A recipe for installing acme.sh on a grommunio server:
Some ideas for installing acme.sh on a Grommunio system:
- acme.sh normally installs to /root/.acme.sh. My installation is in /scripts/acme, which is not FHS-compliant (https://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard), but this is due to historical reasons. If you do not want to install to /scripts/acme, simply omit the path during installation and specify the original path for the renewal script.
- After installation, the command acme.sh becomes an alias for the installed script (/scripts/acme/acme.sh). You therefore need to log off and log on again to activate the alias. This also means that the acme.sh command only works for the user who installed the acme.sh script.
- Similar to Certbot, issuing and renewing certificates is performed in standalone mode. This involves stopping Nginx, starting the acme.sh web server to issue or renew the certificate, stopping the web server and restarting Nginx. The certificate is then copied to the grommunio directory and the relevant grommunio services and Nginx are restarted.
- ZeroSSL GmbH is used as CA instead of Let's Encrypt by default in acme.sh. You can change this when issuing the certificate by using the --server letsencrypt parameter.
- Existing Let's Encrypt accounts must be converted to use the acme.sh script. To simplify the process, this recipe uses ZeroSSL. See: https://github.com/maddes-b/linux-stuff/tree/main/acme.sh
- Be sure to enter mail.kunde.at as the first name in the list of -d parameters. The first name also becomes the name of the certificate bundle. Certbot had a separate parameter (--cert-name) for the certificate bundle name, but acme.sh uses the name of the first certificate for the bundle.
- In this recipe, replace kunde.at with your domain and admin@kunde.at with your e-mail address.
- If you need more than two certificates, simply append the DNS name using the -d parameter.
1. Prepare the installation
- Connect as user root to the grommunio server via SSH, using a client such as PuTTY
- Create the home directory for acme.sh as /scripts/acme
mkdir -p /scripts/acme
2. Verify that the .profile file is present in the /root/ directory
ls -lart /root/.profile
If you see an error like
ls: cannot access '/root/.profile': No such file or directory
create the .profile file with:
echo "#" >> /root/.profile
Note: the .profile file is used to store the acme.sh alias.
3. Install acme.sh in the /scripts/acme directory
The admin e-mail for the certificate account is admin@kunde.at; replace it with your e-mail address.
curl https://get.acme.sh | sh -s email=admin@kunde.at --home /scripts/acme
If you would like to use Let's Encrypt instead of ZeroSSL, use the --server letsencrypt parameter.
curl https://get.acme.sh | sh -s email=admin@kunde.at --home /scripts/acme --server letsencrypt
4. Activate the acme.sh alias
Log off and log back in to activate the acme.sh alias for the current user.
Once you have logged on again, check the acme.sh alias using the following command:
alias | grep acme
You should see an alias that looks like this:
alias acme.sh='/scripts/acme/acme.sh'
Note: acme.sh stores an include file in the user's .profile file. Without a .profile file, acme.sh cannot store the alias.
The include is only one line: . "/scripts/acme/acme.sh.env"
5. Issue the first certificate for mail.kunde.at and autodiscover.kunde.at
Note: The name of the first certificate is also the name of the certificate bundle. Replace kunde.at with your domain.
acme.sh --issue --standalone -d mail.kunde.at -d autodiscover.kunde.at --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
Once the certificate has been created, a message will appear indicating where the certificate is stored.
[Mon May 4 04:50:12 PM CEST 2026] Your cert is in: /scripts/acme/mail.kunde.at_ecc/mail.kunde.at.cer
[Mon May 4 04:50:12 PM CEST 2026] Your cert key is in: /scripts/acme/mail.kunde.at_ecc/mail.kunde.at.key
[Mon May 4 04:50:12 PM CEST 2026] The intermediate CA cert is in: /scripts/acme/mail.kunde.at_ecc/ca.cer
[Mon May 4 04:50:12 PM CEST 2026] And the full-chain cert is in: /scripts/acme/mail.kunde.at_ecc/fullchain.cer
6. Create the renewal script
Create the script /scripts/acme/renew.sh and add the following content to it:
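#!/bin/bash
# Make every file in the grommunio SSL directory owned by gromox:gromox.
find /etc/grommunio-common/ssl/ -type f -exec chown -h gromox:gromox {} +
# Restart Nginx, Postfix and the gromox services so they pick up the new certificate.
systemctl restart nginx postfix gromox-http gromox-imap gromox-pop3 gromox-delivery-queue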
Disclaimer: Some lines of this script were stolen ;-) from the grommunio certbot hook script (/usr/share/grommunio-setup/grommunio-certbot-renew-hook).
Make the renew.sh script executable with this command:
chmod +x /scripts/acme/renew.sh
7. Install the certificate in the grommunio system
Before installing the new certificate, back up the current key and certificate bundle from the grommunio folder by copying them to the /root/ directory.
cp -av /etc/grommunio-common/ssl/server.key /root/
cp -av /etc/grommunio-common/ssl/server-bundle.pem /root/
Now install the new certificate:
acme.sh --install-cert -d mail.kunde.at --key-file /etc/grommunio-common/ssl/server.key --fullchain-file /etc/grommunio-common/ssl/server-bundle.pem --reloadcmd "/scripts/acme/renew.sh"
Note: the renew.sh script will restart the web server and the required grommunio services.
Check if all grommunio services are running:
systemctl --failed
Repair any failed services.
8. Check the configuration and certificate
Check the acme.sh configuration
acme.sh --list
You should now see a list of your certificates.
Check your certificate (again, replace kunde.at with your domain):
acme.sh --info -d mail.kunde.at
You should now see a detailed list of information for this certificate.
9. acme.sh has created a cron job file, check it
Show the cron tab for root with:
crontab -l
You should see a cron job like this:
27 17 * * * "/scripts/acme"/acme.sh --cron --home "/scripts/acme" > /dev/null
Note: "/scripts/acme"/acme.sh is not a typo.
10. Disable the grommunio certbot timer and service
systemctl stop grommunio-certbot-renew.timer
systemctl disable grommunio-certbot-renew.timer
systemctl mask grommunio-certbot-renew.timer
systemctl disable grommunio-certbot-renew.service
systemctl mask grommunio-certbot-renew.service
11. Uninstall certbot
To finish cleaning up, uninstall any remaining Certbot files on the system.
zypper remove python313-certbot python313-certbot-nginx
12. Test the system
With a browser, access grommunio Web at https://mail.kunde.at/web and verify that the certificate was issued a few minutes ago and that the CA is ZeroSSL.
You can view the certificate's subject using:
openssl x509 -noout -subject -in /etc/grommunio-common/ssl/server-bundle.pem
You can view the alternative names using:
openssl x509 -text -in /etc/grommunio-common/ssl/server-bundle.pem | grep DNS
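The two openssl commands above are checked by eye. The following added example (not part of the original recipe) also confirms that server.key belongs to the first certificate in server-bundle.pem, that the expected name is an exact DNS entry, and that the certificate is not about to expire. The function names check_cert_pair and make_demo_pair are hypothetical, and the demo pair is a constructed self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the original recipe. Function names are hypothetical.
# Real use (as root):
#   sh check.sh /etc/grommunio-common/ssl/server.key \
#               /etc/grommunio-common/ssl/server-bundle.pem mail.kunde.at

# check_cert_pair KEY BUNDLE NAME [MIN_DAYS]
# Returns 0 only if KEY matches the first certificate in BUNDLE, NAME is an
# exact DNS subjectAltName, and the certificate stays valid for MIN_DAYS.
check_cert_pair() {
    key=$1 bundle=$2 name=$3 min_days=${4:-14}
    [ -r "$key" ] && [ -r "$bundle" ] || { echo "FAIL: cannot read key or bundle"; return 1; }

    # 1. The public key derived from the private key must equal the one in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: unreadable key"; return 1; }
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || { echo "FAIL: unreadable certificate"; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: key does not match certificate"; return 1; }

    # 2. The name must be a whole DNS entry, not just a substring of one.
    openssl x509 -in "$bundle" -noout -text | grep -o 'DNS:[^,[:space:]]*' | grep -qxF "DNS:$name" \
        || { echo "FAIL: $name not in subjectAltName"; return 1; }

    # 3. The certificate must not expire within MIN_DAYS.
    openssl x509 -in "$bundle" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: expires within $min_days days"; return 1; }
    echo "OK: $name"
}

# Constructed demo input: a throwaway 30-day self-signed pair in directory $1,
# plus an unrelated key, standing in for the grommunio files.
make_demo_pair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mail.kunde.at" \
        -addext "subjectAltName=DNS:mail.kunde.at,DNS:autodiscover.kunde.at" \
        -keyout "$dir/server.key" -out "$dir/server-bundle.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
}

# When called with KEY BUNDLE NAME [MIN_DAYS], run the check and exit non-zero on failure.
if [ "$#" -ge 3 ]; then check_cert_pair "$@" || exit 1; fi
```
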
13. Document the certificate creation process
If you need to reissue the certificate (e.g. to add more DNS names), you will require the command used to create the original certificate, i.e. the line that begins with acme.sh --issue. Likewise, if you need to make changes to the certificate installation, you will require the command used to install the certificate, i.e. the line that begins with acme.sh --install. It is wise to document both commands.
14. A systemd timer can be used instead of the cron tab file
Read the documentation on setting up a systemd timer instead of using the cron tab file: https://github.com/acmesh-official/acme.sh/wiki/Using-systemd-units-instead-of-cron
Enjoy Grommunio!