Getssl
Obtain free SSL certificates from the letsencrypt ACME server. Suitable for automating the process on remote servers.
Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers. The project is written primarily in Shell, distributed under the GNU General Public License v3.0 license, first published in 2016. It has gained significant community traction with 2,224 stars and 388 forks on GitHub. Key topics include: acme, acme-server, certificate, ftp, getssl.
# getssl <!-- omit in toc -->

Obtain SSL certificates from the letsencrypt.org ACME server. Suitable for automating the process on remote servers.

## Table of Contents <!-- omit in toc -->
- Upgrade broken in v2.43
- Features
- Overview
- Quick Start Guide
- Manual Installation
- Getting started
- Detailed guide to getting started with more examples
- Wildcard certificates
- ISPConfig
- Automating updates
- Structure
- Custom template for configuration
- Configuration Variables
- Server-Types
- Revoke a certificate
- Elliptic curve keys
- Preferred Chain
- Include Root certificate in full chain
- Windows Server and IIS Support
- Issues / problems / help
## Upgrade broken in v2.43

The automatic upgrade in v2.43 is broken as the url is incorrect. If you have this version installed you'll need to manually upgrade using:

```sh
curl --silent --user-agent getssl/manual https://raw.githubusercontent.com/srvrco/getssl/latest/getssl --output getssl
```
## Features

- Bash - It runs on virtually all unix machines, including BSD, most Linux distributions, macOS.
- Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.
- Runs as a daily cron - so certificates will be automatically renewed when required.
- Automatic certificate renewals
- Checks certificates are correctly loaded - After installation of a new certificate it will test the port specified (see Server-Types for options) that the certificate is actually being used correctly.
- Automatically updates - The script can automatically update itself with bug fixes etc if required.
- Extensively configurable - With a simple configuration file for each certificate it is possible to configure it exactly for your needs, whether a simple single domain or multiple domains across multiple servers on the same certificate.
- Supports http and dns challenges - Full ACME implementation
- Simple and easy to use
- Detailed debug info - Whilst it shouldn't be needed, detailed debug information is available.
- Reload services - After a new certificate is obtained then the relevant services (e.g. apache/nginx/postfix) can be reloaded.
- ACME v1 and V2 - Supports both ACME versions 1 and 2 (note ACMEv1 is deprecated and clients will automatically use v2)
## Overview
GetSSL was written in standard bash (so it can be run on a server, a
desktop computer, or even a virtualbox) and adds the checks and
certificates to a remote server (providing you have ssh with key,
sftp or ftp access to the remote server).
```
getssl ver. 2.36
Obtain SSL certificates from the letsencrypt.org ACME server

Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-X|--experimental tag] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain

Options:
  -a, --all          Check all certificates
  -d, --debug        Output debug information
  -c, --create       Create default config files
  -f, --force        Force renewal of cert (overrides expiry checks)
  -h, --help         Display this help message and exit
  -i, --install      Install certificates and reload service
  -q, --quiet        Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
  -Q, --mute         Like -q, but also mute notification about successful upgrade
  -r, --revoke "cert" "key" [CA_server]   Revoke a certificate (the cert and key are required)
  -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
  -X, --experimental tag   Allow upgrade to a specified version of getssl
  -U, --nocheck      Do not check if a more recent version is available
  -v, --version      Display current version of getssl
  -w working_dir     "Working directory"
  --preferred-chain "chain"   Use an alternate chain for the certificate
```
## Quick Start Guide
You can download precompiled RPM packages and Debian (DEB) packages from
the release page for
this project, or you can manually build and install the program from the git sources.
If you want to manually install the program from scratch with the git sources rather than use the pre-compiled RPMS and DEB packages, or if your target platform does not support Linux RPM or DEB packages, then please skip to the section Manual Installation for instructions on installing the getssl program manually.
Packages are provided in binary and source versions, and can be downloaded and
installed directly or rebuilt. Package types are
Red Hat Package Manager (RPM) packages and Debian (DEB) packages for binary installation and
Source RPM packages (SRPMS) and Debbuild SDEB packages for source code installation.
RPM and DEB packages for each release include a binary architecture specific package
and a source package which can be downloaded and built/rebuilt and which contains the source code.
For example, the release v2.51 contains the following packages in the release section:
### RPM Based Packages (RedHat, CentOS, SuSe, Oracle Linux, AWS Linux)
- getssl-2.51-1.src.rpm (source)
- getssl-2.51-1.noarch.rpm (binary)
### Debian Based Packages (Debian, Ubuntu)
- getssl_2.51-1_all.deb (binary)
### Installing Binary Packages
To install the binary package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:
```sh
rpm -i getssl-2.51-1.noarch.rpm
```
To deinstall the RPM binary package:
```sh
rpm -e getssl
```
To install the binary package with the Debian dpkg package manager for Debian and Ubuntu Linux distributions:
```sh
dpkg -i getssl_2.51-1_all.deb
```
To deinstall the Debian dpkg binary package:
```sh
dpkg -r getssl
```
### Installing Source Packages
To install the source package with the rpm package manager for RedHat, CentOS, SuSe, Oracle Linux, or AWS Linux distributions:
```sh
rpm -i getssl-2.51-1.src.rpm
```
(Note: rpm installs the source code files in /root/rpmbuild/ as top directory for RedHat, CentOS, Oracle Linux, and AWS Linux platforms. SuSe platforms install the source code files in /usr/src/packages/)
To install the source package with the Debbuild package tool for Debian or Ubuntu Linux distributions:
```sh
debbuild -i getssl-2.51-1.sdeb
```
(Note: Debbuild installs the source code files in /root/debbuild/ as top directory)
One item of note is that SDEB packages are actually just tar.gz archives renamed with an .sdeb file extension with the files organized into a SPECS and SOURCES directory tree structure. Subsequently, an SDEB can also be extracted and installed with the tar -xvf command or the files listed with the tar -tvf command:
```sh
[root@localhost getssl]$ tar -tvf /root/debbuild/SDEBS/getssl-2.51-1.sdeb
-rw-r--r-- root/root   1772110 2022-10-12 20:42 SOURCES/getssl-2.51.tar.gz
-rw-r--r-- root/root       192 2022-08-02 15:02 SOURCES/getssl.crontab
-rw-r--r-- root/root       126 2022-08-02 15:02 SOURCES/getssl.logrotate
-rw-r--r-- root/root      1537 2022-08-02 15:02 SPECS/getssl.spec
[root@localhost getssl]$
```
For building or rebuilding RPMS or DEB Packages after you have installed the associated source packages on your platform, refer to the following:
- Building getssl as an RPM Package (Redhat/CentOS/SuSe/Oracle/AWS)
- Building getssl as a Debian Package (Debian/Ubuntu)
## Manual Installation
Since the script is only one file, you can use the following command for
a quick installation of GetSSL only:
```sh
curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > getssl ; chmod 700 getssl
```
This will copy the getssl Bash script to the current location and change
the permissions to make it executable for you.
For a more comprehensive installation (e.g. install also helper scripts)
use the provided Makefile with each release tarball. Use the install
target.
If you install only the standalone getssl script to a location such as
/usr/local/bin/getssl, the helper scripts under dns_scripts/ and
other_scripts/ are not installed automatically. In that case, copy any
helper scripts you need to a suitable location yourself, for example:
```sh
/usr/local/share/getssl/dns_scripts/
```
and reference that path in DNS_ADD_COMMAND / DNS_DEL_COMMAND.
If you install getssl from the provided RPM/DEB packages or via the
make install target, the helper scripts are installed alongside it under
/usr/share/getssl/dns_scripts/ and other_scripts/.
You'll find the latest version in the git repository:
```sh
git clone https://github.com/srvrco/getssl.git
```
For Arch Linux there are packages in the AUR, see
here and
there.
If you use puppet, there is a GetSSL Puppet module by dthielking.
## Getting started
Once you have obtained the script (see Installation above), the next step is to use
```sh
./getssl -c yourdomain.com
```
where yourdomain.com is the primary domain name that you want to create
a certificate for. This will create the following folders and files.
```sh
~/.getssl
~/.getssl/getssl.cfg
~/.getssl/yourdomain.com
~/.getssl/yourdomain.com/getssl.cfg
```
You can then edit ~/.getssl/getssl.cfg to set the values you want as the
default for the majority of your certificates.
Then edit ~/.getssl/yourdomain.com/getssl.cfg to have the values you
want for this specific domain (make sure to uncomment and specify
correct ACL option, since it is required).
You can then just run:
```sh
getssl yourdomain.com
```
and it should run, providing output like:
```sh
Registering account
Verify each domain
Verifying yourdomain.com
Verified yourdomain.com
Verifying www.yourdomain.com
Verified www.yourdomain.com
Verification completed, obtaining certificate.
Certificate saved in /home/user/.getssl/yourdomain.com/yourdomain.com.crt
The intermediate CA cert is in /home/user/.getssl/yourdomain.com/chain.crt
copying domain certificate to ssh:server5:/home/yourdomain/ssl/domain.crt
copying private key to ssh:server5:/home/yourdomain/ssl/domain.key
copying CA certificate to ssh:server5:/home/yourdomain/ssl/chain.crt
reloading SSL services
```
This will (by default) use the staging server, so should give you a
certificate that isn't trusted (Fake Let's Encrypt).
Change the server in your config file to get a fully valid certificate.
Note: Verification is done via port 80 (http), port 443 (https) or
dns. The certificate can be used (and checked with getssl) on alternate
ports.
## Detailed guide to getting started with more examples
Guide to getting a certificate for example.com and www.example.com
## Wildcard certificates
getssl supports creating wildcard certificates, i.e. *.example.com which allows a single certificate to be used for any domain under example.com, e.g. www.example.com, mail.example.com. These must be validated using the dns-01 method.
A partial example getssl.cfg file is:
```sh
VALIDATE_VIA_DNS=true
export CPANEL_USERNAME=''
export CPANEL_URL='https://www.cpanel.host:2083'
export CPANEL_APITOKEN='1ABC2DEF3GHI4JKL5MNO6PQR7STU8VWX9YZA'
DNS_ADD_COMMAND=/home/root/getssl/dns_scripts/dns_add_cpanel
DNS_DEL_COMMAND=/home/root/getssl/dns_scripts/dns_del_cpanel
```
### PowerDNS
PowerDNS users can either use the existing MySQL helper scripts or the HTTP
API helper scripts in dns_scripts/PowerDNS-API-README.md.
If you installed only /usr/local/bin/getssl, remember to copy the helper
scripts to a local directory first, for example:
```sh
install -d /usr/local/share/getssl/dns_scripts
install -m 755 dns_scripts/dns_add_pdns-api /usr/local/share/getssl/dns_scripts/
install -m 755 dns_scripts/dns_del_pdns-api /usr/local/share/getssl/dns_scripts/
```
and then reference them in your getssl.cfg:
```sh
DNS_ADD_COMMAND="/usr/local/share/getssl/dns_scripts/dns_add_pdns-api"
DNS_DEL_COMMAND="/usr/local/share/getssl/dns_scripts/dns_del_pdns-api"
```
## ISPConfig
You need to create a remote user in ISPConfig to enable remote API access.
Go to System -> Remote Users and enable the features the remote user needs, such as the DNS zone functions.
PHP is required to execute the SOAP functions in the file ispconfig_soap.php.
```sh
DNS_ADD_COMMAND="/home/root/getssl/dns_scripts/dns_add_ispconfig"
DNS_DEL_COMMAND="/home/root/getssl/dns_scripts/dns_del_ispconfig"
export ISPCONFIG_REMOTE_USER_NAME="username"
export ISPCONFIG_REMOTE_USER_PASSWORD="password"
export ISPCONFIG_SOAP_LOCATION="https://localhost:8080/remote/index.php"
export ISPCONFIG_SOAP_URL="https://localhost:8080/remote/"
```
Create the wildcard certificate (need to use quotes to prevent globbing):
```sh
getssl "*.example.domain"
```
You can renew the certificate using getssl -a to renew all configured certificates.
You can also specify additional domains in the SANS line, e.g. SANS="www.test.example.com".
This cannot contain any of the domains which would be covered by the wildcard certificate.
## Automating updates
I use the following cron job
```cron
23 5 * * * /root/scripts/getssl -u -a -q
```
The cron will automatically update getssl and renew any certificates,
only giving output if there are issues / errors.
- The -u flag updates getssl if there is a more recent version available.
- The -a flag automatically renews any certificates that are due for renewal.
- The -q flag is "quiet" so that it only outputs and emails me if there
was an error / issue.
## Structure
The design aim was to provide flexibility in running the code. The
default working directory is ~/.getssl (which can be modified via the
command line).
Within the working directory is a config file getssl.cfg which is a
simple bash file containing variables, an example of which is:
```sh
# Uncomment and modify any variables you need
# The staging server is best for testing (hence set as default)
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

# Set an email address associated with your account - generally set at account level rather than domain.
ACCOUNT_EMAIL="me@example.com"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/user/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"

# The time period within which you want to allow renewal of a certificate - this prevents hitting some of the rate limits.
RENEW_ALLOW="30"

# openssl config file. The default should work in most cases.
SSLCONF="/usr/lib/ssl/openssl.cnf"
```
Then, within the working directory there will be a folder for each
certificate (based on its domain name). Within that folder will be a
config file (again called getssl.cfg), an example of which is:
```sh
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
#
# The staging server is best for testing
#CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"

PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="www.example.org"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
#ACL=('/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ssh:server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ssh:sshuserid@server5:/var/www/${DOMAIN}/web/.well-known/acme-challenge'
#     'ftp:ftpuserid:ftppassword:${DOMAIN}:/web/.well-known/acme-challenge')

# Location for all your certs, these can either be on the server (so full path name) or using ssh as for the ACL
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert

# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
RELOAD_CMD="service apache2 reload"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="https"
#CHECK_REMOTE="true"
```
If a location for a file starts with ssh: it is assumed the next part
of the file is the hostname, followed by a colon, and then the path.
Files will be securely copied using scp, and it assumes that you have a
key on the server (for passwordless access). You can set the user,
port etc for the server in your .ssh/config file.
If an ACL starts with ftp: or sftp: it is assumed that the line is
in the format "ftp:UserID:Password:servername:/path/to/acme-challenge".
sftp requires sshpass.
Note: FTP can be used for copying tokens only
and can not be used for uploading private key or certificates as
it's not a secure method of transfer.
ssh can also be used for the reload command if using on remote servers.
Multiple locations can be defined for a file by separating the locations with a semi-colon.
A typical config file for example.com and www.example.com on the
same server would be:
```sh
# uncomment and modify any variables you need
# The staging server is best for testing
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# additional domains - this could be multiple domains / subdomains in a comma separated list
SANS="www.example.com"

#Acme Challenge Location. The first line for the domain, the following ones for each additional domain
ACL=('/var/www/example.com/web/.well-known/acme-challenge')
USE_SINGLE_ACL="true"

DOMAIN_CERT_LOCATION="/etc/ssl/example.com.crt"
DOMAIN_KEY_LOCATION="/etc/ssl/example.com.key"
CA_CERT_LOCATION="/etc/ssl/example.com.bundle"

RELOAD_CMD="service apache2 reload"
```
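As an added example (not getssl's own code), here is a small POSIX shell parser for the location formats described above, which also applies the rule that plain ftp: may carry challenge tokens only. The function names, the `|`-separated output format and the constructed sample locations are this example's own choices:

```shell
#!/usr/bin/env bash
# Added example, not getssl's own code: parse the location strings getssl
# accepts in ACL entries and DOMAIN_*_LOCATION values, and apply the README's
# rule that plain ftp: may carry tokens only, never a private key or cert.
# Accepted forms: /local/path | ssh:[user@]host:/path
#                 sftp:user:password:host:/path | ftp:user:password:host:/path
# Several locations may be joined with ';'.

# parse_location STRING
# Prints "scheme|user|host|path" (the password of ftp:/sftp: entries is
# consumed but never printed). Returns 1 for a malformed or unsupported string.
parse_location() {
  loc=$1
  case $loc in
    /*) printf 'local|||%s\n' "$loc" ;;
    ssh:*)
      rest=${loc#ssh:}                       # [user@]host:/path
      hostpart=${rest%%:*}
      [ "$hostpart" != "$rest" ] || return 1  # no ':' between host and path
      path=${rest#*:}
      case $hostpart in
        *@*) user=${hostpart%%@*}; host=${hostpart#*@} ;;
        *)   user=""; host=$hostpart ;;
      esac
      [ -n "$host" ] && [ -n "$path" ] || return 1
      printf 'ssh|%s|%s|%s\n' "$user" "$host" "$path"
      ;;
    ftp:*|sftp:*)
      scheme=${loc%%:*}
      rest=${loc#*:}                         # user:password:host:/path
      user=${rest%%:*}; [ "$user" != "$rest" ] || return 1; rest=${rest#*:}
      pass=${rest%%:*}; [ "$pass" != "$rest" ] || return 1; rest=${rest#*:}
      host=${rest%%:*}; [ "$host" != "$rest" ] || return 1; path=${rest#*:}
      [ -n "$user" ] && [ -n "$host" ] && [ -n "$path" ] || return 1
      printf '%s|%s|%s|%s\n' "$scheme" "$user" "$host" "$path"
      ;;
    *) return 1 ;;                           # davs: and anything else: not handled here
  esac
}

# split_locations STRING -> one location per line (';' separated)
split_locations() {
  s=$1
  while [ -n "$s" ]; do
    case $s in
      *\;*) printf '%s\n' "${s%%;*}"; s=${s#*;} ;;
      *)    printf '%s\n' "$s"; s="" ;;
    esac
  done
}

# secret_allowed SCHEME -> 0 if a private key or certificate may travel this way.
# Local copies never leave the host and ssh-based transfers are encrypted;
# plain ftp sends credentials and payload in clear, so it is refused.
secret_allowed() {
  case $1 in local|ssh|sftp) return 0 ;; *) return 1 ;; esac
}

# plan_copy KIND LOCATIONS   (KIND is token, key or cert)
# Prints one line per destination; returns 1 if any destination is invalid
# or would carry a secret over ftp. Nothing is actually copied.
plan_copy() {
  kind=$1
  rc=0
  while IFS= read -r dest; do
    [ -n "$dest" ] || continue
    if ! parsed=$(parse_location "$dest"); then printf 'INVALID %s\n' "$dest"; rc=1; continue; fi
    scheme=${parsed%%|*}
    path=${parsed##*|}
    host=${parsed#*|*|}; host=${host%%|*}
    if [ "$scheme" = local ]; then where=$path; else where="$host:$path"; fi
    if [ "$kind" != token ] && ! secret_allowed "$scheme"; then
      printf 'REFUSED %s %s (%s must not go over plaintext ftp)\n' "$scheme" "$where" "$kind"
      rc=1; continue
    fi
    printf 'OK %s %s\n' "$scheme" "$where"
  done <<EOF
$(split_locations "$2")
EOF
  return $rc
}

# Constructed sample, mirroring the ACL and *_LOCATION examples above.
plan_copy token 'ssh:sshuserid@server5:/var/www/example.com/web/.well-known/acme-challenge;ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge'
plan_copy key 'ssh:server5:/etc/ssl/domain.key;ftp:ftpuserid:ftppassword:example.com:/etc/ssl/domain.key' || echo "refusing to ship the private key over ftp"
```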
## Custom template for configuration
You can create and customize a template that can be used to generate the ~/.getssl/yourdomain.com/getssl.cfg config file, instead of the default one.
Create it in one of the following allowed locations, according to your getssl installation:
```sh
/etc/getssl/getssl_default.cfg
/path/of/your/getssl/installation/getssl_default.cfg
~/.getssl/getssl_default.cfg
```
And define the default values, optionally using the dynamic variables, as in the example below:
```sh
# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS="${EX_SANS}"

ACL=('/home/myuser/${DOMAIN}/public_html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"

RELOAD_CMD="sudo /bin/systemctl restart nginx.service"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
#CHECK_REMOTE="true"
CHECK_REMOTE_WAIT="1" # wait 1 second before checking the remote server
```
## Configuration Variables
All variables below can be set at either the account level (~/.getssl/getssl.cfg) or the per-domain level (~/.getssl/<domain>/getssl.cfg). Settings at the domain level override those at the account level.
| Variable | Default | Description |
|---|---|---|
| ACCOUNT_EMAIL | "" | Contact email for the ACME account (used for expiry reminders, etc.) |
| ACCOUNT_KEY_LENGTH | 4096 | Account key length in bits |
| ACCOUNT_KEY | "$WORKING_DIR/account.key" | Path to the account key file |
| ACCOUNT_KEY_TYPE | "rsa" | Account key type (rsa, prime256v1, secp384r1, secp521r1) |
| ACL | "" | Challenge file locations for the domain and each SAN (local, ssh:, ftp:, sftp:, davs:) |
| ACME_RESPONSE_PENDING_WAIT | 5 | Seconds to wait between polling when ACME status is pending/processing |
| AGREEMENT | "" | Terms-of-service agreement URL; if blank, the CA's current agreement is used |
| ARI_ENABLE | "true" | Whether to consult the CA's ACME Renewal Information (ARI) endpoint before renewing |
| AUTH_DNS_SERVER | "" | Specific authoritative DNS server to use for challenge verification |
| CA | Let's Encrypt Staging | URL of the ACME CA directory. Production: https://acme-v02.api.letsencrypt.org |
| CA_CERT_LOCATION | "" | Destination for the CA (chain) certificate file |
| CHALLENGE_CHECK_TYPE | "http" | Protocol used to verify the challenge URL (http or https) |
| CHECK_ALL_AUTH_DNS | "false" | Check the DNS challenge token on all authoritative DNS servers, not just one |
| CHECK_PUBLIC_DNS_SERVER | "true" | Also query the public DNS server (with VALIDATE_VIA_DNS) |
| CHECK_REMOTE | "true" | Check the remote server after install to confirm correct certificate is loaded |
| CHECK_REMOTE_WAIT | 0 | Seconds to wait after RELOAD_CMD before checking the remote server |
| CSR_SUBJECT | "/" | Subject for the CSR (most fields are stripped by Let's Encrypt) |
| DEACTIVATE_AUTH | "false" | Deactivate authorization after each use (requires re-authorization next time) |
| DEFAULT_REVOKE_CA | Let's Encrypt | Default CA server used by getssl -r if none is specified on the command line |
| DNS_ADD_COMMAND | "" | Script/command to add a DNS challenge TXT record |
| DNS_DEL_COMMAND | "" | Script/command to remove a DNS challenge TXT record |
| DNS_EXTRA_WAIT | 0 | Seconds to wait after DNS propagation before asking the CA to validate |
| DNS_WAIT | 5 | Seconds between DNS propagation re-checks |
| DNS_WAIT_COUNT | 100 | Maximum number of DNS propagation re-checks before giving up |
| DNS_WAIT_RETRY_ADD | "false" | Re-run DNS_ADD_COMMAND every 10 retries if DNS hasn't updated |
| DOMAIN_CERT_LOCATION | "" | Destination for the domain certificate file |
| DOMAIN_CHAIN_LOCATION | "" | Destination for a combined domain + CA certificate file |
| DOMAIN_KEY_CERT_LOCATION | "" | Destination for a combined private key + domain certificate file |
| DOMAIN_KEY_LENGTH | 4096 | Domain key length in bits (RSA only) |
| DOMAIN_KEY_LOCATION | "" | Destination for the private key file |
| DOMAIN_PEM_LOCATION | "" | Destination for a combined private key + domain + CA certificate file |
| DOMAIN_STORAGE | ~/.getssl | Directory where all per-domain config and certificates are stored |
| DUAL_RSA_ECDSA | "false" | Obtain both an RSA and an ECDSA certificate for each order |
| FTP_ARGS | "" | Extra arguments passed to ftp (e.g. -p for passive mode) |
| FTP_OPTIONS | "" | Options inserted into the ftp upload script (e.g. passive) |
| FTP_PORT | "" | Port used for ftp/sftp/ftps/ftpes uploads |
| FTPS_OPTIONS | "" | Options passed to curl for ftps/ftpes uploads (e.g. --insecure) |
| FULL_CHAIN_INCLUDE_ROOT | "false" | Include the root CA certificate in the full chain file |
| GETSSL_IGNORE_CP_PRESERVE | "false" | Don't try to preserve permissions when copying files |
| HTTP_TOKEN_CHECK_WAIT | 0 | Seconds to wait after uploading a token before verifying it |
| IGNORE_DIRECTORY_DOMAIN | "false" | Don't include the directory name as the main domain on the certificate |
| OCSP_MUST_STAPLE | "false" | Add the OCSP Must-Staple extension to the certificate |
| PREFERRED_CHAIN | "" | Substring match against issuer CN to select a specific root chain |
| PREVENT_NON_INTERACTIVE_RENEWAL | "false" | Disallow non-interactive (cron) reissue of this certificate |
| PRIVATE_KEY_ALG | "rsa" | Domain key algorithm (rsa, prime256v1, secp384r1, secp521r1) |
| PROFILE | "" | ACME certificate profile name, if offered by the CA |
| PUBLIC_DNS_SERVER | "" | Public DNS server to consult alongside the authoritative servers |
| RELOAD_CMD | "" | Command(s) to reload services after installing a new certificate |
| REMOTE_EXTRA | "" | Extra curl options used when SERVER_TYPE is a port number |
| RENEW_ALLOW | 30 | Days before expiry within which renewal is allowed |
| REUSE_PRIVATE_KEY | "true" | Reuse the existing private key when renewing a certificate |
| SANS | "" | Comma-separated list of Subject Alternative Names |
| SCP_OPTS | "" | Extra options passed to scp (e.g. -i identity_file) |
| SERVER_TYPE | "https" | Service type to check for correct certificate installation (see Server-Types) |
| SFTP_OPTS | "" | Extra options passed to sftp (e.g. -P 1234) |
| SKIP_HTTP_TOKEN_CHECK | "false" | Don't fetch the challenge URL after uploading the token |
| SSH_OPTS | "" | Extra options passed to ssh (e.g. -p 1234 -i identity_file) |
| SSLCONF | openssl.cnf | Path to the OpenSSL configuration file |
| TOKEN_USER_ID | "" | User (and group, as user.group) that should own the token file |
| USE_SINGLE_ACL | "false" | Apply the first ACL entry to all domains, including each SAN |
| VALIDATE_VIA_DNS | "false" | Use the DNS-01 challenge instead of HTTP-01 |
Full details of each variable, with examples, are available in the wiki Configuration Variables page and in the comments of the per-domain config template.
## Server-Types

OpenSSL has built-in support for getting the certificate from a number of SSL services;
these are available in getssl to check if the certificate is installed correctly.
| Server-Type | Port | Extra |
|---|---|---|
| https | 443 | |
| ftp | 21 | FTP Explicit |
| ftpi | 990 | FTP Implicit |
| imap | 143 | StartTLS |
| imaps | 993 | |
| pop3 | 110 | StartTLS |
| pop3s | 995 | |
| smtp | 25 | StartTLS |
| smtps_deprecated | 465 | |
| smtps | 587 | StartTLS |
| smtp_submission | 587 | StartTLS |
| xmpp | 5222 | StartTLS |
| xmpps | 5269 | |
| ldaps | 636 | |
| postgres | 5432 | |
| port number | (as given) | |
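The following is an added example, not code from getssl: it maps a SERVER_TYPE from the table to the port and `openssl s_client` options needed to fetch the certificate a service presents, then compares the SHA-256 fingerprint with a local certificate file, which is the kind of post-install check CHECK_REMOTE performs. Function names are this example's own, and `-starttls postgres` is included because openssl needs it for PostgreSQL even though the table leaves that column blank.

```shell
#!/usr/bin/env bash
# Added example, not getssl's own code. Maps a SERVER_TYPE value to the
# openssl s_client options needed to pull the certificate a service is
# presenting, then compares it with the certificate file that was installed.
# Function names are this example's own.

# server_type_port TYPE
# Prints the default port from the Server-Types table, or TYPE itself when
# it is already a port number. Returns 1 for an unknown type.
server_type_port() {
  case $1 in
    https)                  echo 443 ;;
    ftp)                    echo 21 ;;
    ftpi)                   echo 990 ;;
    imap)                   echo 143 ;;
    imaps)                  echo 993 ;;
    pop3)                   echo 110 ;;
    pop3s)                  echo 995 ;;
    smtp)                   echo 25 ;;
    smtps_deprecated)       echo 465 ;;
    smtps|smtp_submission)  echo 587 ;;
    xmpp)                   echo 5222 ;;
    xmpps)                  echo 5269 ;;
    ldaps)                  echo 636 ;;
    postgres)               echo 5432 ;;
    ''|*[!0-9]*)            return 1 ;;   # neither a known name nor all digits
    *)                      echo "$1" ;;
  esac
}

# server_type_starttls TYPE
# Prints the "-starttls PROTO" option for services that begin in plaintext
# and upgrade to TLS; prints nothing for services that are TLS from the start.
server_type_starttls() {
  case $1 in
    ftp)                        echo "-starttls ftp" ;;
    imap)                       echo "-starttls imap" ;;
    pop3)                       echo "-starttls pop3" ;;
    smtp|smtps|smtp_submission) echo "-starttls smtp" ;;
    xmpp)                       echo "-starttls xmpp" ;;
    postgres)                   echo "-starttls postgres" ;;  # PostgreSQL negotiates TLS in-band
    *)                          echo "" ;;
  esac
}

# s_client_args HOST TYPE -> the full option string for openssl s_client
s_client_args() {
  host=$1
  port=$(server_type_port "$2") || return 1
  extra=$(server_type_starttls "$2")
  base="-connect $host:$port -servername $host"
  if [ -n "$extra" ]; then printf '%s %s\n' "$base" "$extra"; else printf '%s\n' "$base"; fi
}

# remote_fingerprint HOST TYPE -> SHA-256 fingerprint of the served leaf cert
remote_fingerprint() {
  args=$(s_client_args "$1" "$2") || return 1
  # $args is intentionally unquoted so that it splits into separate options
  openssl s_client $args </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# local_fingerprint CERTFILE -> SHA-256 fingerprint of a PEM certificate
local_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# cert_installed HOST TYPE CERTFILE
# 0 when the service presents exactly CERTFILE, 1 on mismatch, 2 on error.
cert_installed() {
  want=$(local_fingerprint "$3") && [ -n "$want" ] || return 2
  got=$(remote_fingerprint "$1" "$2") && [ -n "$got" ] || return 2
  [ "$got" = "$want" ]
}

# Usage: ./check_cert.sh mail.example.com imap /etc/ssl/example.com.crt
if [ "$#" -eq 3 ]; then
  if cert_installed "$@"; then echo "OK: $1 ($2) serves $3"; else echo "MISMATCH or error for $1 ($2)"; fi
fi
```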
## Revoke a certificate
In general revoking a certificate is not required.
```sh
Usage: getssl -r path/to/cert path/to/key [CA_server]
```
You need to specify both the certificate you want to revoke, and the
account or private domain key which was used to sign / obtain the
original certificate. The CA_server is an optional parameter and
defaults to Let's Encrypt ("https://acme-v02.api.letsencrypt.org") as
that is currently the only Certificate Authority using the ACME
protocol.
## Elliptic curve keys
You can use Elliptic curve keys for both the account key and the domain
key (different ones of course; don't use the same key for both). prime256v1
(NIST P-256) and secp384r1 (NIST P-384) are both fully supported.
secp521r1 (NIST P-521) is included in the code, but is not currently
supported by Let's Encrypt.
## Preferred Chain
If a CA offers multiple chains then it is possible to select which chain
is used by setting the PREFERRED_CHAIN variable in getssl.cfg or specifying
--preferred-chain in the call to getssl.

This uses wildcard matching, so requesting "X1" returns the first certificate
returned by the CA which contains the text "X1". Note you may need to escape
any special characters, e.g.

```sh
PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"
```
- Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
- Production options are: "ISRG Root X1" and "ISRG Root X2"
## Include Root certificate in full chain
Some servers, including those that use Java keystores, will not accept a server certificate if they cannot validate the full chain of signers.
Specifically, Nutanix Prism (Element and Central) will not accept the fullchain.crt until the root CA's certificate has been appended to it manually.
If your application requires the full chain, i.e. including the
root certificate of the CA, then this can be included in the fullchain.crt file by
adding the following line to getssl.cfg
```sh
FULL_CHAIN_INCLUDE_ROOT="true"
```
## Windows Server and IIS Support

System and software requirements:

- Windows Server with DNS and IIS services
- One of
  - WSL Windows Sub for Linux
    - Ubuntu or any other distro
    - getssl can be installed inside WSL or using /mnt/path to windows
  - Bash - getssl should be installed in Windows
    - Git Bash - https://git-scm.com/downloads
    - Rtools4.0 - https://cran.r-project.org/bin/windows/Rtools/
    - WSL Windows Sub for Linux
### WSL

- Installing and configuring WSL 2
  - Add/remove Windows features and choose "Windows Subsystem for Linux"
  - Install a distro like Ubuntu or any other Linux platform
  - If newly added to the system a reboot is required to continue
  - `wsl --install -d ubuntu`
  - Any user will work
- Copying files to WSL
  - From Windows open `Windows Explorer` and browse to `\\wsl$\Ubuntu\home\user\`, then place the getssl files and folders `.getssl` and `getssl` into the user's home directory `\\wsl$\Ubuntu\home\user\.getssl`.
  - Or, in Windows, open `cmd` and type `wsl -d Ubuntu /bin/bash /home/UserName/getssl/getssl domain.eu && exit`
  - To use a specific distro that is not set as the default in WSL, use the `wsl -d distro` command

Notes:

- While configuring WSL please do check the `/etc/hosts` file to confirm the IP of the domain is correct, since it overrides the DNS server.
- Make sure you are running version 2.
### GIT Bash - MINGW64_NT

- Install git GIT Bash

```
"C:\Program Files\Git\bin\bash.exe" --login -i -- path_to/getssl/getssl domain.eu
```
### Rtools Bash - MSYS_NT

- Make sure that the path `\rtools42\usr\bin` in the Windows system environment variables comes before `c:\windows\system32\`, so that getssl uses the Rtools applications instead of Windows applications such as `sort.exe` (which crashes), or specify the full path to sort.

```
\rtools42\usr\bin\bash.exe \Users\Administrator\getssl\getssl domain.eu 2>&1 1>out.txt
```
### Updating DNS TXT records

- Using PowerShell to add and delete `_acme-challenge` records
  - dns_add_windows_dnsserver
  - dns_del_windows_dnsserver

Notes: The script supports optional second level TLDs such as `sub.domain.co.uk`. You can update the regexp `.(co|com).uk` to fit your needs.
### IIS internet information service

- Under the folder `other_scripts` you can find a PowerShell script `iis_install_certeficate.ps1` which generates a PFX certificate to be installed in IIS and binds the domains to the PFX certificate.
- WSL

```sh
RELOAD_CMD=("powershell.exe -ExecutionPolicy Bypass -File "\\\\wsl$\\Ubuntu\\home\\user\\getssl\\other_scripts\\iis_install_certeficate.ps1" "domain.eu" "IIS SiteName" "\\\\wsl$\\Ubuntu\\home\\user\\ssl\\" "path_to_ssl_dir" )
```

- GIT and Rtools4 Bash

```sh
RELOAD_CMD=("powershell.exe /c/Users/Administrator/getssl/other_scripts/iis_install_certeficate.ps1 domain.eu domain path_to_ssl_dir")
```
## Issues / problems / help
If you have any issues, please log them at https://github.com/srvrco/getssl/issues
There are additional help pages on the wiki
If you have any suggestions for improvements then pull requests are
welcomed, or raise an issue.