Certbot vs acme.sh

I have installed self-hosted NextCloud on our VM and it has been working very well so far. The situation is that it is for a few users and I cannot spend much time maintaining it. So the preinstalled virtual appliance is a great time saver, even though it uses software that I do not know so well - mainly Debian, I am more Red Hat oriented.
But I’ve run into a Let’s Encrypt certificate problem. Certbot failed somehow and the certificate expired. I tried to make certbot work and even though I’ve found a lot of helpful posts in this forum I was not able to fix it. Basically I got it to the state mentioned in Expired NC certificate and trying to change the module to apache did not work. Finally I decided to ditch certbot in favor of acme.sh ( https://github.com/Neilpang/acme.sh ) and it works like a charm. So I would like to provide a few hints on how to install acme.sh for others that want to install it…
Installation is quite simple as long as you do not mind downloading and running a script from the web:
apt-get install socat curl
curl https://get.acme.sh | sh
acme.sh will install itself to ~/.acme.sh and add itself to cron. Now you need to issue a certificate; it can be as easy as (this mode uses its own web server, so you need to stop apache first):
acme.sh --issue -d www.example.com --standalone
or you can configure apache (in /etc/apache2/sites-enabled/www.example.com.conf ):
Alias /.well-known/ /var/www/tmp/.well-known/
<Directory /var/www/tmp/.well-known/ >
AllowOverride None
Require all granted
Satisfy Any
</Directory>
and then issue a certificate with:
acme.sh --issue -d www.example.com -w /var/www/tmp/
Note that I use the directory /var/www/tmp (you need to create it first and set correct permissions) because systemd sometimes makes /tmp “private” for each service, so it is better not to use /tmp.
After this you should have an issued certificate. acme.sh also stored the values used and will reuse them for renewals. Because of this I would suggest configuring apache, as it will be completely automatic without the need to stop apache on each renewal. But if you are having problems with apache not working because of the expired certificate, you can use standalone first and then change to webroot.
Now you need to install the certificate with (I am using paths from Red Hat, so I needed to create them and set permissions):
acme.sh --install-cert -d www.example.com --key-file /etc/pki/tls/private/www.example.com.letsencrypt.key --fullchain-file /etc/pki/tls/certs/letsencrypt_intermediate.pem --cert-file /etc/pki/tls/certs/www.example.com.letsencrypt.pem --reloadcmd "service apache2 reload"
This will install the certificate into the specified locations and reload apache. It will also store these values and use them when renewing certs. I used the Red Hat directories on purpose so certbot would not mess with the certificates if it somehow started working again…
And last bit is to configure apache to use the cert and key:
SSLCertificateFile /etc/pki/tls/certs/www.example.com.letsencrypt.pem
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.letsencrypt.key
SSLCertificateChainFile /etc/pki/tls/certs/letsencrypt_intermediate.pem
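As an added example (not part of the original post and not acme.sh's own code): the step that most often breaks the webroot mode above is the part glossed over as "create it first and set correct permissions". acme.sh writes the HTTP-01 token under `<webroot>/.well-known/acme-challenge/`, and Apache, running as a different user, must be able to traverse every directory on that path and read the file. The POSIX shell functions below prepare such a webroot and then simulate the token placement and check it the way Apache would see it, plus a separate check for the /tmp-under-systemd problem the post mentions. The webroot path, the token and the "constructed-thumbprint" key-authorization suffix are assumptions for illustration; a real key authorization is `<token>.<account JWK thumbprint>` and is generated by acme.sh.

```shell
#!/bin/sh
# Added example: sanity-check an acme.sh webroot before "acme.sh --issue -w <webroot>".
# Not acme.sh code. Paths and tokens passed in are assumptions for illustration.
set -u

# Directory is world-traversable and listable (o+rx)? "-prune" restricts find
# to the directory itself; "-perm -005" means both o+r and o+x are set.
dir_is_traversable() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm -005 2>/dev/null)" ]
}

# File is world-readable (o+r)?
file_is_world_readable() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Create <webroot>/.well-known/acme-challenge with 0755 on each level so the
# web server user can walk into it regardless of the caller's umask.
prepare_webroot() {
    webroot=$1
    mkdir -p "$webroot/.well-known/acme-challenge" || return 1
    chmod 755 "$webroot" "$webroot/.well-known" "$webroot/.well-known/acme-challenge"
}

# Simulate what acme.sh does for HTTP-01: drop a token file into the challenge
# directory, then verify that every directory from there up to (but excluding)
# $stop is o+rx and the file is o+r. $stop defaults to "/", i.e. check everything.
# Returns 0 if Apache could serve the token, 1 with a reason on stderr otherwise.
check_challenge_path() {
    webroot=$1
    token=$2
    stop=${3:-/}
    dir="$webroot/.well-known/acme-challenge"
    [ -d "$dir" ] || { echo "missing $dir (run prepare_webroot first)" >&2; return 1; }
    # Constructed key authorization; the real one is <token>.<JWK thumbprint>.
    printf '%s.constructed-thumbprint' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token" || return 1
    d=$dir
    while [ "$d" != "$stop" ] && [ "$d" != "/" ]; do
        dir_is_traversable "$d" || { echo "not o+rx: $d" >&2; return 1; }
        d=$(dirname "$d")
    done
    file_is_world_readable "$dir/$token" || { echo "not o+r: $dir/$token" >&2; return 1; }
    return 0
}

# systemd's PrivateTmp= gives apache2 an empty private /tmp and /var/tmp, so a
# token written there by acme.sh (running outside the service) is invisible to it.
webroot_avoids_private_tmp() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*) return 1 ;;
    esac
    return 0
}

# Usage against a real webroot (uncomment; token value is arbitrary here):
# webroot_avoids_private_tmp /var/www/tmp && prepare_webroot /var/www/tmp \
#     && check_challenge_path /var/www/tmp sometoken && echo "webroot OK"
```

The permission check deliberately looks at mode bits rather than running `test -r`, because the person running the check is usually root, for whom `-r` always succeeds; the bits are what matter for the www-data user Apache runs as on Debian. Two caveats on the install step itself: acme.sh also offers `--ca-file` if you want only the intermediate in the file named `letsencrypt_intermediate.pem`, since `--fullchain-file` writes leaf plus intermediate; and on Apache 2.4.8 or newer `SSLCertificateChainFile` is deprecated and `SSLCertificateFile` may point directly at the fullchain file instead.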