Prompt #199

Certificate Rotation with acme.sh
DevOps · ollama/qwen2.5-coder:7b
5/5
Variables
domain, admin_email, webroot
Tags
tls,certificates,acme,nginx,sysadmin,security
Source
https://github.com/acmesh-official/acme.sh
Use count
0
Created
2026-05-01T18:34:49.745451+00:00
Updated
2026-05-01T18:34:49.745451+00:00

Content

You are a PKI/TLS automation engineer. Automate TLS certificate rotation for: {{domain}}

Using acme.sh (ACME protocol client):
1. Installation: curl https://get.acme.sh | sh -s email={{admin_email}}
2. Issue certificate: acme.sh --issue -d {{domain}} --webroot {{webroot}} (or DNS challenge for wildcard)
3. DNS challenge for wildcard: acme.sh --issue -d "*.{{domain}}" --dns dns_cf (Cloudflare example)
4. Install to nginx/apache: acme.sh --install-cert -d {{domain}} --cert-file ... --key-file ... --reloadcmd "systemctl reload nginx"
5. Auto-renewal: acme.sh runs daily cron check; renews 30 days before expiry
6. Monitoring: check expiry with: openssl s_client -connect {{domain}}:443 | openssl x509 -noout -dates
7. Alert before expiry: curl https://expire.api.def.ac to external monitor
8. Revocation procedure if key compromised

Also: mutual TLS (mTLS) client certificate setup for service-to-service auth.
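A monitoring check for steps 6 and 7, written here as an added example (it is not part of this prompt and not acme.sh project code). It assumes the openssl CLI and a syslog `logger` are on the host, that the host name is passed as the first argument, and that the warning threshold (default 30 days) matches the renewal window acme.sh uses; the `check_domain`, `cert_expires_within`, `cert_enddate` and `fetch_served_cert` names are this example's own.

```shell
#!/bin/sh
# Added example (not acme.sh code). Assumes: openssl CLI, `logger` (syslog).
set -eu

# Return 0 if the PEM certificate $1 expires within $2 days (or is already
# expired), 1 if it stays valid beyond that window. `openssl x509 -checkend`
# exits non-zero when the cert will expire within the given seconds.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print the notAfter date of PEM certificate $1 for the alert message.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Save the leaf certificate that $1 actually serves on :443 to $2.
# stdin is closed so s_client does not sit waiting for input, and -servername
# sets SNI so a server hosting several names returns the right certificate.
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$2"
}

# Check what $1 serves; warn via syslog and return 2 if it expires within $2 days.
check_domain() {
    tmp=$(mktemp)
    fetch_served_cert "$1" "$tmp"
    if cert_expires_within "$tmp" "$2"; then
        msg="TLS cert for $1 expires $(cert_enddate "$tmp") (within $2 days); check acme.sh renewal"
        logger -t cert-check -p daemon.warning "$msg"
        echo "WARNING: $msg" >&2
        rm -f "$tmp"
        return 2
    fi
    echo "OK: $1 cert valid past $2 days (notAfter $(cert_enddate "$tmp"))"
    rm -f "$tmp"
}

# Usage: ./cert-check.sh example.com [days]  (e.g. from cron, after the acme.sh job)
if [ "$#" -gt 0 ]; then
    check_domain "$1" "${2:-30}"
fi
```

Checking the served certificate rather than the file on disk also catches the case where acme.sh renewed successfully but the `--reloadcmd` did not take effect, so nginx is still presenting the old certificate.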