Automating SSL certificate issuance is now standard practice in modern web infrastructure management. acme.sh combined with the BEST-HOSTING DNS API lets you fully automate the retrieval and renewal of SSL/TLS certificates — including wildcard certificates — with zero manual effort.

What is acme.sh?

acme.sh is an open-source shell script that implements the ACME protocol (Automatic Certificate Management Environment), used by certificate authorities like ZeroSSL, Let's Encrypt, and others to automatically issue trusted SSL/TLS certificates for free.

acme.sh is one of the most widely used ACME clients in the world — popular for its portability (no dependencies beyond a shell), simple installation, and broad support for DNS providers via DNS API plugins.

What is the DNS-01 challenge and why does it matter?

When issuing an SSL certificate, the certificate authority needs to verify that you actually control the domain. The most common method is HTTP verification — by placing a file on your web server. But that's not always an option, for example with:

  • servers without public HTTP access (internal apps, VPN, mail servers, database servers),
  • wildcard certificates (*.example.com), where HTTP verification simply doesn't work by design,
  • fully automated environments with no web-facing layer.

That's where the DNS-01 challenge comes in: instead of a file on your web server, the certificate authority verifies the existence of a special TXT record in your domain's DNS zone. The entire process can be fully automated via DNS API — acme.sh adds and removes the TXT record automatically.

BEST-HOSTING DNS API and the dns_bh plugin

BEST-HOSTING operates its own REST API for managing DNS records, designed primarily for automating the DNS-01 challenge during SSL certificate issuance. The API lets you programmatically add and remove TXT records in DNS zones managed on our platform.

Our dns_bh plugin has been accepted into the official acme.sh distribution, where it's available as part of the standard installation. There's nothing to download manually — the plugin is ready to use right after you install acme.sh.

What does the DNS API support?

  • Adding TXT records for DNS-01 verification
  • Automatically removing TXT records after certificate issuance
  • HTTP Basic authentication with optional access key management via the customer portal
  • Rate limiting to protect the API

Who is this for?

SSL automation via the BEST-HOSTING DNS API is a great fit for anyone who:

  • manages one or more domains on the BEST-HOSTING platform,
  • needs a wildcard certificate covering a domain and all its subdomains,
  • runs servers or services without public web access on local IP addresses (internal apps, VPN, mail servers, database servers),
  • wants fully automated certificate renewal with no manual intervention needed,
  • integrates certificate management into their own scripts, CI/CD pipelines, or configuration management tools (Ansible, Chef, etc.),
  • runs a smart home setup and needs a trusted SSL certificate for locally hosted services like Home Assistant or similar platforms,
  • manages IoT devices or embedded systems that communicate over HTTPS and require a valid certificate where HTTP verification isn't an option,
  • hosts a NAS or home server (Synology, TrueNAS, Proxmox, etc.) accessible via a custom domain on a local or private network,
  • runs internal company tools — wikis, monitoring dashboards, Gitea, Nextcloud, and similar apps — on private infrastructure not exposed to the internet,
  • and any other devices or services where HTTPS with a valid certificate is desired, but HTTP verification isn't possible.

Security and access management

Access to the DNS API is protected by a unique pair of credentials (BH_API_USER and BH_API_KEY), which each customer generates independently in the BEST-HOSTING customer portal under Profile / REST API.

We recommend:

  • never share or expose your API key,
  • if you're no longer using an API key, delete or deactivate it,
  • for automation, store your credentials as environment variables or in a secure secrets store,
  • if a key is compromised, delete it immediately and generate a new one in the customer portal.
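One way to follow the recommendation above without putting the key into ~/.bashrc or shell history, as an added shell example that is not part of acme.sh or the BEST-HOSTING tooling: the credentials live in a dedicated file readable only by its owner and are exported only for the shell that runs acme.sh. The path /etc/acme/bh-dns-api.env and the function names are this example's own choices; BH_API_USER and BH_API_KEY are the variable names the dns_bh plugin reads.

```shell
#!/usr/bin/env bash
# Added example, not part of acme.sh or the dns_bh plugin: load the DNS API
# credentials from a file that only its owner can read, then export them for
# the current shell so acme.sh picks them up without them ever appearing in
# a dotfile or in `ps` output. The file path is an assumption of this example.

CRED_FILE="${CRED_FILE:-/etc/acme/bh-dns-api.env}"

# file_mode PATH -> prints the octal permission bits (e.g. 600).
# GNU stat (-c) and BSD/macOS stat (-f) use different flags, so try both.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# load_bh_credentials PATH
# Exports BH_API_USER and BH_API_KEY from PATH and returns 0 on success.
# Returns 1 if the file is missing, 2 if its permissions are too loose,
# 3 if either variable is absent. The file holds KEY=value lines; a value
# wrapped in double quotes is accepted, blank lines and # comments are skipped.
load_bh_credentials() {
  local file="$1" mode key value line
  [ -f "$file" ] || { echo "credential file not found: $file" >&2; return 1; }
  mode="$(file_mode "$file")"
  case "$mode" in
    *00) ;;   # 400, 600, 700: only the owner has any access
    *) echo "refusing $file: mode '$mode' grants access beyond the owner" >&2; return 2 ;;
  esac
  # Start clean so a value left over from an earlier load cannot mask a gap.
  unset BH_API_USER BH_API_KEY
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    value="${line#*=}"
    value="${value#\"}"; value="${value%\"}"   # tolerate KEY="value"
    case "$key" in
      BH_API_USER|BH_API_KEY) export "$key=$value" ;;
      *) echo "ignoring unexpected key in $file: $key" >&2 ;;
    esac
  done < "$file"
  [ -n "${BH_API_USER:-}" ] && [ -n "${BH_API_KEY:-}" ] || {
    echo "BH_API_USER or BH_API_KEY missing in $file" >&2; return 3; }
  return 0
}

# Usage (run in the shell that will call acme.sh; values are placeholders):
#   printf 'BH_API_USER=your_api_user\nBH_API_KEY=your_api_key\n' > /etc/acme/bh-dns-api.env
#   chmod 600 /etc/acme/bh-dns-api.env
#   load_bh_credentials "$CRED_FILE" && \
#     acme.sh --issue --dns dns_bh -d example.com -d '*.example.com' --dnssleep 120
```

Create the file with umask 077 or chmod 600 immediately after writing it, and call load_bh_credentials directly (not in a subshell), otherwise the exports do not reach acme.sh. Keep in mind that after the first successful use acme.sh stores its own copy of the values in its configuration directory (~/.acme.sh by default), so that directory needs the same owner-only protection as the credential file.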

Getting started

You will need:

  • A domain whose DNS zone is managed on the BEST-HOSTING platform
  • Command-line access to your server (Linux)
  • API credentials (BH_API_USER, BH_API_KEY) generated in the customer portal

Step 1 — Install acme.sh

curl https://get.acme.sh | sh -s email=your@email.com

After installation, restart your shell — the easiest way is to log out and back in — or run:

source ~/.bashrc

Step 2 — Set your credentials

export BH_API_USER="your_api_user"
export BH_API_KEY="your_api_key"

acme.sh will save your credentials after the first successful use and reuse them automatically for renewals or issuing new certificates. To persist them permanently at the shell level, you can also add these lines to ~/.bashrc or ~/.profile.

Step 3 — Issue a certificate

Single domain certificate:

acme.sh --issue --dns dns_bh -d example.com --dnssleep 120

Wildcard certificate (domain + all subdomains):

acme.sh --issue --dns dns_bh -d example.com -d '*.example.com' --dnssleep 120

Multi-domain certificate (SAN certificate):

acme.sh --issue --dns dns_bh \
  -d example.com \
  -d '*.example.com' \
  -d example2.com \
  --dnssleep 120

The --dnssleep parameter tells acme.sh to wait before verification to allow the TXT record to propagate across DNS. 120 seconds is the recommended safe interval.
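To see what the DNS-01 step and the --dnssleep wait are covering, here is an added shell example (not part of acme.sh or the dns_bh plugin) that polls a public resolver for the _acme-challenge TXT record and reports when the expected value is visible. It assumes dig is installed and that you can create a test TXT record in the zone yourself, for instance through the customer portal; the record name, the token value, the 1.1.1.1 resolver and the DNS_QUERY_CMD and POLL_SLEEP variables are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of acme.sh or the dns_bh plugin: wait until a DNS-01
# TXT record is visible from a public resolver. Useful for measuring how long
# propagation takes in your zone, i.e. whether --dnssleep 120 has headroom.
# Assumes `dig` is installed; resolver and variable names are this example's.

# Query backend: a command that prints the TXT values of a name, one per line,
# in the double-quoted form `dig +short TXT` uses. Overridable for testing.
DNS_QUERY_CMD="${DNS_QUERY_CMD:-query_txt_dig}"
POLL_SLEEP="${POLL_SLEEP:-10}"   # seconds between attempts

# query_txt_dig NAME [RESOLVER]
query_txt_dig() {
  dig +short TXT "$1" @"${2:-1.1.1.1}"
}

# txt_has_token OUTPUT TOKEN
# Returns 0 when one of the quoted TXT values in OUTPUT equals TOKEN exactly.
# ACME tokens are base64url, so an exact string compare is the right test.
txt_has_token() {
  local output="$1" token="$2" line value
  while IFS= read -r line; do
    value="${line#\"}"      # strip the surrounding quotes dig prints
    value="${value%\"}"
    [ "$value" = "$token" ] && return 0
  done <<EOF
$output
EOF
  return 1
}

# wait_for_txt NAME TOKEN [RESOLVER] [TRIES]
# Polls the resolver until TOKEN is visible (returns 0) or TRIES attempts
# have been used (returns 1). Prints the number of attempts that were needed.
wait_for_txt() {
  local name="$1" token="$2" resolver="${3:-1.1.1.1}" tries="${4:-12}" i=0 out
  while [ "$i" -lt "$tries" ]; do
    i=$((i + 1))
    out="$("$DNS_QUERY_CMD" "$name" "$resolver" 2>/dev/null || true)"
    if txt_has_token "$out" "$token"; then
      echo "record visible after $i attempt(s)"
      return 0
    fi
    [ "$i" -lt "$tries" ] && sleep "$POLL_SLEEP"
  done
  echo "record not visible after $tries attempt(s)" >&2
  return 1
}

# Usage (constructed values): add a TXT record _acme-challenge.example.com with
# value TEST-TOKEN in your zone, then run this and time it.
#   wait_for_txt _acme-challenge.example.com TEST-TOKEN 1.1.1.1 18
```

Time how long the record takes to appear after you add it. If it is regularly well under 120 seconds, the recommended --dnssleep has headroom; if it is not, raise the value rather than lowering it, because a validation attempt that runs before the record is visible fails and the whole issuance has to be retried.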

Step 4 — Install the certificate

Once issued, you can deploy the certificate to your target application, for example with nginx:

acme.sh --install-cert -d example.com \
  --cert-file /etc/nginx/ssl/example.com.crt \
  --key-file /etc/nginx/ssl/example.com.key \
  --fullchain-file /etc/nginx/ssl/example.com.fullchain.crt \
  --reloadcmd "systemctl reload nginx"

Automatic renewal

acme.sh remembers all parameters from the initial issuance and will automatically renew your certificate approximately 30 days before it expires. A cron job is added automatically during installation — renewals happen completely hands-free.

You can check the status of automatic renewals at any time:

acme.sh --list
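Two checks that complement Step 4 and the automatic renewal above, as an added shell example that is not code from acme.sh: key_matches_cert confirms that the private key and certificate acme.sh just wrote belong together before the reload command touches the running server, and cert_expires_within gives an independent monitor a way to notice that renewal has stopped happening. It assumes the openssl command-line tool is installed; the function names, the /usr/local/sbin/acme-reload script name and the nginx paths reused from the install step are this example's choices.

```shell
#!/usr/bin/env bash
# Added example, not part of acme.sh: sanity checks for the files written by
# acme.sh --install-cert. Assumes the openssl CLI is installed. Function names,
# the suggested script path and the nginx paths are this example's own choices.

# key_matches_cert CERT KEY
# Returns 0 when the public key inside CERT equals the public key derived from
# KEY. With a fullchain file, openssl reads the first (leaf) certificate.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)" || return 1
  key_pub="$(openssl pkey -pubout -in "$2" 2>/dev/null)" || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS
# Returns 0 when CERT expires within DAYS days (or has already expired).
# openssl's -checkend exits 0 only while the certificate is still valid at
# now + seconds, so its result is inverted here.
cert_expires_within() {
  local seconds=$(( $2 * 86400 ))
  if openssl x509 -checkend "$seconds" -noout -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# verify_and_reload CERT KEY CMD [ARGS...]
# Runs CMD only when KEY belongs to CERT; otherwise leaves the server alone so
# it keeps serving the previous, still-valid certificate.
verify_and_reload() {
  local cert="$1" key="$2"
  shift 2
  if ! key_matches_cert "$cert" "$key"; then
    echo "refusing reload: $key does not match $cert" >&2
    return 1
  fi
  "$@"
}

# When saved as /usr/local/sbin/acme-reload and invoked with arguments, run the
# checked reload. Wiring it into the install step from above:
#   acme.sh --install-cert -d example.com \
#     --key-file /etc/nginx/ssl/example.com.key \
#     --fullchain-file /etc/nginx/ssl/example.com.fullchain.crt \
#     --reloadcmd "/usr/local/sbin/acme-reload /etc/nginx/ssl/example.com.fullchain.crt /etc/nginx/ssl/example.com.key systemctl reload nginx"
if [ "$#" -ge 3 ]; then
  verify_and_reload "$@"
fi
```

For monitoring, a daily cron entry that runs cert_expires_within on the deployed fullchain with a 20-day window and raises an alert when it returns 0 fires only when acme.sh has missed its usual renewal about 30 days before expiry, which is exactly the failure the notifications described below are meant to surface.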

Notifications

acme.sh supports sending notifications when a certificate is issued or renewed — including failure alerts. This is especially useful in automated environments where you want to know whether renewal was successful without having to check manually.

Supported platforms include Telegram, Discord, Slack, Matrix, email via SMTP, Pushover, and more. Notifications are configured once and apply to all certificates managed by that acme.sh installation.

Discord:

export DISCORD_WEBHOOK_URL="https://discord.com/api/webhooks/..."
acme.sh --set-notify \
  --notify-hook discord \
  --notify-level 2

Telegram:

export TELEGRAM_BOT_APITOKEN="your_bot_token"
export TELEGRAM_CHAT_ID="your_chat_id"
acme.sh --set-notify \
  --notify-hook telegram \
  --notify-level 2

The --notify-level parameter controls when notifications are sent:

  • 0 — disabled
  • 1 — on failure only
  • 2 — on successful renewal or on failure
  • 3 — always, even when no renewal was needed — every day

More resources

Have questions or need help getting set up? Reach out to our technical support team.

  • Technical support: +420 491 618 519, podpora@best-hosting.cz
  • Orders, invoicing (billing department): +420 491 618 517, ucetni@best-hosting.cz