
Upgrading an HTTP Site to HTTPS with acme.sh

This guide explains why and how to migrate an HTTP website to HTTPS: the differences between the two protocols, the options for obtaining SSL certificates, step-by-step installation of the acme.sh script, and generating, installing, and automatically renewing certificates using both HTTP and DNS validation.

IT Xianyu

Many site owners need to upgrade their sites from HTTP to HTTPS for security and compliance reasons, such as browser warnings and platform requirements like WeChat Mini Programs.

HTTPS adds SSL/TLS on top of HTTP: a certificate issued by a CA authenticates the server, and the traffic is encrypted. Upgrading simply requires installing a suitable certificate.

Certificates can be obtained either by purchasing a paid CA certificate from providers like Alibaba Cloud or Tencent Cloud, or by using free certificates from Let’s Encrypt, which are valid for three months and can be renewed automatically.

The recommended tool for automating Let’s Encrypt certificate issuance is acme.sh, which implements the ACME protocol.

Installing acme.sh requires a single command:

curl https://get.acme.sh | sh

The script installs itself in ~/.acme.sh/, creates a convenient alias, and sets up a daily cron job to check and renew certificates.

Generating certificates can be done via two validation methods:

HTTP validation: place a verification file in the web root, e.g.

acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

DNS validation: add a TXT record to the domain’s DNS, useful when no web server is available.

acme.sh --issue --dns -d mydomain.com

For Apache or Nginx servers, acme.sh can automatically extract configuration and perform validation without specifying the web root:

acme.sh --issue -d mydomain.com --apache
acme.sh --issue -d mydomain.com --nginx

If no service is listening on port 80, the script can run in standalone mode:

acme.sh --issue -d mydomain.com --standalone

Installing the certificate copies the generated files to the desired location, for example for Nginx:

acme.sh --installcert -d <domain>.com \
  --key-file /etc/nginx/ssl/<domain>.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "service nginx force-reload"

Use the /etc/nginx/ssl/fullchain.cer path in the Nginx ssl_certificate directive to avoid chain issues.
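
As an added illustration (not part of the original article or the acme.sh project), here is a minimal Nginx configuration that serves the installed files over HTTPS and keeps the HTTP validation path reachable for webroot renewals. The domain and webroot reuse the values from the commands above; the key file name mydomain.com.key is an assumption and should match whatever was passed to --key-file.

```nginx
# Added example. Domain and webroot come from the article's commands;
# the key file name below is an assumption (match your --key-file value).

# Port 80: keep the ACME HTTP validation path served from the webroot so
# "--webroot" issuance and renewal keep working, and redirect everything
# else to HTTPS.
server {
    listen 80;
    server_name mydomain.com www.mydomain.com;

    # acme.sh writes the verification file under
    # <webroot>/.well-known/acme-challenge/
    location ^~ /.well-known/acme-challenge/ {
        root /home/wwwroot/mydomain.com/;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the HTTPS site itself.
server {
    listen 443 ssl;
    server_name mydomain.com www.mydomain.com;

    # fullchain.cer holds the site certificate followed by the
    # intermediate certificate(s). Pointing ssl_certificate at a file
    # with only the site certificate leaves the chain incomplete and
    # some clients will fail validation.
    ssl_certificate     /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;

    # Disable the legacy SSLv3 / TLS 1.0 / TLS 1.1 protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    root /home/wwwroot/mydomain.com/;
}
```

Run nginx -t to validate the configuration before reloading, and keep the private key file readable only by root.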

The script automatically renews certificates after 60 days; you can also manually trigger renewal with:

acme.sh --renew -d mydomain.com

Updating acme.sh is done via:

acme.sh --upgrade

Automatic upgrades can be enabled:

acme.sh --upgrade --auto-upgrade

or disabled with --auto-upgrade 0.

For troubleshooting, add the --debug flag (optionally with a level) to the issue command to obtain detailed logs.

Further advanced features are documented on the acme.sh wiki.
