.
  -k, --keylength <bits>            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
  -ak, --accountkeylength <bits>    Specifies the account key length: 2048, 3072, 4096
  --log [file]                      Specifies the log file. Defaults to "/etc/acme/config/acme.sh.log" if argument is omitted.
  --log-level <1|2>                Specifies the log level, default is 2.
  --syslog <0|3|6|7>                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
  --eab-kid <eab_key_id>            Key Identifier for External Account Binding.
  --eab-hmac-key <eab_hmac_key>    HMAC key for External Account Binding.
  These parameters are to install the cert to nginx/apache or any other server after issue/renew a cert:
  --cert-file <file>                Path to copy the cert file to after issue/renew.
  --key-file <file>                Path to copy the key file to after issue/renew.
  --ca-file <file>                  Path to copy the intermediate cert file to after issue/renew.
  --fullchain-file <file>          Path to copy the fullchain cert file to after issue/renew.
  --reloadcmd <command>            Command to execute after issue/renew to reload the server.
  --server <server_uri>            ACME Directory Resource URI. (default: https://acme.zerossl.com/v2/DV90)
                                      See: https://github.com/acmesh-official/acme.sh/wiki/Server
  --accountconf <file>              Specifies a customized account config file.
  --home <directory>                Specifies the home dir for acme.sh.
  --cert-home <directory>          Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home <directory>        Specifies the home dir to save all the configurations.
  --useragent <string>              Specifies the user agent string. it will be saved for future use too.
  -m, --email <email>              Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey <file>              Specifies the account key path, only valid for the '--install' command.
  --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is 60 days.
  --httpport <port>                Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --tlsport <port>                  Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
  --local-address <ip>              Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
  --listraw                        Only used for '--list' command, list the certs in raw format.
  -se, --stop-renew-on-error        Only valid for '--renew-all' command. Stop if one cert has error in renewal.
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path <directory>            Specifies directory containing CA certificates in PEM format, used by wget or curl.
  --no-cron                        Only valid for '--install' command, which means: do not install the default cron job.
                                      In this case, the certs will not be renewed automatically.
  --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
  --no-color                        Do not output color text.
  --force-color                    Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                            Specifies use of the ECC cert. Only valid for '--install-cert', '--renew', '--remove ', '--revoke',
                                      '--deploy', '--to-pkcs8', '--to-pkcs12' and '--create-csr'.
  --csr <file>                      Specifies the input csr.
  --pre-hook <command>              Command to be run before obtaining any certificates.
  --post-hook <command>            Command to be run after attempting to obtain/renew certificates. Runs regardless of whether obtain/renew succeeded or failed.
  --renew-hook <command>            Command to be run after each successfully renewed certificate.
  --deploy-hook <hookname>          The hook file to deploy cert
  --ocsp, --ocsp-must-staple        Generate OCSP-Must-Staple extension.
  --always-force-new-domain-key    Generate new domain key on renewal. Otherwise, the domain key is not changed by default.
  --auto-upgrade [0|1]              Valid for '--upgrade' command, indicating whether to upgrade automatically in future. Defaults to 1 if argument is omitted.
  --listen-v4                      Force standalone/tls server to listen at ipv4.
  --listen-v6                      Force standalone/tls server to listen at ipv6.
  --openssl-bin <file>              Specifies a custom openssl bin location.
  --use-wget                        Force to use wget, if you have both curl and wget installed.
  --yes-I-know-dns-manual-mode-enough-go-ahead-please  Force use of dns manual mode.
                                      See:  https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
  -b, --branch <branch>            Only valid for '--upgrade' command, specifies the branch name to upgrade to.
  --notify-level <0|1|2|3>          Set the notification level:  Default value is 2.
                                      0: disabled, no notification will be sent.
                                      1: send notifications only when there is an error.
                                      2: send notifications when a cert is successfully renewed, or there is an error.
                                      3: send notifications when a cert is skipped, renewed, or error.
  --notify-mode <0|1>              Set notification mode. Default value is 0.
                                      0: Bulk mode. Send all the domain's notifications in one message(mail).
                                      1: Cert mode. Send a message for every single cert.
  --notify-hook <hookname>          Set the notify hook
  --notify-source <server name>    Set the server name in the notification message
  --revoke-reason <0-10>            The reason for revocation, can be used in conjunction with the '--revoke' command.
                                      See: https://github.com/acmesh-official/acme.sh/wiki/revokecert
  --password <password>            Add a password to exported pfx file. Use with --to-pkcs12.
</syntaxhighlight>