acme.sh

DNS_API: https://github.com/acmesh-official/acme.sh/wiki/dnsapi

export domain=domain.tld; 

#RSA over dns:
export cert_path=/etc/nginx/ssl/${domain}/rsa; acme.sh --server letsencrypt_test \
  --issue -d ${domain} -d *.${domain} -k 2048 --dns dns_cf --always-force-new-domain-key \
  --auto-upgrade 1 --reloadcmd "sudo bash -c 'mkdir -p "${cert_path}"; cat '\$CERT_FULLCHAIN_PATH' > "${cert_path}/${domain}.pem"; cat '\$CERT_KEY_PATH' >> "${cert_path}/${domain}.pem"; systemctl reload nginx'"


#ECC over dns:
export cert_path=/etc/nginx/ssl/${domain}/ec; acme.sh --server letsencrypt_test \
  --issue -d ${domain} -d *.${domain} --ecc -k ec-384 --dns dns_cf --always-force-new-domain-key \
  --auto-upgrade 1 --reloadcmd "sudo bash -c 'mkdir -p "${cert_path}"; cat '\$CERT_FULLCHAIN_PATH' > "${cert_path}/${domain}.pem"; cat '\$CERT_KEY_PATH' >> "${cert_path}/${domain}.pem"; systemctl reload nginx'"


#RSA over web:
export cert_path=/etc/nginx/ssl/${domain}/rsa; acme.sh --server letsencrypt_test --issue -d ${domain} \
  -d *.${domain} -k 2048 -w /tmp/le_root --always-force-new-domain-key --auto-upgrade 1 \
  --reloadcmd "sudo bash -c 'mkdir -p "${cert_path}"; cat '\$CERT_FULLCHAIN_PATH' > "${cert_path}/${domain}.pem"; cat '\$CERT_KEY_PATH' >> "${cert_path}/${domain}.pem"; systemctl reload nginx'"


#ECC over web:
export cert_path=/etc/nginx/ssl/${domain}/ec; acme.sh --server letsencrypt_test --issue -d ${domain} \
  -d *.${domain} --ecc -k ec-384 -w /tmp/le_root --always-force-new-domain-key --auto-upgrade 1 \
  --reloadcmd "sudo bash -c 'mkdir -p "${cert_path}"; cat '\$CERT_FULLCHAIN_PATH' > "${cert_path}/${domain}.pem"; cat '\$CERT_KEY_PATH' >> "${cert_path}/${domain}.pem"; systemctl reload nginx'"