SSL certificate maximum validity is being reduced to 200 days from March 2026.

SSL Automation

Linux & Kubernetes setup

FairSSL ACME works with all standard Linux ACME clients. Lego is our recommendation for most Linux servers and CI/CD, and cert-manager handles Kubernetes clusters.

Supported platforms

Apache

Debian, Ubuntu, RHEL, CentOS

Lego or Certbot with automatic vhost configuration. mod_ssl is reloaded on renewal.

Nginx

Debian, Ubuntu, Alpine, RHEL

Automatic certificate installation and reload. Works with Lego, Certbot and acme.sh.

HAProxy

Load Balancer / Ingress

Certificates issued via DNS-01 (no port 80 required) and deployed as PEM files to HAProxy.

Kubernetes

cert-manager

Declarative certificate management in the cluster. ACME Issuer with EAB points directly to FairSSL.

Docker

Traefik, Nginx Proxy Manager

Traefik has built-in ACME. Configure with FairSSL directory URL, EAB and DNS challenge.

Generic Load Balancer

F5, NetScaler, Kemp

Lego or acme.sh issues certificates via DNS-01. Deploy via script or API to the load balancer.

macOS

Intel and Apple Silicon

Automate certificates on macOS with Lego and a LaunchDaemon. Works on both Intel and Apple Silicon. Use deploy-hook to sync the certificate to any service.

Recommended client: Lego

Lego is a Go-based ACME client that works on all platforms. FairSSL sponsors the project and collaborates directly with its developers. Lego is our recommended client for Linux and CI/CD pipelines.

Why Lego?

  • Compiled Go binary: no dependencies
  • Supports ARI (smart renewal)
  • Supports EAB (FairSSL account binding)
  • 100+ DNS providers for DNS-01
  • Cross-platform (Linux, macOS, Windows)

Alternatives

  • Certbot: the most well-known choice, Python-based
  • acme.sh: pure shell script, no root required
  • Caddy: web server with built-in ACME
  • Traefik: reverse proxy with ACME

Examples

Lego: Issue certificate (recommended)

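# Issue certificate with Lego and FairSSL ACME
# The EAB credentials are set as shell variables on their own lines, so that
# "$EAB_KID" and "$EAB_HMAC" are already defined when the shell expands the lego command line.

EAB_KID="dhgbKR8K73PgqAxIij6CDg"
EAB_HMAC="QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs"
lego --server https://fairssl.dk/acme \
     --email info@example.com \
     --eab --kid "$EAB_KID" --hmac "$EAB_HMAC" \
     --domains "example.com" --domains "www.example.com" \
     --accept-tos --dns manual run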

Lego: Automatic renewal via cron

# Install as a daily cron job. Lego supports ARI and asks the ACME server daily whether the certificate should be renewed.
# A crontab entry must be a single line: cron does not join lines that end in a backslash.
# The manual DNS provider prompts interactively, so for unattended renewal replace "manual" with your DNS provider.

32 04 * * * /usr/local/bin/lego --server https://fairssl.dk/acme --domains "example.com" --domains "www.example.com" --email info@example.com --accept-tos --dns manual renew --days 15 --renew-hook "/usr/local/bin/reload-apache.sh"

A random minute and hour prevent all clients from renewing at the same time. With ARI, Lego checks daily whether the CA recommends early renewal. The --days 15 flag is a fallback that forces renewal when 15 days or less remain.
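
The --renew-hook script is where a renewed certificate reaches the running service. The following is an added example, not code from FairSSL or the Lego project: a hook for the HAProxy case that checks the renewed files before it builds the combined PEM and reloads. LEGO_CERT_PATH and LEGO_CERT_KEY_PATH are set by Lego for hooks; the function names, the output path, the 15-day threshold and the systemctl reload command are assumptions.

```shell
#!/bin/sh
# Added example: Lego renew hook that installs a renewed certificate for HAProxy.
# Lego passes LEGO_CERT_PATH and LEGO_CERT_KEY_PATH to the hook. The output path,
# the 15-day threshold and the reload command are assumptions; adjust them.
HAPROXY_PEM="${HAPROXY_PEM:-/etc/haproxy/certs/example.com.pem}"
MIN_VALID_DAYS="${MIN_VALID_DAYS:-15}"

# Succeeds only if the certificate's public key belongs to the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Write certificate chain + key as the single PEM file HAProxy loads.
# Checks run first and the file is moved into place atomically, so a failed
# or mismatched renewal never replaces the certificate currently in use.
build_haproxy_pem() {
    cert=$1; key=$2; out=$3
    key_matches_cert "$cert" "$key" || { echo "key does not match $cert" >&2; return 1; }
    valid_for_days "$cert" "$MIN_VALID_DAYS" || { echo "$cert expires too soon" >&2; return 1; }
    tmp=$(umask 077 && mktemp "$out.XXXXXX") || return 1
    if cat "$cert" "$key" > "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Run only when Lego invokes the hook; sourcing the file just defines functions.
if [ -n "${LEGO_CERT_PATH:-}" ]; then
    build_haproxy_pem "$LEGO_CERT_PATH" "$LEGO_CERT_KEY_PATH" "$HAPROXY_PEM" \
        && systemctl reload haproxy
fi
```

Because the reload only runs after both checks pass, a non-zero exit from the hook means the previous certificate is still in place and still being served.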

Certbot

# Certbot with FairSSL ACME server

certbot certonly --server https://fairssl.dk/acme \
    --manual --preferred-challenges dns \
    --eab-kid dhgbKR8K73PgqAxIij6CDg \
    --eab-hmac-key QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs \
    -d example.com -d www.example.com

Certbot automatically sets up renewal via systemd timer.

acme.sh

# acme.sh: does NOT support ARI

# Register account
acme.sh --register-account --server https://fairssl.dk/acme \
    --eab-kid dhgbKR8K73PgqAxIij6CDg \
    --eab-hmac-key QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs

# Issue certificate (--days 30 = renew every 30 days)
acme.sh --issue --server https://fairssl.dk/acme \
    --dns dns_manual -d example.com -d www.example.com --days 30

Note: acme.sh does not support ARI. The --days 30 parameter requests a new certificate every 30 days, not when there are 30 days remaining.

Kubernetes cert-manager

cert-manager (https://cert-manager.io) is the standard for certificate management in Kubernetes. It supports ACME with EAB and can be configured to point at the FairSSL ACME server.

Setup

# Store the EAB HMAC key as a secret (namespace=cert-manager for ClusterIssuer)

kubectl create secret generic fairssl-eab-secret \
  --from-literal=hmac-key=QAx4jKmABqeYCXGZ1H7-eqG2qkPCtflHo5r51TWpebs \
  -n cert-manager

# Create ClusterIssuer

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: fairssl-acme
spec:
  acme:
    server: https://fairssl.dk/acme
    externalAccountBinding:
      keyID: dhgbKR8K73PgqAxIij6CDg
      keySecretRef:
        name: fairssl-eab-secret
        key: hmac-key
...

We use ClusterIssuer (rather than Issuer) so it is available across all namespaces. The EAB secret must be in the cert-manager namespace for the ClusterIssuer to read it. Afterwards, run kubectl describe clusterissuer; the ACME account should show as registered.

Questions about Linux setup

Find answers to the most common questions about SSL certificates and FairSSL.

Yes. Certbot supports any ACME-compatible server. Specify --server https://fairssl.dk/acme and add EAB credentials on first run. After that, renewal works automatically via systemd timer. That said, we recommend Lego over Certbot for most Linux setups: a single Go binary with no Python dependencies, wider DNS provider coverage, and ARI support. FairSSL sponsors Lego.
Yes. Traefik has built-in ACME support and can be configured with FairSSL as CA. For other setups you can run Lego or Certbot in a sidecar container or use cert-manager in Kubernetes.
Use DNS-01 challenge with FairSSL AutoDNS. That way the ACME client does not need access to port 80: the proxy is irrelevant for validation. Alternatively you can route .well-known/acme-challenge/ from the proxy to the client.
