How to Use an ACME Client to Get Your TLS Certificate¶
If you purchased an ACME certificate subscription from Gandi, you can use the ACME protocol to request, install, and automatically renew your certificate. Your subscription includes two credentials that link your ACME client to your paid subscription. These are known as the EAB Key ID and EAB HMAC Key in the ACME protocol, but in your Gandi account they’re labeled a little differently:
ID — this is your EAB Key ID (
eab-kid)ACME CODE — this is your EAB HMAC Key (
eab-hmac-key)
You’ll also find the ACME server url on the same page, which is the directory URL your ACME client needs to connect to the CA.
This page explains how to use these credentials with the most common ACME clients: Certbot, acme.sh, and win-acme. You only need to follow the section for the client you plan to use.
Before You Start¶
Find your credentials in your Gandi account¶
Log in to your Gandi account and go to your ACME Subscription page.
At the top of the page, you’ll see your subscription’s name, its validity status (Valid), its expiration date, and its Type (for example, Domain validation). This Type tells you which kind of certificate your subscription issues — Domain Validation (DV) or Organization Validation (OV) — which is reflected in the ACME server url.
Below that, you’ll find three fields:
ID — this is your
eab-kid.ACME CODE — this is your
eab-hmac-key. It’s hidden by default; click the eye icon to reveal it, then copy it in full.ACME server url — this is the directory URL for your ACME client, for example
https://acme.sectigo.com/v2/DV. Click the copy icon next to it to copy the full value.
Further down the page, you’ll see the list of domains attached to this subscription. Only domains listed here can have certificates issued against these credentials. Use Add domains if the domain you want to secure isn’t listed yet.
Make sure you have the following before requesting a certificate:
Your ID (
eab-kid) and ACME CODE (eab-hmac-key), copied exactly as shown, with no extra spaces or missing characters. This is the most common cause of abadEABCredentialserror.The ACME server url shown on your subscription page.
Administrator or root access to the server where the certificate will be installed.
Port 80 (for HTTP validation) or access to your DNS zone (for DNS validation) open and available, so the CA can confirm you control the domain.
The domain you’re requesting a certificate for must already appear in the domains list on your ACME Subscription page.
Keep your ACME CODE somewhere secure, such as a password manager. Anyone with your ID and ACME CODE can request certificates against your CA subscription for any domain listed on the page, so treat them the same way you would treat a password.
If you no longer need this subscription, you can remove it from the bottom of the same page using Cancel subscription. Any certificates you’ve already issued will stay valid until they expire, but no further renewals will be possible once the subscription is canceled.
Using Certbot¶
Certbot is the ACME client we recommend if you’re not sure which one to use, since it has the widest support for web servers and DNS providers.
Step 1: Install Certbot¶
If Certbot isn’t already installed on your server, follow the installation instructions for your operating system at certbot.eff.org.
Step 2: Register your ACME account with your credentials¶
Run the following command, replacing --server with the ACME server url shown on your subscription page, --eab-kid with the value from the ID field, and --eab-hmac-key with the value from the ACME CODE field:
sudo certbot register \
--email your-email@example.com \
--agree-tos \
--server dummy_server \
--eab-kid dummy_kid \
--eab-hmac-key dummy_hmac
You only need to do this once per server. If the command succeeds, your ACME account is now bound to your CA subscription, and you won’t need to pass --eab-kid or --eab-hmac-key again on that server.
Step 3: Request your certificate¶
Once your account is registered, you can request a certificate for your domain. If you’re running Apache or Nginx and want Certbot to configure your web server automatically, use the matching plugin:
sudo certbot --nginx \
--server dummy_server \
--domain example.com \
--cert-name example-com
If you’d prefer Certbot to only obtain the certificate files without touching your web server configuration, use certonly instead:
sudo certbot certonly --standalone \
--server dummy_server \
--domain example.com \
--cert-name example-com
To request a certificate covering multiple domains or a wildcard, add a --domain flag for each name, or use -d:
sudo certbot certonly --standalone \
--server dummy_server \
-d example.com -d www.example.com \
--cert-name example-com
Wildcard domains require DNS validation rather than HTTP validation. You can automate this step using a DNS plugin or a manual hook that creates the _acme-challenge TXT record for you.
Note that the CA will only issue a certificate for a domain that’s already listed under your subscription’s domain list. If the domain you’re requesting isn’t listed there yet, go back to your ACME Subscription page and use Add domains before retrying.
Using acme.sh¶
acme.sh is a lightweight, dependency-free shell script and a good option if you’d rather not install Certbot’s Python dependencies.
Step 1: Install acme.sh¶
curl https://get.acme.sh | sh -s email=your-email@example.com
Step 2: Register your account with your credentials¶
Use the ACME server url, ID, and ACME CODE values from your subscription page:
acme.sh --register-account \
--server dummy_server \
--eab-kid dummy_kid \
--eab-hmac-key dummy_hmac
Step 3: Issue your certificate¶
If you’re using DNS validation (required for wildcards), specify your DNS provider’s plugin. If you’re using HTTP validation with a webroot, specify the path instead:
acme.sh --issue \
--server dumm_server \
-d example.com \
-w /var/www/example.com
Step 4: Install the certificate¶
acme.sh doesn’t install certificates into your web server automatically the way Certbot’s plugins do. Instead, use --install-cert to copy the issued files to the locations your web server expects:
acme.sh --install-cert -d example.com \
--key-file /etc/ssl/example.com/key.pem \
--fullchain-file /etc/ssl/example.com/fullchain.pem \
--reloadcmd "systemctl reload nginx"
acme.sh also sets up a cron job automatically during installation, so renewals happen without any further action from you.
Using win-acme (Windows/IIS)¶
If your certificate needs to be installed on a Windows server running IIS, win-acme provides a guided, menu-driven setup.
Step 1: Download and run win-acme¶
Download the latest release from
win-acme.com and run wacs.exe as an administrator.
Step 2: Choose a custom ACME server¶
When prompted, select the option to configure a custom ACME server rather than using the default (Let’s Encrypt). Enter the ACME server url shown on your subscription page, for example
https://acme.sectigo.com/v2/DV.
Step 3: Enter your credentials¶
win-acme will detect that the server requires External Account Binding and prompt you for a Key ID and HMAC Key. Enter the value from the ID field as the Key ID, and the value from the ACME CODE field as the HMAC Key.
Step 4: Complete the wizard¶
Follow the remaining prompts to select the site or domain you want to secure, and the validation method. win-acme will install a scheduled task to handle renewals automatically going forward.
If you run into an issue not covered here, don’t hesitate to contact our Support Team.