SSL-ACME
Automated certificate issuance with ACME
Automatic Certificate Management Environment (usually known as ACME) is a protocol for communicating with a Certificate Authority to automate certificate issuance. Without ACME, it is usually necessary to manually edit DNS records or create files in your web-space to prove that you control the domain.
NetManager includes acme.sh, which is a command-line ACME client.
The ssltool command, which is used to manage certificates, can help with the initial setup of acme.sh by giving you a list of acme.sh commands to run.
Steps:

- Run ssltool create with your domain(s) to create the first certificate:

    netmanager # ssltool -a dev.externaldomain.com www.externaldomain.com create
    Using configuration from /etc/netmanager/certs/CA/openssl.conf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 4107 (0x100b)
            Validity
                Not Before: Apr 23 11:48:08 2026 GMT
                Not After : Apr 23 11:48:08 2031 GMT
            Subject:
                countryName               = GB
                stateOrProvinceName       = Cambridgeshire
                organizationName          = Precedence Technologies Ltd
                commonName                = www.externaldomain.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Subject Alternative Name:
                    DNS:www.externaldomain.com, DNS:dev.externaldomain.com
    Certificate is to be certified until Apr 23 11:48:08 2031 GMT (1826 days)
    Write out database with 1 new entries
    Database updated
    writing RSA key
    Created: www.externaldomain.com:1
    Domains: www.externaldomain.com dev.externaldomain.com

- Run ssltool getacme to get the acme.sh commands:

    netmanager # ssltool www.externaldomain.com getacme
    acme.sh --register-account -m youremailaddress@yourdomain.com
    acme.sh --issue -d www.externaldomain.com -d dev.externaldomain.com --home /root/.acme.sh -w /usr/export/home/www
    acme.sh --install-cert --reloadcmd '/usr/local/sbin/certmanage -d www.externaldomain.com' --home /root/.acme.sh --domain www.externaldomain.com

- Run these commands one at a time.

- The --register-account command will only be suggested if this is the first time you have used acme.sh with ZeroSSL as a CA:

    netmanager # acme.sh --register-account -m youremailaddress@yourdomain.com
    [Thu Apr 23 12:24:50 UTC 2026] Account key creation OK.
    [Thu Apr 23 12:24:50 UTC 2026] No EAB credentials found for ZeroSSL, let's obtain them
    [Thu Apr 23 12:24:51 UTC 2026] Registering account: https://acme.zerossl.com/v2/DV90
    [Thu Apr 23 12:24:52 UTC 2026] Registered
    [Thu Apr 23 12:24:52 UTC 2026] ACCOUNT_THUMBPRINT='xxxxxxxxx'

- The --issue command requests the actual certificate. The suggested command will work if (and only if) the domains being requested point to the NetManager's external web address or can be redirected to it. If this is not the case, you will need to use an alternative method to prove ownership (e.g. dynamic DNS updates; this is beyond the scope of this document). If you are using NetScaler, see below for how to redirect the ACME challenges. N.B. every domain on the certificate will be checked:

    # acme.sh --issue -d www.externaldomain.com -d dev.externaldomain.com --home /root/.acme.sh -w /usr/export/home/www
    [Thu Apr 23 12:44:51 UTC 2026] Using CA: https://acme.zerossl.com/v2/DV90
    [Thu Apr 23 12:44:51 UTC 2026] Multi domain='DNS:www.externaldomain.com,DNS:dev.externaldomain.com
    [Thu Apr 23 12:44:53 UTC 2026] Getting webroot for domain='www.externaldomain.com'
    [Thu Apr 23 12:44:53 UTC 2026] Getting webroot for domain='dev.externaldomain.com'
    [Thu Apr 23 12:44:53 UTC 2026] Verifying: www.externaldomain.com
    [Thu Apr 23 12:44:56 UTC 2026] Processing. The CA is processing your order, please wait. (1/30)
    [Thu Apr 23 12:45:00 UTC 2026] Success
    [Thu Apr 23 12:45:00 UTC 2026] Verifying: dev.externaldomain.com
    [Thu Apr 23 12:45:03 UTC 2026] Processing. The CA is processing your order, please wait. (1/30)
    [Thu Apr 23 12:45:07 UTC 2026] Success
    [Thu Apr 23 12:45:07 UTC 2026] Verification finished, beginning signing.
    [Thu Apr 23 12:45:07 UTC 2026] Let's finalize the order.
    [Thu Apr 23 12:45:07 UTC 2026] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/xxxxx/finalize'
    [Thu Apr 23 12:45:07 UTC 2026] Order status is 'processing', let's sleep and retry.
    [Thu Apr 23 12:45:07 UTC 2026] Sleeping for 15 seconds then retrying
    [Thu Apr 23 12:45:23 UTC 2026] Polling order status: https://acme.zerossl.com/v2/DV90/order/xxxxx
    [Thu Apr 23 12:45:24 UTC 2026] Downloading cert.
    [Thu Apr 23 12:45:24 UTC 2026] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/xxxxx'
    [Thu Apr 23 12:45:24 UTC 2026] Cert success.
    -----BEGIN CERTIFICATE-----
    [snip]
    -----END CERTIFICATE-----
    [Thu Apr 23 12:45:24 UTC 2026] Your cert is in: /root/.acme.sh/www.externaldomain.com_ecc/www.externaldomain.com.cer
    [Thu Apr 23 12:45:24 UTC 2026] Your cert key is in: /root/.acme.sh/www.externaldomain.com_ecc/www.externaldomain.com.key
    [Thu Apr 23 12:45:24 UTC 2026] The intermediate CA cert is in: /root/.acme.sh/www.externaldomain.com_ecc/ca.cer
    [Thu Apr 23 12:45:24 UTC 2026] And the full-chain cert is in: /root/.acme.sh/www.externaldomain.com_ecc/fullchain.cer

- Once the certificate has been successfully issued, configure certmanage to install the certificate on the services that need it, and test. If the certificate is only used on the NetManager itself, you can skip this step.

- The final --install-cert command defines what to do when the certificate gets renewed. You want it to run certmanage so that the renewed certificate is installed on all configured services:

    netmanager # acme.sh --install-cert --reloadcmd '/usr/local/sbin/certmanage -d www.externaldomain.com' --home /root/.acme.sh --domain www.externaldomain.com
    [Thu Apr 23 13:00:34 UTC 2026] The domain 'www.externaldomain.com' seems to already have an ECC cert, let's use it.
    [Thu Apr 23 13:00:34 UTC 2026] Running reload cmd: /usr/local/sbin/certmanage -d www.externaldomain.com
    Installing on local NetManager only
    Domain: www.externaldomain.com
    Serial: C6CD1582E0E8E349A215BBB5BA10DC1C
    Certificate fingerprint:
      SHA1:   25:E6:E4:C8:F2:16:EB:0F:32:D7:14:78:5A:4F:69:77:5C:D5:2F:20
      SHA256: 2F:93:DB:7D:02:13:79:AF:83:61:23:B9:86:2B:D5:DD:F9:8D:5E:F4:43:E7:BF:1F:3C:1C:BC:9C:7A:E8:9F:73
      MD5:    66:1A:1A:B6:96:C0:5D:F4:48:13:8B:AD:59:16:2C:81
    local
    [Thu Apr 23 13:00:34 UTC 2026] Reload successful

- Finally, ensure a scheduled job is in place to automatically renew the certificates by running /usr/libexec/build/crontab. This adds the following line to your crontab:

    10 3 * * 0 /usr/pkg/sbin/acme.sh --cron --home /root/.acme.sh
Using NetScaler to redirect ACME challenges to NetManager's webserver

The NetScaler commands below allow a certificate to be created for a VPN vServer (i.e. a Citrix connection) by forwarding only the ACME challenge requests to the NetManager. They are explained in order:

    add service "NetManager http" 10.0.0.1 HTTP 80

Create a service definition for NetManager's internal IP address (change 10.0.0.1 as needed).

    add lb vserver NetManager HTTP 0.0.0.0 0 -persistenceType NONE -cltTimeout 180

Create a load-balancing vserver called NetManager. The IP address 0.0.0.0 means it is internal to the NetScaler and is not directly reachable from outside.

    add cs action "NetManager ACME" -targetLBVserver NetManager

Create a content-switching action called NetManager ACME that targets the internal vserver created above.

    add cs policy "ACME challenge" -rule "HTTP.REQ.URL.PATH_AND_QUERY.CONTAINS(\"/.well-known/acme-challenge\")" -action "NetManager ACME"

Define a content-switching policy that matches web requests whose path contains /.well-known/acme-challenge (the path the CA fetches when validating the domain). If it matches, direct the request to the NetManager ACME action.

    bind lb vserver NetManager "NetManager http"

Link the backend NetManager web service to the load-balancing vserver called NetManager.

    bind vpn vserver Internet -policy "ACME challenge" -priority 100

Attach the content-switching policy to the VPN vServer called Internet.
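As an added pre-flight check (this script is not part of NetManager, ssltool or acme.sh), the following emulates what the CA does during the --issue step above: it writes a throwaway token under WEBROOT/.well-known/acme-challenge/ and fetches it over plain HTTP through each domain, so a domain that does not reach the NetManager webserver (directly, or via the NetScaler policy just described) is reported before the order is placed. WEBROOT defaults to the -w path printed by ssltool getacme; the FETCH variable, the script name and the token naming are assumptions of this example.

```shell
#!/bin/sh
# Added pre-flight check, not part of NetManager or acme.sh: emulate the CA's
# HTTP-01 fetch for every domain before running `acme.sh --issue ... -w "$WEBROOT"`.
# Usage (assumed name): WEBROOT=/usr/export/home/www ./acme-preflight.sh www.externaldomain.com dev.externaldomain.com
WEBROOT="${WEBROOT:-/usr/export/home/www}"   # the -w path printed by ssltool getacme
FETCH="${FETCH:-http_fetch}"                 # fetch command; overridable for offline tests

# Fetch a URL body over HTTP. HTTP-01 validators follow redirects, so do the same.
http_fetch() { curl -fsSL --max-time 10 "$1"; }

# The exact URL a CA validator requests for a given domain and token.
challenge_url() { printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"; }

# Write a throwaway token into the webroot, fetch it through the domain, then
# remove it. Succeeds (0) only when the body that came back equals the token,
# i.e. the domain really reaches this webroot (directly or via the NetScaler rule).
check_domain() {
  domain=$1; token=$2
  dir="$WEBROOT/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
  body=$("$FETCH" "$(challenge_url "$domain" "$token")" 2>/dev/null); rc=$?
  rm -f "$dir/$token"
  [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Check every domain that will be on the certificate; returns the failure count,
# so a non-zero exit means the --issue command would fail validation.
check_all() {
  fails=0
  for d in "$@"; do
    tok="preflight-$(date +%s)-$$-$fails"
    if check_domain "$d" "$tok"; then
      echo "OK   $d"
    else
      echo "FAIL $d (http://$d/.well-known/acme-challenge/ does not serve $WEBROOT)"
      fails=$((fails + 1))
    fi
  done
  return "$fails"
}

if [ $# -gt 0 ]; then check_all "$@"; fi
```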


